Bugzilla 1084875: CVE-2014-0160 openssl: information disclosure in handling of TLS heartbeat extension packets
An information disclosure flaw was found in the way OpenSSL handled TLS and DTLS Heartbeat Extension packets. A malicious TLS or DTLS client or server could send a specially crafted TLS or DTLS Heartbeat packet to disclose a limited portion of memory per request from a connected client or server. Note that the disclosed portions of memory could potentially include sensitive information such as private keys.
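As an added illustration of the class of flaw described above (this is example code written for this page, not code from OpenSSL or from Red Hat): a simplified model of a heartbeat handler that trusts the 16-bit payload length declared inside the message, beside a hardened handler that first checks that declared length against the length of the record that actually arrived, which is what RFC 6520 requires. The function names, the 128-byte arena, the crafted request and the stand-in secret are all constructed for the demonstration; the vulnerable model is deliberately kept inside that arena so the program has defined behaviour, whereas the real flaw read past the record into adjacent heap memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 layout: type(1) | payload_length(2) | payload | padding(>=16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define ARENA_LEN   128   /* constructed demo buffer, not a protocol constant */

/* Hardened handler (hypothetical name): discards any message whose declared
 * payload does not fit inside the record. 0 = answered, -1 = discarded. */
int heartbeat_respond_fixed(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* The missing check: declared length versus the bytes that really arrived. */
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return -1;                          /* silently discard, per RFC 6520 */
    size_t need = 1 + 2 + payload + HB_PADDING;
    if (need > out_cap)
        return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);      /* now bounded by rec_len */
    memset(out + 3 + payload, 0, HB_PADDING); /* real code uses random padding */
    *out_len = need;
    return 0;
}

/* Vulnerable model (hypothetical name): copies `payload` bytes on the strength
 * of the peer-supplied length alone. The out_cap test only keeps the demo
 * inside its arena; it is not a fix. */
int heartbeat_respond_vuln(const uint8_t *rec,
                           uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    size_t need = 1 + 2 + payload + HB_PADDING;
    if (need > out_cap)
        return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);      /* reads past the 2 bytes actually sent */
    memset(out + 3 + payload, 0, HB_PADDING);
    *out_len = need;
    return 0;
}

/* Constructed sample: a 21-byte request declaring a 64-byte payload but
 * carrying only "hi", followed in the same buffer by a stand-in secret. */
static size_t build_arena(uint8_t *arena)
{
    memset(arena, 0, ARENA_LEN);
    arena[0] = HB_REQUEST;
    arena[1] = 0x00; arena[2] = 0x40;       /* declared payload_length = 64 */
    arena[3] = 'h';  arena[4] = 'i';        /* bytes 5..20 are the padding */
    const char *secret = "CONSTRUCTED-SECRET-KEY-MATERIAL";
    memcpy(arena + 21, secret, strlen(secret));
    return 21;                              /* true record length */
}

static int contains(const uint8_t *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return 1;
    return 0;
}

/* 1 if the vulnerable handler's response carries the stand-in secret. */
int demo_vuln_leaks(void)
{
    uint8_t arena[ARENA_LEN], out[ARENA_LEN];
    size_t n;
    build_arena(arena);
    if (heartbeat_respond_vuln(arena, out, sizeof out, &n) != 0)
        return 0;
    return contains(out, n, "CONSTRUCTED-SECRET-KEY-MATERIAL");
}

/* Hardened handler on the same crafted record: -1 means discarded. */
int demo_fixed_rejects(void)
{
    uint8_t arena[ARENA_LEN], out[ARENA_LEN];
    size_t n;
    size_t rec_len = build_arena(arena);
    return heartbeat_respond_fixed(arena, rec_len, out, sizeof out, &n);
}

/* Hardened handler on an honest 2-byte request: returns the response length. */
int demo_fixed_accepts_honest(void)
{
    uint8_t arena[ARENA_LEN], out[ARENA_LEN];
    size_t n = 0;
    size_t rec_len = build_arena(arena);
    arena[2] = 0x02;                        /* honest payload_length = 2 */
    if (heartbeat_respond_fixed(arena, rec_len, out, sizeof out, &n) != 0)
        return -1;
    return (int)n;                          /* 1 + 2 + 2 + 16 = 21 */
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", demo_vuln_leaks());
    printf("hardened handler on crafted record: %d\n", demo_fixed_rejects());
    printf("hardened handler on honest record: %d bytes\n", demo_fixed_accepts_honest());
    return 0;
}
```

The difference between the two handlers is the single comparison of the declared payload length against the record length; everything else is identical. That is also why the issue is a read overrun rather than a write: the response buffer is sized from the same trusted length, so the copy stays within it while its source runs off the end of the request.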
This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6.4 and earlier, Red Hat JBoss Enterprise Application Platform 5 and 6, and Red Hat JBoss Web Server 1 and 2. This issue does affect Red Hat Enterprise Linux 7 Beta, Red Hat Enterprise Linux 6.5, Red Hat Enterprise Virtualization Hypervisor 6.5, and Red Hat Storage 2.1, which provided openssl 1.0.1e. Errata have been released to correct this issue.
Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/announcements/781953
CVSS v2 metrics
Red Hat security errata
| Platform | Advisory | Release date |
|---|---|---|
| RHEV Hypervisor for RHEL-6 (rhev-hypervisor6) | RHSA-2014:0378 | April 08, 2014 |
| RHEV Hypervisor for RHEL-6 (rhev-hypervisor6) | RHSA-2014:0396 | April 10, 2014 |
| RHEV-M for Servers (spice-client-msi) | RHSA-2014:0416 | April 17, 2014 |
| Red Hat Enterprise Linux version 6 (openssl) | RHSA-2014:0376 | April 08, 2014 |
| Red Hat Storage Server 2.1 (openssl) | RHSA-2014:0377 | April 08, 2014 |
Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges Neel Mehta of Google Security as the original reporter.
This page is generated automatically and has not been checked for errors or omissions.
For clarification or corrections please contact the Red Hat Security Response Team.