CVE-2014-0160: The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to…

high7.5CVSS 3.1

AVNACLPRNUINSUCHINAN

KEVITWEXPLOIT

CISA Known Exploited Vulnerabilitydue 2022-05-25

Exploited in the wild

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

Affected

125 ranges· showing 25

Vendor	Product	Version range	Fixed in
apache	tomcat	—	—
broadcom	symantec_messaging_gateway	—	—
broadcom	symantec_messaging_gateway	—	—
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
cisco	asa	—	—
cisco	telepresence_system_mxp_series	—	—
cisco	telepresence_tc_and_te	—	—
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	openssl	< openssl 1.0.1g-1 (bookworm)	openssl 1.0.1g-1 (bookworm)
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
filezilla-project	filezilla_server	< 0.9.44	0.9.44
hp	integrated_lights-out_2_firmware	<= 2.23	—
hp	integrated_lights-out_2_firmware	—	—
hp	integrated_lights-out_2_firmware	—	—
hp	integrated_lights-out_2_firmware	—	—
hp	integrated_lights-out_2_firmware	—	—
hp	integrated_lights-out_2_firmware	—	—
hp	integrated_lights-out_2_firmware	—	—
hp	integrated_lights-out_2_firmware	—	—
hp	integrated_lights-out_2_firmware	—	—

CVSS provenance

nvd7.8HIGHAV:N/AC:L/Au:N/C:N/I:N/A:C

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

osv7.5HIGH

vulncheck7.5HIGH

cisa7.5HIGH