HeartBleed
Description
The TLS implementation in OpenSSL 1.0.1 before 1.0.1g does not properly handle Heartbeat Extension packets: a crafted heartbeat request triggers a buffer over-read, which lets a remote attacker read sensitive data (such as private keys, session material and user credentials) directly from the server's process memory.
Remediation
To effectively prevent HeartBleed attacks:
- Update to OpenSSL 1.0.1g or later.
- Re-issue HTTPS certificates.
- Rotate asymmetric private keys and shared secret keys, since they may have been read out of memory without leaving any trace in the server logs.
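To make the over-read and its fix concrete, here is an added example (not Escape's check code and not OpenSSL's source): it models the RFC 6520 heartbeat layout (type byte, 16-bit payload length, payload, at least 16 bytes of padding), shows on a constructed in-memory buffer how an echo that trusts the claimed length reads past the record, and implements the bounds check introduced in OpenSSL 1.0.1g next to it. A helper that decides whether an `openssl version` string falls in the affected 1.0.1 to 1.0.1f range is included for the first remediation step. The buffer contents, the function names and the "adjacent heap" bytes are all constructed for illustration.

```python
import re
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of padding follow the payload


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request. claimed_length overrides the true payload length
    so a test can construct a record whose length field lies (constructed input)."""
    length = len(payload) if claimed_length is None else claimed_length
    return bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", length) + payload + b"\x00" * MIN_PADDING


def echo_unchecked(memory: bytes, record_start: int) -> bytes:
    """Behaviour before 1.0.1g: copy 'claimed' bytes after the length field with no
    check that they lie inside the record. 'memory' is a constructed stand-in for the
    process heap: the heartbeat record followed by whatever happens to sit next to it."""
    (claimed,) = struct.unpack("!H", memory[record_start + 1:record_start + 3])
    start = record_start + 3
    return memory[start:start + claimed]  # over-reads when claimed > real payload


def validate_heartbeat(record: bytes) -> Optional[bytes]:
    """Behaviour from 1.0.1g: return the payload to echo, or None to discard silently."""
    if len(record) < 1 + 2 + MIN_PADDING:
        return None
    if record[0] not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    (claimed,) = struct.unpack("!H", record[1:3])
    # Type byte, length field, claimed payload and minimum padding must all fit in the record.
    if 1 + 2 + claimed + MIN_PADDING > len(record):
        return None
    return record[3:3 + claimed]


_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def openssl_is_vulnerable(version: str) -> bool:
    """True for OpenSSL 1.0.1 through 1.0.1f (the range named in the description).
    Accepts raw 'openssl version' output such as 'OpenSSL 1.0.1f 6 Jan 2014'."""
    m = _VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    patch = m.group(4)  # '' for a bare 1.0.1, otherwise a letter
    if (major, minor, fix) != (1, 0, 1):
        return False
    return patch < "g"


if __name__ == "__main__":
    adjacent = b"SECRET-KEY-MATERIAL-IN-ADJACENT-HEAP"  # constructed neighbouring heap bytes
    honest = build_heartbeat(b"ping")
    lying = build_heartbeat(b"ping", claimed_length=40)  # claims 40, carries 4
    print(validate_heartbeat(honest))
    print(validate_heartbeat(lying))
    print(echo_unchecked(lying + adjacent, 0))
    print(openssl_is_vulnerable("OpenSSL 1.0.1f 6 Jan 2014"))
```

The check in `validate_heartbeat` is the whole fix: the record's own length, not the attacker-controlled length field, bounds the copy, and a record that fails the check is dropped rather than answered.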
Configuration
Identifier:
protocol/heartbleed
Examples
Ignore this check
{
  "checks": {
    "protocol/heartbleed": {
      "skip": true
    }
  }
}
Score
Escape Severity: HIGH
OWASP: API7:2023
CWE
- 118
- 119
- 125
- 126
- 664
CVSS
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
- CVSS_SCORE: 7.2