CVE-2014-0160

Known Exploited; Public Exploit

Description

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVSS: 7.5
Severity: High
EPSS: 94.47% (Top 5%)

References

Link Tags
https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html?sr=36517217 third party advisory
http://www.securitytracker.com/id/1030077 vdb entry broken link third party advisory
http://seclists.org/fulldisclosure/2014/Apr/90 mailing list third party advisory
http://www.getchef.com/blog/2014/04/09/chef-server-heartbleed-cve-2014-0160-releases/ third party advisory
http://www.debian.org/security/2014/dsa-2896 vendor advisory mailing list third party advisory
http://marc.info/?l=bugtraq&m=139774054614965&w=2 vendor advisory mailing list third party advisory
http://marc.info/?l=bugtraq&m=139889113431619&w=2 vendor advisory mailing list third party advisory
http://rhn.redhat.com/errata/RHSA-2014-0396.html vendor advisory third party advisory
http://marc.info/?l=bugtraq&m=139835815211508&w=2 vendor advisory mailing list third party advisory
http://marc.info/?l=bugtraq&m=141287864628122&w=2 vendor advisory mailing list third party advisory
http://www.kb.cert.org/vuls/id/720951 third party advisory us government resource
http://www.splunk.com/view/SP-CAAAMB3 third party advisory
http://marc.info/?l=bugtraq&m=139905295427946&w=2 vendor advisory mailing list third party advisory
http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0 broken link
http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf broken link third party advisory
http://marc.info/?l=bugtraq&m=139833395230364&w=2 vendor advisory mailing list third party advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21670161 broken link
http://www.vmware.com/security/advisories/VMSA-2014-0012.html broken link
http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00004.html vendor advisory mailing list third party advisory
http://marc.info/?l=bugtraq&m=142660345230545&w=2 vendor advisory mailing list third party advisory
http://seclists.org/fulldisclosure/2014/Apr/109 mailing list third party advisory
http://marc.info/?l=bugtraq&m=140724451518351&w=2 vendor advisory mailing list third party advisory
http://www.securitytracker.com/id/1030080 vdb entry broken link third party advisory
http://secunia.com/advisories/57836 broken link third party advisory
http://www-01.ibm.com/support/docview.wss?uid=isg400001843 third party advisory
http://marc.info/?l=bugtraq&m=139808058921905&w=2 vendor advisory mailing list third party advisory
http://marc.info/?l=bugtraq&m=139758572430452&w=2 vendor advisory mailing list third party advisory
http://www.securityfocus.com/bid/66690 vdb entry broken link third party advisory
http://www.innominate.com/data/downloads/manuals/mdm_1.5.2.1_Release_Notes.pdf not applicable
https://filezilla-project.org/versions.php?type=server release notes
http://marc.info/?l=bugtraq&m=139843768401936&w=2 vendor advisory mailing list third party advisory
http://secunia.com/advisories/57483 broken link third party advisory
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed vendor advisory third party advisory
http://www.kerio.com/support/kerio-control/release-history broken link third party advisory
http://advisories.mageia.org/MGASA-2014-0165.html third party advisory
http://www.blackberry.com/btsc/KB35882 broken link
http://marc.info/?l=bugtraq&m=140075368411126&w=2 vendor advisory mailing list third party advisory
http://marc.info/?l=bugtraq&m=139905351928096&w=2 vendor advisory mailing list third party advisory
http://www.securitytracker.com/id/1030081 vdb entry broken link third party advisory
http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131221.html vendor advisory broken link third party advisory
http://www.securityfocus.com/archive/1/534161/100/0/threaded mailing list broken link not applicable vdb entry third party advisory
http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131291.html vendor advisory broken link third party advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1084875 issue tracking third party advisory
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html vendor advisory mailing list third party advisory
http://www-01.ibm.com/support/docview.wss?uid=isg400001841 third party advisory
http://marc.info/?l=bugtraq&m=139824993005633&w=2 vendor advisory mailing list third party advisory
http://www.securitytracker.com/id/1030079 vdb entry broken link third party advisory
http://rhn.redhat.com/errata/RHSA-2014-0377.html vendor advisory third party advisory
http://marc.info/?l=bugtraq&m=139722163017074&w=2 vendor advisory mailing list third party advisory
http://marc.info/?l=bugtraq&m=139889295732144&w=2 vendor advisory mailing list third party advisory
https://code.google.com/p/mod-spdy/issues/detail?id=85 issue tracking
http://marc.info/?l=bugtraq&m=139765756720506&w=2 vendor advisory mailing list third party advisory
http://marc.info/?l=bugtraq&m=139774703817488&w=2 vendor advisory mailing list third party advisory
http://marc.info/?l=bugtraq&m=139905202427693&w=2 vendor advisory mailing list third party advisory
http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/ release notes
http://heartbleed.com/ third party advisory
http://marc.info/?l=bugtraq&m=139817782017443&w=2 vendor advisory mailing list third party advisory
http://download.schneider-electric.com/files?p_Doc_Ref=SEVD%202014-119-01 broken link
http://marc.info/?l=bugtraq&m=140015787404650&w=2 vendor advisory mailing list third party advisory
http://cogentdatahub.com/ReleaseNotes.html release notes
http://marc.info/?l=bugtraq&m=139869720529462&w=2 vendor advisory mailing list third party advisory
http://marc.info/?l=bugtraq&m=139842151128341&w=2 vendor advisory mailing list third party advisory
http://marc.info/?l=bugtraq&m=139905243827825&w=2 vendor advisory mailing list third party advisory
http://marc.info/?l=bugtraq&m=139905458328378&w=2 vendor advisory mailing list third party advisory
http://www.f-secure.com/en/web/labs_global/fsc-2014-1 broken link third party advisory
http://www.us-cert.gov/ncas/alerts/TA14-098A third party advisory us government resource
http://secunia.com/advisories/57347 broken link third party advisory
https://lists.balabit.hu/pipermail/syslog-ng-announce/2014-April/000184.html mailing list third party advisory
