CVE-2014-0160 Heartbleed


Severity

Critical

Vendor

OpenSSL.org

Versions Affected
  • 1.0.1 through 1.0.1f
Description

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

Affected Pivotal Products and Versions

Severity is critical unless otherwise noted.

  • vFabric Web Server 5.0.x, 5.1.x, 5.2.x, 5.3.x
  • vFabric GemFire Native Client 7.0.0.X, 7.0.1.X
  • Pivotal GemFire Native Client 7.0.2.X
  • Pivotal Command Center 2.0.x, 2.1.x
  • Pivotal App Suite Virtual Appliance 1.0.1.3
Mitigation

Users of affected versions should apply the following mitigation:

  • vFabric Web Server users (all versions) should apply the patch including version 1.0.1g of OpenSSL per the instructions posted here as soon as possible.
  • GemFire Native Client 7.0.X users should immediately upgrade to OpenSSL 1.0.1g or later or recompile their existing OpenSSL 1.0.1 installations with the –DOPENSSL_NO_HEARTBEATS option. See CVE-2014-0160-GemFire-Native-Client for more information.
  • Please see this doc for Pivotal Command Center.
  • Pivotal App Suite Virtual Appliance 1.0.1.3 users should upgrade to version 1.0.1.5 as soon as possible.
Credit

This bug was independently discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and Neel Mehta of Google Security, who first reported it to the OpenSSL team. The Codenomicon team found the Heartbleed bug while improving the SafeGuard feature in Codenomicon's Defensics security testing tools and reported this bug to the NCSC-FI for vulnerability coordination and reporting to the OpenSSL team.

References
History

2014-Apr-7: Initial vulnerability report published.