Heartbleed OpenSSL Vulnerability

Type: Active Scan

Risk: High

Description

The TLS implementation in OpenSSL 1.0.1 before 1.0.1g does not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.

Solution

Update to OpenSSL 1.0.1g or later. Re-issue HTTPS certificates. Change asymmetric private keys and shared secret keys, since these may have been compromised, with no evidence of compromise in the server log files.

References

CWE: 119

WASC: 20

Code

Last updated: 2020-07-20 08:53:37.296Z