Heartbleed OpenSSL Vulnerability (Indicative)

  • 警报等级:
  • High

  • 警报类型:
  • Passive
摘要

The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.

解决方案

Update to OpenSSL 1.0.1g or later. Re-issue HTTPS certificates. Change asymmetric private keys and shared secret keys, since these may have been compromised, with no evidence of compromise in the server log files.

其他信息
OpenSSL/1.0.1e is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance.
参考

https://nvd.nist.gov/vuln/detail/CVE-2014-0160