Blog: Heartbleed

Heartbleed OpenSSL bug- overview and fixes

Joe Bursell 08 Apr 2014

If you’re running OpenSSL you should review your version and decide if you need to upgrade to 1.0.1g ASAP.

Researchers have found a bug that allowed them to steal the secret keys used for certificates, user names, passwords, IMs, email and other business critical data. Named Heartbleed, this TLS stack bug allows attackers to read up to 64KB of memory.

The upgrade advisory makes it clear that not all versions are affected:

OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley and Bodo Moeller for preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.

If in any doubt you should check your URLs for yourself here http://filippo.io/Heartbleed/.

There is a full write-up here http://heartbleed.com/ and the original advisory can be found here https://www.openssl.org/news/secadv_20140407.txt.