Heartbleed OpenSSL Vulnerability

Risk:
High

Type:
Active

CWE:
CWE-119

Summary: The TLS implementation in OpenSSL 1.0.1 before 1.0.1g does not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.

Solution: Update to OpenSSL 1.0.1g or later. Re-issue HTTPS certificates. Change asymmetric private keys and shared secret keys, since these may have been compromised, with no evidence of compromise in the server log files.

Other info: This issue was confirmed by exfiltrating data from the server, using TLS 1.1. This is unlikely to be a false positive.

References: https://nvd.nist.gov/vuln/detail/CVE-2014-0160

Free security scan for your website

Don't show website scan report rating on the leaderboard