Article ID: 16130
Products
The issue affects products that use OpenSSL 1.0.1 (released March 2012) through 1.0.1f for SSL/HTTPS support.
OpenSSL 1.0.1g, released April 7, 2014, resolves the vulnerability.
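As an added example (not part of the original article, and not code from Extreme Networks or the OpenSSL project), the following Python snippet applies the advisory's affected range to an `openssl version` banner: only 1.0.1 with a letter suffix up to and including "f" is flagged, while 1.0.1g and any other branch is not. The `check_local_openssl` helper, which assumes an `openssl` binary on PATH, is the only part that touches the host.

```python
import re
import subprocess

# Affected range per the advisory: OpenSSL 1.0.1 (no suffix) through 1.0.1f.
# 1.0.1g is the first fixed release; other branches (0.9.8, 1.0.0) are not affected.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")
AFFECTED_BASE = (1, 0, 1)
LAST_AFFECTED_SUFFIX = "f"


def parse_openssl_version(banner):
    """Parse a banner such as 'OpenSSL 1.0.1e 11 Feb 2013' into
    (major, minor, patch, suffix). Returns None if no version is present."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def is_heartbleed_affected(banner):
    """True only for the 1.0.1 branch with suffix '' (base release) through 'f'.
    Single-letter suffix comparison is enough here because the 1.0.1 branch
    never used multi-letter suffixes."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError("no OpenSSL version string found in banner")
    major, minor, patch, suffix = parsed
    if (major, minor, patch) != AFFECTED_BASE:
        return False
    return suffix <= LAST_AFFECTED_SUFFIX


def check_local_openssl():
    """Run `openssl version` on this host (assumes the binary is on PATH)
    and return (banner, affected)."""
    out = subprocess.run(
        ["openssl", "version"], capture_output=True, text=True, check=True
    ).stdout
    banner = out.strip()
    return banner, is_heartbleed_affected(banner)


if __name__ == "__main__":
    # Constructed sample banners; the last one is the fixed release.
    for sample in ("OpenSSL 1.0.1 14 Mar 2012",
                   "OpenSSL 1.0.1e 11 Feb 2013",
                   "OpenSSL 1.0.1g 7 Apr 2014"):
        print(sample, "->", "AFFECTED" if is_heartbleed_affected(sample) else "not affected")
```

One caveat for the Ubuntu-based appliances listed above: distribution packages often carry security fixes without changing the upstream version letter, so a banner reading 1.0.1e may already be patched. Treat the banner check as a first filter and confirm against the package changelog or the vendor's patch notice.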
Affected:
- Black Diamond Series X8, 8900, and 8800 running EXOS version 15.4.1
- Summit Series X770, X670, X480, X460, X440, X430, E4G-200, and E4G-400 running EXOS version 15.4.1
- 64-bit (Ubuntu) hardware-based and virtual NetSight appliances running version 4.4, 5.0, 5.1, or 6.0
- 64-bit (Ubuntu) hardware-based and virtual NAC & IA appliances running version 5.0, 5.1, or 6.0
- 64-bit (Ubuntu) hardware-based and virtual Purview appliances running version 6.0
Discussion
Vulnerability notification
CVE-2014-0160 was released on April 7, 2014.
Its Overview states:
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
The high visibility and potentially high impact of this issue has spawned many follow-up reports, which are visible in a web search for "" or "".
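The CVE overview above describes a buffer over-read: the Heartbeat message header declares a payload length, and the affected OpenSSL versions copied that many bytes into the response without checking that the bytes were actually present in the received record. As an added illustration (not code from the article, from Extreme Networks, or from OpenSSL itself), the Python parser below shows the bounds check a correct receiver must apply before echoing a heartbeat payload, following the RFC 6520 message layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding). The sample records are constructed inline.

```python
import os
import struct

HB_REQUEST = 1
HB_RESPONSE = 2
HB_HEADER_LEN = 3      # type (1 byte) + payload_length (2 bytes, big-endian)
HB_MIN_PADDING = 16    # RFC 6520 requires at least 16 bytes of padding


def parse_heartbeat(record):
    """Parse a TLS heartbeat message body and return (type, payload).

    Raises ValueError when the declared payload length does not fit in the
    record. This is the length-versus-record check that is missing in the
    affected OpenSSL versions; without it, the responder echoes bytes that
    lie beyond the received message."""
    if len(record) < HB_HEADER_LEN + HB_MIN_PADDING:
        raise ValueError("record too short to be a heartbeat message")
    hb_type, payload_len = struct.unpack("!BH", record[:HB_HEADER_LEN])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        raise ValueError(f"unknown heartbeat type {hb_type}")
    # Header + declared payload + minimum padding must fit inside what we received.
    if HB_HEADER_LEN + payload_len + HB_MIN_PADDING > len(record):
        raise ValueError(
            f"declared payload length {payload_len} exceeds record length {len(record)}"
        )
    payload = record[HB_HEADER_LEN:HB_HEADER_LEN + payload_len]
    return hb_type, payload


def is_well_formed(record):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        parse_heartbeat(record)
        return True
    except ValueError:
        return False


def build_heartbeat_response(record):
    """Build the response to a validated request: same payload, fresh random
    padding. Only bytes that passed the bounds check are ever copied."""
    hb_type, payload = parse_heartbeat(record)
    if hb_type != HB_REQUEST:
        raise ValueError("only heartbeat requests get a response")
    return struct.pack("!BH", HB_REQUEST + 1, len(payload)) + payload + os.urandom(HB_MIN_PADDING)


# Constructed sample records for demonstration.
# A consistent request: declared length 5 matches the 5-byte payload "hello".
VALID_REQUEST = struct.pack("!BH", HB_REQUEST, 5) + b"hello" + b"\x00" * HB_MIN_PADDING
# An inconsistent request: the header claims 16384 bytes but only 5 are present.
# A correct receiver rejects it instead of reading past the message.
MALFORMED_REQUEST = struct.pack("!BH", HB_REQUEST, 0x4000) + b"hello" + b"\x00" * HB_MIN_PADDING


if __name__ == "__main__":
    print("valid:", parse_heartbeat(VALID_REQUEST))
    print("malformed accepted?", is_well_formed(MALFORMED_REQUEST))
    print("response:", parse_heartbeat(build_heartbeat_response(VALID_REQUEST)))
```

The same check is useful on the detection side: a heartbeat message whose declared payload length exceeds the record it arrived in is never legitimate, so an IDS rule or packet parser can flag it without needing to see the server's reply.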
Patches have been developed to address this vulnerability across all affected products, and these will be included in subsequent GA releases. Patch availability is discussed in Article 16131, which addresses this issue being tracked as US-CERT Vulnerability Advisory VU#720951.