ZAP – Heartbleed OpenSSL Vulnerability

Details
Alert ID	20015
Alert Type	Active
Status	release
Risk	High
CWE	119
WASC	20
Technologies Targeted	All
Tags	CVE-2014-0160 CWE-119 OWASP_2017_A09 OWASP_2021_A06 WSTG-V42-CRYP-01
More Info	Scan Rule Help

Summary

The TLS implementation in OpenSSL 1.0.1 before 1.0.1g does not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.

Solution

Update to OpenSSL 1.0.1g or later. Re-issue HTTPS certificates. Change asymmetric private keys and shared secret keys, since these may have been compromised, with no evidence of compromise in the server log files.

Other Info

This issue was confirmed by exfiltrating data from the server, using TLS 1.1. This is unlikely to be a false positive.

References

https://nvd.nist.gov/vuln/detail/CVE-2014-0160

Code

org/zaproxy/zap/extension/ascanrules/HeartBleedActiveScanRule.java