http://seclists.org/fulldisclosure/2014/Apr/173 mailing list third party advisory
https://blog.torproject.org/blog/openssl-bug-cve-2014-0160 issue tracking
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html patch third party advisory
http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html patch third party advisory
https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html third party advisory
http://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=96db9023b881d7cd9f379b0c154650d6c108e9a3 broken link
https://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?spf_p.tpst=kbDocDisplay&spf_p.prp_kbDocDisplay=wsrp-navigationalState%3DdocId%253Demr_na-c04260637-4%257CdocLocale%253Den_US%257CcalledBy%253DSearch_Result&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken broken link vendor advisory
http://seclists.org/fulldisclosure/2014/Dec/23 mailing list third party advisory
http://marc.info/?l=bugtraq&m=139905653828999&w=2 vendor advisory mailing list third party advisory
http://www.ubuntu.com/usn/USN-2165-1 vendor advisory third party advisory
http://rhn.redhat.com/errata/RHSA-2014-0378.html vendor advisory third party advisory
http://marc.info/?l=bugtraq&m=139757919027752&w=2 vendor advisory mailing list third party advisory
http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00005.html vendor advisory mailing list third party advisory
http://www.exploit-db.com/exploits/32764 exploit vdb entry third party advisory
http://marc.info/?l=bugtraq&m=139757726426985&w=2 vendor advisory mailing list third party advisory
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160512_00 third party advisory
http://marc.info/?l=bugtraq&m=139869891830365&w=2 vendor advisory mailing list third party advisory
http://marc.info/?l=bugtraq&m=139905868529690&w=2 vendor advisory mailing list third party advisory
http://marc.info/?l=bugtraq&m=139817685517037&w=2 vendor advisory mailing list third party advisory
http://marc.info/?l=bugtraq&m=140752315422991&w=2 vendor advisory mailing list third party advisory
http://seclists.org/fulldisclosure/2014/Apr/91 mailing list third party advisory
http://www.securitytracker.com/id/1030078 vdb entry broken link third party advisory
http://secunia.com/advisories/59243 broken link third party advisory
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004661 third party advisory
http://marc.info/?l=bugtraq&m=139836085512508&w=2 vendor advisory mailing list third party advisory
http://marc.info/?l=bugtraq&m=139824923705461&w=2 vendor advisory mailing list third party advisory
http://rhn.redhat.com/errata/RHSA-2014-0376.html vendor advisory third party advisory
http://marc.info/?l=bugtraq&m=139835844111589&w=2 vendor advisory mailing list third party advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2015:062 vendor advisory broken link third party advisory
https://www.cert.fi/en/reports/2014/vulnerability788210.html not applicable third party advisory
http://secunia.com/advisories/57721 broken link third party advisory
http://secunia.com/advisories/57968 broken link third party advisory
http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/ issue tracking third party advisory
http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=3 permissions required third party advisory
http://lists.opensuse.org/opensuse-updates/2014-04/msg00061.html vendor advisory mailing list third party advisory
http://marc.info/?l=bugtraq&m=139905405728262&w=2 vendor advisory mailing list third party advisory
http://www.securitytracker.com/id/1030082 vdb entry broken link third party advisory
http://marc.info/?l=bugtraq&m=139757819327350&w=2 vendor advisory mailing list third party advisory
http://www.exploit-db.com/exploits/32745 exploit vdb entry third party advisory
http://seclists.org/fulldisclosure/2014/Apr/190 mailing list third party advisory
http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/ release notes
http://marc.info/?l=bugtraq&m=139817727317190&w=2 vendor advisory mailing list third party advisory
https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-17-0008 third party advisory
http://www.openssl.org/news/secadv_20140407.txt broken link vendor advisory
https://gist.github.com/chapmajs/10473815 exploit
http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=1 third party advisory
http://www.securitytracker.com/id/1030074 vdb entry broken link third party advisory
http://support.citrix.com/article/CTX140605 third party advisory
http://secunia.com/advisories/59139 broken link third party advisory
http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/ release notes
http://secunia.com/advisories/57966 broken link third party advisory
http://www.securitytracker.com/id/1030026 vdb entry broken link third party advisory
http://secunia.com/advisories/59347 broken link third party advisory
https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E patch mailing list third party advisory
https://lists.apache.org/thread.html/f8e0814e11c7f21f42224b6de111cb3f5e5ab5c15b78924c516d4ec2%40%3Cdev.tomcat.apache.org%3E patch mailing list third party advisory
https://sku11army.blogspot.com/2020/01/heartbleed-hearts-continue-to-bleed.html exploit permissions required third party advisory
https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E patch mailing list third party advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-635659.pdf third party advisory
https://lists.apache.org/thread.html/re3b72cbb13e1dfe85c4a06959a3b6ca6d939b407ecca80db12b54220%40%3Cdev.tomcat.apache.org%3E patch mailing list third party advisory
https://yunus-shn.medium.com/ricon-industrial-cellular-router-heartbleed-attack-2634221c02bd exploit broken link third party advisory

Frequently Asked Questions

What is the severity of CVE-2014-0160?
CVE-2014-0160 has been scored as a high severity vulnerability.
How to fix CVE-2014-0160?
To fix CVE-2014-0160, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. For now, no other specific guidelines are available.
Is CVE-2014-0160 being actively exploited in the wild?
It is confirmed that CVE-2014-0160 is actively exploited. Be extra cautious if you are using vulnerable components. According to its EPSS score, there is a ~94% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.