National Vulnerability Database

CVE-2014-0160 Detail

Current Description

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

Source: MITRE    Last Modified: 04/07/2014
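To make the description above concrete, the following is an added illustration written for this page, not OpenSSL's own code: a minimal model of the TLS1 heartbeat handler from t1_lib.c in its pre-1.0.1g shape next to the same handler with the two length checks that the fix commit (96db9023b881d7cd9f379b0c154650d6c108e9a3, linked under References) introduced. The memory_image array, the SECRET string, and the helper names (build_response, run_heartbeat, heartbeat_response_len, heartbeat_leaks_secret) are constructed for the demo; the declared-length field, the 16-byte padding minimum and the "silently discard" rule come from the heartbeat extension (RFC 6520).

```c
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST   1
#define TLS1_HB_RESPONSE  2
#define HB_PADDING        16          /* RFC 6520: at least 16 bytes of padding */

/* OpenSSL's n2s / s2n macros, written as functions: 16-bit big-endian. */
static unsigned n2s(const unsigned char *p) { return ((unsigned)p[0] << 8) | p[1]; }
static void s2n(unsigned v, unsigned char *p) { p[0] = (unsigned char)(v >> 8); p[1] = (unsigned char)v; }

/* Response construction shared by both handlers: type, echoed length,
 * 'payload' bytes copied from pl, then padding. Returns bytes written. */
static size_t build_response(unsigned payload, const unsigned char *pl,
                             unsigned char *resp, size_t resp_cap)
{
    if ((size_t)(1 + 2 + payload + HB_PADDING) > resp_cap)
        return 0;                       /* demo bound only; not part of bug or fix */
    unsigned char *bp = resp;
    *bp++ = TLS1_HB_RESPONSE;
    s2n(payload, bp); bp += 2;
    memcpy(bp, pl, payload);            /* copies whatever lies at pl[0..payload) */
    bp += payload;
    memset(bp, 0, HB_PADDING);          /* OpenSSL fills this with random bytes */
    return (size_t)(bp - resp) + HB_PADDING;
}

/* Pre-1.0.1g shape: the length field inside the message is trusted and never
 * compared with rec_len, the number of bytes actually received, so memcpy in
 * build_response reads past the end of the record into adjacent memory. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *resp, size_t resp_cap)
{
    const unsigned char *p = rec;
    unsigned hbtype = *p++;
    unsigned payload = n2s(p); p += 2;  /* attacker-controlled, up to 65535 */
    (void)rec_len;                      /* the missing check */
    if (hbtype != TLS1_HB_REQUEST) return 0;
    return build_response(payload, p, resp, resp_cap);
}

/* 1.0.1g shape: two checks against the received length; a short or lying
 * record is silently discarded (RFC 6520 section 4). */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *resp, size_t resp_cap)
{
    const unsigned char *p = rec;
    if ((size_t)(1 + 2 + HB_PADDING) > rec_len) return 0;            /* header + padding must fit */
    unsigned hbtype = *p++;
    unsigned payload = n2s(p); p += 2;
    if ((size_t)(1 + 2 + payload + HB_PADDING) > rec_len) return 0;  /* declared payload must fit */
    if (hbtype != TLS1_HB_REQUEST) return 0;
    return build_response(payload, p, resp, resp_cap);
}

/* Constructed "process memory" for the demo: a 20-byte heartbeat record that
 * really carries one payload byte, immediately followed by a secret that is
 * not part of any record. One array keeps the over-read well-defined here;
 * on a real heap the same bytes are simply whatever was allocated next. */
#define SECRET          "SECRET-KEY-MATERIAL"
#define REAL_RECORD_LEN (1 + 2 + 1 + HB_PADDING)
static unsigned char memory_image[128];

static size_t run_heartbeat(int use_fix, unsigned declared_payload,
                            unsigned char *resp, size_t resp_cap)
{
    memset(memory_image, 0, sizeof memory_image);
    memory_image[0] = TLS1_HB_REQUEST;
    s2n(declared_payload, memory_image + 1);
    memory_image[3] = 'A';              /* the only byte the peer actually sent */
    memcpy(memory_image + REAL_RECORD_LEN, SECRET, sizeof SECRET);
    return use_fix
        ? heartbeat_fixed(memory_image, REAL_RECORD_LEN, resp, resp_cap)
        : heartbeat_vulnerable(memory_image, REAL_RECORD_LEN, resp, resp_cap);
}

/* Length of the response (0 means the request was discarded). */
size_t heartbeat_response_len(int use_fix, unsigned declared_payload)
{
    unsigned char resp[128];
    return run_heartbeat(use_fix, declared_payload, resp, sizeof resp);
}

/* 1 if SECRET appears inside the echoed payload of the response. */
int heartbeat_leaks_secret(int use_fix, unsigned declared_payload)
{
    unsigned char resp[128];
    size_t n = run_heartbeat(use_fix, declared_payload, resp, sizeof resp);
    for (size_t i = 3; i + sizeof SECRET - 1 <= n; i++)
        if (memcmp(resp + i, SECRET, sizeof SECRET - 1) == 0) return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable, declared 40: %zu-byte response, secret leaked: %s\n",
           heartbeat_response_len(0, 40), heartbeat_leaks_secret(0, 40) ? "yes" : "no");
    printf("fixed, declared 40:      %zu-byte response (discarded)\n",
           heartbeat_response_len(1, 40));
    printf("fixed, declared 1:       %zu-byte response, secret leaked: %s\n",
           heartbeat_response_len(1, 1), heartbeat_leaks_secret(1, 1) ? "yes" : "no");
    return 0;
}
```

The record in the demo is 20 bytes long but declares a 40-byte payload. The pre-fix handler copies 40 bytes starting at the payload, so the 19-byte secret placed right after the record comes back in the 59-byte response; the fixed handler sees that 1 + 2 + 40 + 16 exceeds the 20 bytes received and returns nothing, while an honest request declaring 1 byte still gets its 20-byte echo. Note that the fix is a check against the record length the peer actually sent, not against the 64 KiB maximum a heartbeat can declare: a well-formed record of any size is still answered.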

Quick Info

CVE Dictionary Entry:
CVE-2014-0160
Original release date:
04/07/2014
Last revised:
12/15/2017
Source:
US-CERT/NIST

Impact

CVSS Severity (version 2.0):
CVSS v2 Base Score:
5.0 MEDIUM
Vector:
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Impact Subscore:
2.9
Exploitability Subscore:
10.0
CVSS Version 2 Metrics:
Access Vector:
Network exploitable
Access Complexity:
Low
Authentication:
Not required to exploit
Impact Type:
Allows unauthorized disclosure of information

Evaluator Impact

CVSS V2 scoring evaluates the impact of the vulnerability on the host where the vulnerability is located. When evaluating the impact of this vulnerability to your organization, take into account the nature of the data that is being protected and act according to your organization’s risk acceptance. While CVE-2014-0160 does not allow unrestricted access to memory on the targeted host, a successful exploit does leak information from memory locations which have the potential to contain particularly sensitive information, e.g., cryptographic keys and passwords. Theft of this information could enable other attacks on the information system, the impact of which would depend on the sensitivity of the data and functions of that system.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink Resource Type Source Name
http://advisories.mageia.org/MGASA-2014-0165.html External Source CONFIRM http://advisories.mageia.org/MGASA-2014-0165.html
http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/ External Source MISC http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/
http://cogentdatahub.com/ReleaseNotes.html External Source CONFIRM http://cogentdatahub.com/ReleaseNotes.html
http://download.schneider-electric.com/files?p_Doc_Ref=SEVD%202014-119-01 External Source CONFIRM http://download.schneider-electric.com/files?p_Doc_Ref=SEVD%202014-119-01
http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=96db9023b881d7cd9f379b0c154650d6c108e9a3 Vendor Advisory External Source CONFIRM http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=96db9023b881d7cd9f379b0c154650d6c108e9a3
http://heartbleed.com/ External Source MISC http://heartbleed.com/
http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131221.html External Source FEDORA FEDORA-2014-4879
http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131291.html External Source FEDORA FEDORA-2014-4910
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html External Source FEDORA FEDORA-2014-9308
http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00004.html External Source SUSE openSUSE-SU-2014:0492
http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00005.html External Source SUSE SUSE-SA:2014:002
http://lists.opensuse.org/opensuse-updates/2014-04/msg00061.html External Source SUSE openSUSE-SU-2014:0560
http://marc.info/?l=bugtraq&m=139722163017074&w=2 External Source HP HPSBMU02995
http://marc.info/?l=bugtraq&m=139757726426985&w=2 External Source HP HPSBMU02994
http://marc.info/?l=bugtraq&m=139757819327350&w=2 External Source HP HPSBMU02998
http://marc.info/?l=bugtraq&m=139757919027752&w=2 External Source HP HPSBMU02997
http://marc.info/?l=bugtraq&m=139758572430452&w=2 External Source HP HPSBST03001
http://marc.info/?l=bugtraq&m=139765756720506&w=2 External Source HP HPSBMU02999
http://marc.info/?l=bugtraq&m=139774054614965&w=2 External Source HP HPSBGN03008
http://marc.info/?l=bugtraq&m=139774703817488&w=2 External Source HP HPSBGN03010
http://marc.info/?l=bugtraq&m=139808058921905&w=2 External Source HP HPSBMU03012
http://marc.info/?l=bugtraq&m=139817685517037&w=2 External Source HP HPSBMU03019
http://marc.info/?l=bugtraq&m=139817727317190&w=2 External Source HP HPSBMU03017
http://marc.info/?l=bugtraq&m=139817782017443&w=2 External Source HP HPSBMU03018
http://marc.info/?l=bugtraq&m=139824923705461&w=2 External Source HP HPSBST03015
http://marc.info/?l=bugtraq&m=139824993005633&w=2 External Source HP HPSBMU03013
http://marc.info/?l=bugtraq&m=139833395230364&w=2 External Source HP HPSBGN03011
http://marc.info/?l=bugtraq&m=139835815211508&w=2 External Source HP HPSBHF03021
http://marc.info/?l=bugtraq&m=139835844111589&w=2 External Source HP HPSBPI03014
http://marc.info/?l=bugtraq&m=139836085512508&w=2 External Source HP HPSBMU03020
http://marc.info/?l=bugtraq&m=139842151128341&w=2 External Source HP HPSBST03016
http://marc.info/?l=bugtraq&m=139843768401936&w=2 External Source HP HPSBMU03023
http://marc.info/?l=bugtraq&m=139869720529462&w=2 External Source HP HPSBMU03025
http://marc.info/?l=bugtraq&m=139869891830365&w=2 External Source HP HPSBMU03022
http://marc.info/?l=bugtraq&m=139889113431619&w=2 External Source HP HPSBMU03024
http://marc.info/?l=bugtraq&m=139889295732144&w=2 External Source HP HPSBPI03031
http://marc.info/?l=bugtraq&m=139905202427693&w=2 External Source HP HPSBMU03029
http://marc.info/?l=bugtraq&m=139905243827825&w=2 External Source HP HPSBMU03028
http://marc.info/?l=bugtraq&m=139905295427946&w=2 External Source HP HPSBMU03033
http://marc.info/?l=bugtraq&m=139905351928096&w=2 External Source HP HPSBMU03030
http://marc.info/?l=bugtraq&m=139905405728262&w=2 External Source HP HPSBMU03032
http://marc.info/?l=bugtraq&m=139905458328378&w=2 External Source HP HPSBMU03009
http://marc.info/?l=bugtraq&m=139905653828999&w=2 External Source HP HPSBST03004
http://marc.info/?l=bugtraq&m=139905868529690&w=2 External Source HP HPSBST03027
http://marc.info/?l=bugtraq&m=140015787404650&w=2 External Source HP HPSBMU03040
http://marc.info/?l=bugtraq&m=140075368411126&w=2 External Source HP HPSBMU03044
http://marc.info/?l=bugtraq&m=140724451518351&w=2 External Source HP HPSBMU03037
http://marc.info/?l=bugtraq&m=140752315422991&w=2 External Source HP HPSBMU03062
http://marc.info/?l=bugtraq&m=141287864628122&w=2 External Source HP HPSBHF03136
http://marc.info/?l=bugtraq&m=142660345230545&w=2 External Source HP SSRT101846
http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=1 External Source CONFIRM http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=1
http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=3 External Source CONFIRM http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=3
http://rhn.redhat.com/errata/RHSA-2014-0376.html External Source REDHAT RHSA-2014:0376
http://rhn.redhat.com/errata/RHSA-2014-0377.html External Source REDHAT RHSA-2014:0377
http://rhn.redhat.com/errata/RHSA-2014-0378.html External Source REDHAT RHSA-2014:0378
http://rhn.redhat.com/errata/RHSA-2014-0396.html External Source REDHAT RHSA-2014:0396
http://seclists.org/fulldisclosure/2014/Apr/109 External Source FULLDISC 20140409 Re: heartbleed OpenSSL bug CVE-2014-0160
http://seclists.org/fulldisclosure/2014/Apr/173 External Source FULLDISC 20140411 MRI Rubies may contain statically linked, vulnerable OpenSSL
http://seclists.org/fulldisclosure/2014/Apr/190 External Source FULLDISC 20140412 Re: heartbleed OpenSSL bug CVE-2014-0160
http://seclists.org/fulldisclosure/2014/Apr/90 External Source FULLDISC 20140408 heartbleed OpenSSL bug CVE-2014-0160
http://seclists.org/fulldisclosure/2014/Apr/91 External Source FULLDISC 20140408 Re: heartbleed OpenSSL bug CVE-2014-0160
http://seclists.org/fulldisclosure/2014/Dec/23 External Source FULLDISC 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
http://secunia.com/advisories/59139 External Source SECUNIA 59139
http://secunia.com/advisories/59243 External Source SECUNIA 59243
http://secunia.com/advisories/59347 External Source SECUNIA 59347
http://support.citrix.com/article/CTX140605 External Source CONFIRM http://support.citrix.com/article/CTX140605
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed External Source CISCO 20140409 OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products
http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf External Source CONFIRM http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf
http://www.blackberry.com/btsc/KB35882 External Source CONFIRM http://www.blackberry.com/btsc/KB35882
http://www.debian.org/security/2014/dsa-2896 External Source DEBIAN DSA-2896
http://www.exploit-db.com/exploits/32745 External Source EXPLOIT-DB 32745
http://www.exploit-db.com/exploits/32764 External Source EXPLOIT-DB 32764
http://www.f-secure.com/en/web/labs_global/fsc-2014-1 External Source CONFIRM http://www.f-secure.com/en/web/labs_global/fsc-2014-1
http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/ External Source CONFIRM http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/
http://www.getchef.com/blog/2014/04/09/chef-server-heartbleed-cve-2014-0160-releases/ External Source CONFIRM http://www.getchef.com/blog/2014/04/09/chef-server-heartbleed-cve-2014-0160-releases/
http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/ External Source CONFIRM http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/
http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/ External Source CONFIRM http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/
http://www.innominate.com/data/downloads/manuals/mdm_1.5.2.1_Release_Notes.pdf External Source CONFIRM http://www.innominate.com/data/downloads/manuals/mdm_1.5.2.1_Release_Notes.pdf
http://www.kb.cert.org/vuls/id/720951 US Government Resource External Source CERT-VN VU#720951
http://www.kerio.com/support/kerio-control/release-history External Source CONFIRM http://www.kerio.com/support/kerio-control/release-history
http://www.mandriva.com/security/advisories?name=MDVSA-2015:062 External Source MANDRIVA MDVSA-2015:062
http://www.openssl.org/news/secadv_20140407.txt Vendor Advisory External Source CONFIRM http://www.openssl.org/news/secadv_20140407.txt
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html External Source CONFIRM http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html External Source CONFIRM http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html
http://www.securityfocus.com/archive/1/archive/1/534161/100/0/threaded External Source BUGTRAQ 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
http://www.securityfocus.com/bid/66690 External Source BID 66690
http://www.securitytracker.com/id/1030026 External Source SECTRACK 1030026
http://www.securitytracker.com/id/1030074 External Source SECTRACK 1030074
http://www.securitytracker.com/id/1030077 External Source SECTRACK 1030077
http://www.securitytracker.com/id/1030078 External Source SECTRACK 1030078
http://www.securitytracker.com/id/1030079 External Source SECTRACK 1030079
http://www.securitytracker.com/id/1030080 External Source SECTRACK 1030080
http://www.securitytracker.com/id/1030081 External Source SECTRACK 1030081
http://www.securitytracker.com/id/1030082 External Source SECTRACK 1030082
http://www.splunk.com/view/SP-CAAAMB3 External Source CONFIRM http://www.splunk.com/view/SP-CAAAMB3
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160512_00 External Source CONFIRM http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160512_00
http://www.ubuntu.com/usn/USN-2165-1 External Source UBUNTU USN-2165-1
http://www.us-cert.gov/ncas/alerts/TA14-098A US Government Resource External Source CERT TA14-098A
http://www.vmware.com/security/advisories/VMSA-2014-0012.html External Source CONFIRM http://www.vmware.com/security/advisories/VMSA-2014-0012.html
http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0 External Source CONFIRM http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0
http://www-01.ibm.com/support/docview.wss?uid=isg400001841 External Source CONFIRM http://www-01.ibm.com/support/docview.wss?uid=isg400001841
http://www-01.ibm.com/support/docview.wss?uid=isg400001843 External Source CONFIRM http://www-01.ibm.com/support/docview.wss?uid=isg400001843
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004661 External Source CONFIRM http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004661
http://www-01.ibm.com/support/docview.wss?uid=swg21670161 External Source CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21670161
https://blog.torproject.org/blog/openssl-bug-cve-2014-0160 External Source MISC https://blog.torproject.org/blog/openssl-bug-cve-2014-0160
https://bugzilla.redhat.com/show_bug.cgi?id=1084875 External Source CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=1084875
https://code.google.com/p/mod-spdy/issues/detail?id=85 External Source CONFIRM https://code.google.com/p/mod-spdy/issues/detail?id=85
https://filezilla-project.org/versions.php?type=server External Source CONFIRM https://filezilla-project.org/versions.php?type=server
https://gist.github.com/chapmajs/10473815 External Source MISC https://gist.github.com/chapmajs/10473815
https://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?spf_p.tpst=kbDocDisplay&spf_p.prp_kbDocDisplay=wsrp-navigationalState%3DdocId%253Demr_na-c04260637-4%257CdocLocale%253Den_US%257CcalledBy%253DSearch_Result&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken External Source HP HPSBST03000
https://lists.balabit.hu/pipermail/syslog-ng-announce/2014-April/000184.html External Source MLIST [syslog-ng-announce] 20140411 syslog-ng Premium Edition 5 LTS (5.0.4a) has been released
https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html External Source CONFIRM https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html
https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html?sr=36517217 External Source CONFIRM https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html?sr=36517217
https://www.cert.fi/en/reports/2014/vulnerability788210.html External Source MISC https://www.cert.fi/en/reports/2014/vulnerability788210.html

Technical Details

Vulnerability Type

Change History: 12 change records found