Important OpenSSL Security Update: CVE-2014-0160 (Heartbleed)

Overview

An information disclosure flaw was found in the way OpenSSL handled transport layer security (TLS) and datagram transport layer security (DTLS) Heartbeat Extension packets. This flaw is commonly referred to as the Heartbleed bug.

A malicious TLS or DTLS client or server could send a specially crafted TLS or DTLS Heartbeat packet to disclose a limited portion of memory per request from a connected client or server. Note that the disclosed portions of memory could potentially include sensitive information such as private keys. (CVE-2014-0160)
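
A defender-side illustration of the missing length check, as an added example (this is not OpenSSL's code and not part of the Red Hat advisory): the fix for CVE-2014-0160 is to verify that a heartbeat's declared payload_length fits inside the record that actually arrived before echoing the payload back. The message layout follows the TLS Heartbeat Extension (RFC 6520); the sample records and the function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* TLS Heartbeat message layout (RFC 6520):
 *   1 byte   HeartbeatMessageType (1 = request, 2 = response)
 *   2 bytes  payload_length, big-endian
 *   payload_length bytes of payload
 *   at least 16 bytes of random padding
 */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16
#define HB_REQUEST     1
#define HB_RESPONSE    2

/* Builds a heartbeat response for a received heartbeat request record.
 * Returns the number of bytes written to out, or -1 if the record is rejected.
 * The bounds check below is the one missing from the affected OpenSSL 1.0.1
 * builds: without it, the peer's claimed payload_length drives the copy and
 * memory beyond the record is read and sent back. */
int hb_build_response(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return -1; /* too short to be a heartbeat */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* Essential check: declared length plus header and padding must fit the record. */
    if (HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len) return -1;
    size_t resp_len = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len); /* echo only what was received */
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);  /* a real stack uses random padding */
    return (int)resp_len;
}

/* Constructed sample records: a well-formed 4-byte "ping" request, and a
 * request whose declared payload_length (65535) far exceeds the 19 bytes present. */
static const uint8_t hb_good[HB_HEADER_LEN + 4 + HB_MIN_PADDING] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t hb_bad[HB_HEADER_LEN + HB_MIN_PADDING] = { HB_REQUEST, 0xff, 0xff };

/* Returns the response length (23) only if the payload was echoed intact; -2 otherwise. */
int hb_demo_good(void)
{
    uint8_t out[64];
    int n = hb_build_response(hb_good, sizeof hb_good, out, sizeof out);
    return (n == 23 && memcmp(out + HB_HEADER_LEN, "ping", 4) == 0) ? n : -2;
}

/* Returns -1: the oversized request is rejected before any copy happens. */
int hb_demo_bad(void)
{
    uint8_t out[64];
    return hb_build_response(hb_bad, sizeof hb_bad, out, sizeof out);
}
```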

This issue did not affect the versions of OpenSSL as shipped with Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6.4 and earlier and Red Hat Enterprise Linux 7. This issue does affect Red Hat Enterprise Linux 7 beta, Red Hat Enterprise Linux 6.5, Red Hat Enterprise Virtualization Hypervisor 6.5, and Red Hat Storage 2.1, which provided OpenSSL 1.0.1e.

Once you have updated your systems, you can use Red Hat's Heartbleed Detector to validate your systems have been secured.

Response Timeline

All times below are listed in UTC.

  • 2014-04-14 17:08 - Red Hat updates recommendation to strongly consider replacing keys and certificates
  • 2014-04-08 11:22 - Red Hat Enterprise Virtualization Hypervisor advisory sent by email
  • 2014-04-08 11:14 - Red Hat Enterprise Virtualization Hypervisor update published to Red Hat Network
  • 2014-04-08 07:07 - Red Hat Storage advisory sent by email
  • 2014-04-08 06:48 - Red Hat Storage update published to Red Hat Network
  • 2014-04-08 03:21 - Red Hat Enterprise Linux advisory sent by email
  • 2014-04-08 02:09 - Red Hat Enterprise Linux update published to Red Hat Network
  • 2014-04-07 18:39 - OpenSSL security advisory is made public
  • 2014-04-07 17:25 - OpenSSL updates and web pages are made public
  • 2014-04-07 06:10 - Red Hat officially notified about the issue by OpenSSL under embargo

Most Recent Update

April 14th, 2014

Reports from the security research community have now proven that private keys may be stolen from vulnerable systems. Red Hat strongly recommends that customers assess the risk this may pose to their systems and react accordingly (for example, by replacing SSL keys). For more information on this, please read Recovering from the Heartbleed Vulnerability.

Statement on Red Hat Website Vulnerability

On April 7, 2014, the OpenSSL Project released an update to address the vulnerability identified by CVE-2014-0160 (also known as "Heartbleed").

Red Hat takes security seriously. The following Red Hat websites, which transmit customer data, were not reliant on a vulnerable OpenSSL library for SSL/TLS communication and were not affected by the "Heartbleed" vulnerability:

  • www.redhat.com
  • access.redhat.com (Red Hat Customer Portal)
  • rhn.redhat.com (Red Hat Network)

Translations of This Announcement

Select a language from the list below to read the corresponding translation of this announcement. The Response Timeline will only be maintained in English, so please refer back to this version of the announcement for the most current information.
