Details
Alert Id 10034
Alert Type Passive
Status release
Risk
CWE
WASC
Technologies Targeted All
Tags CVE-2014-0160, OWASP_2017_A09, OWASP_2021_A06, WSTG-V42-CRYP-01

Summary

The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read.

Solution

Update to OpenSSL 1.0.1g or later. Re-issue HTTPS certificates. Change asymmetric private keys and shared secret keys, since these may have been compromised without leaving any evidence of compromise in the server log files.
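
A passive check for the version range named in the Summary can work from the OpenSSL token that some servers expose in the `Server` response header. The following is an added example, not the code of the ZAP scan rule; the function names and the sample headers are constructed for illustration.

```python
import re

# OpenSSL token as it appears in Server headers, e.g. "OpenSSL/1.0.1e" or
# "OpenSSL/1.0.1e-fips": three numeric parts, optional patch letter, optional tag.
_OPENSSL_TOKEN = re.compile(
    r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([a-z0-9.]+))?", re.IGNORECASE
)


def openssl_version(server_header):
    """Return (major, minor, fix, letter, tag) or None if no OpenSSL token is present."""
    m = _OPENSSL_TOKEN.search(server_header or "")
    if m is None:
        return None
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, fix, m.group(4).lower(), (m.group(5) or "").lower())


def in_affected_range(version):
    """True for OpenSSL 1.0.1 before 1.0.1g, i.e. 1.0.1 and 1.0.1a through 1.0.1f."""
    major, minor, fix, letter, _tag = version
    if (major, minor, fix) != (1, 0, 1):
        return False
    # Assumption: a tag such as "-fips" or "-beta1" does not change the verdict;
    # only the patch letter is compared ("" sorts before "a").
    return letter < "g"


def classify(server_header):
    """Map a Server header value to 'affected-range', 'not-in-range' or 'no-version'."""
    version = openssl_version(server_header)
    if version is None:
        return "no-version"
    return "affected-range" if in_affected_range(version) else "not-in-range"


if __name__ == "__main__":
    # Constructed sample headers, not captured from real hosts.
    samples = [
        "Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.1e",
        "Apache/2.4.7 (Unix) OpenSSL/1.0.1g",
        "Apache/2.2.15 (Unix) OpenSSL/1.0.0-fips",
        "nginx",
    ]
    for header in samples:
        print(f"{classify(header):15} {header}")
```

A banner in the affected range is an indicator, not proof: distributions shipped fixed builds without changing the upstream version string, and a missing token says nothing about the library actually in use.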

Other Info

References

Code

org/zaproxy/zap/extension/pscanrules/HeartBleedScanRule.java