VID 22617
Severity 40
Port 80, ...
Protocol TCP
Class WWW
Detailed Description According to its banner, the remote web server is running a version of OpenSSL 1.0.1 prior to 1.0.1g and is vulnerable to the Heartbleed bug and a side-channel attack. The OpenSSL library is, therefore, reportedly affected by the following vulnerabilities:

- An error exists related to the implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA) that could allow nonce disclosure via the 'FLUSH+RELOAD' cache side-channel attack. (CVE-2014-0076)
- An out-of-bounds read error, known as the 'Heartbleed Bug', exists related to handling TLS heartbeat extensions that could allow an attacker to obtain sensitive information such as primary key material, secondary key material and other protected content. (CVE-2014-0160)

* References:
http://heartbleed.com/
http://eprint.iacr.org/2014/140
http://www.openssl.org/news/vulnerabilities.html#2014-0076
http://www.openssl.org/news/vulnerabilities.html#2014-0160
http://www.mail-archive.com/openssl-announce@openssl.org/msg00131.html

* Platforms Affected:
OpenSSL 1.0.1 prior to 1.0.1g
Linux Any version
Unix Any version
Microsoft Windows Any version
Recommendation Upgrade to the latest version of OpenSSL (1.0.1g or later), available from the OpenSSL Web site at http://www.openssl.org/
Related URL CVE-2014-0076,CVE-2014-0160 (CVE)
Related URL 66363,66690 (SecurityFocus)
Related URL (ISS)