Mission and Overview
NVD is the U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA).
Resource Status

Last updated: 8/29/2014 8:04:56 AM

CVE Publication rate: 13.33


Workload Index
Vulnerability Workload Index: 5.87
About Us
NVD is a product of the NIST Computer Security Division and is sponsored by the Department of Homeland Security's National Cyber Security Division. It supports the U.S. government multi-agency (OSD, DHS, NSA, DISA, and NIST) Information Security Automation Program. It is the U.S. government content repository for the Security Content Automation Protocol (SCAP).

National Cyber Awareness System

Vulnerability Summary for CVE-2014-0160

Original release date: 04/07/2014
Last revised: 07/24/2014
Source: US-CERT/NIST

Overview

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
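The over-read described above comes down to a handler trusting a payload length that the peer supplies. The following C example is added here and is not OpenSSL's code: it implements the bounds check a heartbeat handler needs (header plus declared payload plus minimum padding must fit inside the record actually received) and, for comparison, computes how far past the record an unchecked handler would have read. The message layout follows RFC 6520; the record bytes HB_GOOD and HB_BAD are constructed samples, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Heartbeat message (RFC 6520): 1-byte type, 2-byte payload_length,
 * payload_length bytes of payload, then at least 16 bytes of padding.
 * rec/rec_len below are the bytes actually received in the TLS record. */
#define HB_HDR_LEN     3
#define HB_MIN_PADDING 16
#define HB_REQUEST     1

/* Payload length the peer declared, or -1 if there is no complete header. */
int heartbeat_declared_len(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HDR_LEN) return -1;
    return (rec[1] << 8) | rec[2];
}

/* Hardened check: header + declared payload + minimum padding must fit in
 * the record actually received. Returns 0 to accept, -1 to silently discard. */
int heartbeat_validate(const uint8_t *rec, size_t rec_len) {
    int declared = heartbeat_declared_len(rec, rec_len);
    if (declared < 0 || rec[0] != HB_REQUEST) return -1;
    if ((size_t)HB_HDR_LEN + (size_t)declared + HB_MIN_PADDING > rec_len) return -1;
    return 0;
}

/* Bytes past the end of the record that a handler trusting the declared
 * length, without the check above, would have copied into its response. */
size_t heartbeat_overread(const uint8_t *rec, size_t rec_len) {
    int declared = heartbeat_declared_len(rec, rec_len);
    if (declared < 0) return 0;
    size_t avail = rec_len - HB_HDR_LEN;
    return (size_t)declared > avail ? (size_t)declared - avail : 0;
}

/* Constructed sample records, not captured traffic. HB_GOOD declares 5 payload
 * bytes and carries 5 plus 16 padding; HB_BAD carries the same 21 bytes but
 * declares 0x4000 (16384) bytes of payload. */
static const uint8_t HB_GOOD[] = { 0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0 };
static const uint8_t HB_BAD[]  = { 0x01, 0x40, 0x00, 'h', 'e', 'l', 'l', 'o',
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0 };

int main(void) {
    printf("good: accept=%d overread=%zu\n", heartbeat_validate(HB_GOOD, sizeof HB_GOOD),
           heartbeat_overread(HB_GOOD, sizeof HB_GOOD));
    printf("bad:  accept=%d overread=%zu\n", heartbeat_validate(HB_BAD, sizeof HB_BAD),
           heartbeat_overread(HB_BAD, sizeof HB_BAD));
    return 0;
}
```

The malformed record is discarded by heartbeat_validate, while heartbeat_overread shows it would have pulled 16363 bytes of adjacent process memory into the reply had the length been trusted.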

Impact

CVSS Severity (version 2.0):
CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 10.0
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information
CVSS V2 scoring evaluates the impact of the vulnerability on the host where the vulnerability is located. When evaluating the impact of this vulnerability to your organization, take into account the nature of the data that is being protected and act according to your organization’s risk acceptance. While CVE-2014-0160 does not allow unrestricted access to memory on the targeted host, a successful exploit does leak information from memory locations which have the potential to contain particularly sensitive information, e.g., cryptographic keys and passwords. Theft of this information could enable other attacks on the information system, the impact of which would depend on the sensitivity of the data and functions of that system.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Source: Name (Type)

CONFIRM: http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=96db9023b881d7cd9f379b0c154650d6c108e9a3 (Advisory)
MISC: https://gist.github.com/chapmajs/10473815
CISCO: 20140409 OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products
SECUNIA: 57347 (Advisory)
FULLDISC: 20140408 heartbleed OpenSSL bug CVE-2014-0160
FULLDISC: 20140408 Re: heartbleed OpenSSL bug CVE-2014-0160
SECUNIA: 57968 (Advisory)
CONFIRM: http://cogentdatahub.com/ReleaseNotes.html
HP: HPSBST03000
MLIST: [syslog-ng-announce] 20140411 syslog-ng Premium Edition 5 LTS (5.0.4a) has been released
CONFIRM: http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html
SECUNIA: 57966 (Advisory)
CONFIRM: http://advisories.mageia.org/MGASA-2014-0165.html
SECTRACK: 1030077
REDHAT: RHSA-2014:0376
REDHAT: RHSA-2014:0378
US-CERT Vulnerability Note (CERT-VN): VU#720951
CONFIRM: https://code.google.com/p/mod-spdy/issues/detail?id=85
SECTRACK: 1030080
HP: HPSBMU03024
MISC: https://blog.torproject.org/blog/openssl-bug-cve-2014-0160
SECUNIA: 57721 (Advisory)
MISC: http://heartbleed.com/
MISC: https://www.cert.fi/en/reports/2014/vulnerability788210.html
CONFIRM: http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/
MISC: http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/
CONFIRM: http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=3
HP: HPSBMU02995
FULLDISC: 20140409 Re: heartbleed OpenSSL bug CVE-2014-0160
SUSE: SUSE-SA:2014:002
CONFIRM: http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
FULLDISC: 20140411 MRI Rubies may contain statically linked, vulnerable OpenSSL
CONFIRM: https://filezilla-project.org/versions.php?type=server
BID: 66690
SECTRACK: 1030082
REDHAT: RHSA-2014:0396
CONFIRM: http://www.f-secure.com/en/web/labs_global/fsc-2014-1
CONFIRM: http://www-01.ibm.com/support/docview.wss?uid=isg400001843
FEDORA: FEDORA-2014-4910
SECTRACK: 1030026
SECUNIA: 57836 (Advisory)
HP: HPSBMU03022
EXPLOIT-DB: 32745
CONFIRM: http://www.getchef.com/blog/2014/04/09/chef-server-heartbleed-cve-2014-0160-releases/
CONFIRM: http://www.openssl.org/news/secadv_20140407.txt (Advisory)
CONFIRM: http://www.blackberry.com/btsc/KB35882
SECTRACK: 1030074
FULLDISC: 20140412 Re: heartbleed OpenSSL bug CVE-2014-0160
CONFIRM: http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=1
CONFIRM: http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/
CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1084875
SECTRACK: 1030081
SECTRACK: 1030078
FEDORA: FEDORA-2014-4879
HP: HPSBMU03009
SUSE: openSUSE-SU-2014:0492
REDHAT: RHSA-2014:0377
CONFIRM: http://www.kerio.com/support/kerio-control/release-history
SECTRACK: 1030079
CONFIRM: http://www.splunk.com/view/SP-CAAAMB3
US-CERT Vulnerability Note (CERT): TA14-098A
CONFIRM: http://www-01.ibm.com/support/docview.wss?uid=isg400001841
DEBIAN: DSA-2896
SECUNIA: 57483 (Advisory)
EXPLOIT-DB: 32764
CONFIRM: http://www-01.ibm.com/support/docview.wss?uid=swg21670161
CONFIRM: http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/

Technical Details

Vulnerability Type