Описание
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
An information disclosure flaw was found in the way OpenSSL handled TLS and DTLS Heartbeat Extension packets. A malicious TLS or DTLS client or server could send a specially crafted TLS or DTLS Heartbeat packet to disclose a limited portion of memory per request from a connected client or server. Note that the disclosed portions of memory could potentially include sensitive information such as private keys.
Отчет
This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6.4 and earlier, Red Hat JBoss Enterprise Application Platform 5 and 6, and Red Hat JBoss Web Server 1 and 2. This issue does affect Red Hat Enterprise Linux 7 Beta, Red Hat Enterprise Linux 6.5, Red Hat Enterprise Virtualization Hypervisor 6.5, and Red Hat Storage 2.1, which provided openssl 1.0.1e. Errata have been released to correct this issue. Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/announcements/781953
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | openssl | Not affected | ||
| Red Hat Enterprise Linux 5 | openssl097a | Not affected | ||
| Red Hat Enterprise Linux 6 | openssl098e | Not affected | ||
| Red Hat Enterprise Linux 7 | openssl | Not affected | ||
| Red Hat Enterprise Linux 7 | openssl098e | Not affected | ||
| Red Hat JBoss Enterprise Application Platform 5 | openssl | Not affected | ||
| Red Hat JBoss Enterprise Application Platform 6 | openssl | Not affected | ||
| Red Hat JBoss Enterprise Web Server 1 | others | Not affected | ||
| RHEV Manager | rhev-hypervisor | Affected | ||
| Red Hat Enterprise Linux 6 | openssl | Fixed | RHSA-2014:0376 | 08.04.2014 |
Показывать по
Дополнительная информация
Статус:
5 Medium
CVSS2
Связанные уязвимости
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1 ...
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
5 Medium
CVSS2