CVE site: http://cve.mitre.org/
More: http://heartbleed.com/
Problem description: OpenSSL has an information disclosure flaw in its handling of TLS and DTLS heartbeat extension packets. A TLS or DTLS client or server can send a specially crafted TLS or DTLS heartbeat packet to read memory of the connected client or server that should be off-limits and may contain sensitive information.
Fix: upgrade openssl, then rescan the system with a Heartbleed detection tool【1】【2】 to confirm it is no longer vulnerable.
- Red Hat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1084875
- Red Hat solution: https://access.redhat.com/site/solutions/781793
- Red Hat CVE database: https://access.redhat.com/security/cve/CVE-2014-0160
- RHEL7 beta: openssl-1.0.1e-16.el6_5.7
- RHEL6: openssl-1.0.1e-34.el7
- Fedora: openssl-1.0.1e-37.fc20.1.x86_64
【1】https://access.redhat.com/site/labsinfo/heartbleed
【2】https://github.com/gavin-romig-koch/heartbleed
From: http://www.openssl.org/news/secadv_20140407.txt

OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.

Thanks to Neel Mehta of Google Security for discovering this bug and to Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.
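The "missing bounds check" the advisory refers to, as an added example that is not OpenSSL's code: a reduced model of heartbeat record handling in which the pre-fix over-read is computed rather than performed, next to the length check that 1.0.1g added. The record layout follows RFC 6520; the function names are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 6520 heartbeat: type (1) | payload_length (2, big-endian) | payload | padding (>=16).
 * A response has the same layout with type 2. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HDR = 3, HB_MIN_PAD = 16 };

/* Payload length the peer claims, or -1 if the record cannot even hold the header. */
static long claimed_payload(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HDR) return -1;
    return ((long)rec[1] << 8) | rec[2];          /* what n2s() does in OpenSSL */
}

/* Pre-1.0.1g behaviour, modelled rather than performed: the claimed length was trusted and
 * that many bytes were memcpy'd into the reply, so this is how many would come from past the
 * end of the record (0 = none). */
size_t heartbleed_overread(const uint8_t *rec, size_t rec_len)
{
    long payload = claimed_payload(rec, rec_len);
    if (payload < 0) return 0;
    size_t read_end = HB_HDR + (size_t)payload;
    return read_end > rec_len ? read_end - rec_len : 0;
}

/* The bounds check added in 1.0.1g: the record must really hold the claimed payload plus
 * minimum padding, otherwise the message is silently discarded (RFC 6520 section 4). */
int heartbeat_accept(const uint8_t *rec, size_t rec_len)
{
    if (HB_HDR + HB_MIN_PAD > rec_len) return 0;
    long payload = claimed_payload(rec, rec_len);
    return HB_HDR + (size_t)payload + HB_MIN_PAD <= rec_len;
}

/* Reply the fixed code sends: echoed payload, then padding (zeros here; OpenSSL draws it
 * from its PRNG). Returns the reply length, or 0 when the request is dropped. */
size_t heartbeat_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (!heartbeat_accept(rec, rec_len) || rec[0] != HB_REQUEST) return 0;
    size_t payload = (size_t)claimed_payload(rec, rec_len);
    size_t resp_len = HB_HDR + payload + HB_MIN_PAD;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8); out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + HB_HDR, rec + HB_HDR, payload);  /* in bounds: checked by heartbeat_accept */
    memset(out + HB_HDR + payload, 0, HB_MIN_PAD);
    return resp_len;
}
```

A well-formed request is echoed; a record whose length field exceeds what was actually sent is dropped, where the old code would have copied up to 64k of adjacent memory into the reply.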
# rpm -qi openssl --changelog
....
* Mon Apr 07 2014 Dennis Gilmore <dennis@ausil.us> - 1.0.1e-37.1
- pull in upstream patch for CVE-2014-0160
- removed CHANGES file portion from patch for expediency

[amos@amosk tmp]$ python heartbleed-poc.py amosk.info
Scanning amosk.info on port 443
Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 66
Message Type is 0x02
 ... received message: type = 22, ver = 0302, length = 2555
Message Type is 0x0B
 ... received message: type = 22, ver = 0302, length = 331
Message Type is 0x0C
 ... received message: type = 22, ver = 0302, length = 4
Message Type is 0x0E
Server sent server hello done
Server TLS version was 1.2
Sending heartbeat request...
No heartbeat response received from amosk.info, server likely not vulnerable