EntityQ16244272· pop 40· linked from 330 articles

Heartbleed

Heartbleed is a security bug in some outdated versions of the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed could be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It resulted from improper input validation (due to a missing bounds check) in the implementation of the TLS heartbeat extension. Thus, the bug's name derived from heartbeat. The vulnerability was classified as a buffer

Key facts

Bug.name: Heartbleed
Bug.image: 180px
Bug.caption: Logo representing Heartbleed. Awareness and media coverage of Heartbleed was unusually high for a software bug.
Bug.CVE: CVE-2014-0160
Bug.CVSS: Base: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Bug.affected software: OpenSSL (1.0.1)

via Wikipedia infobox

Article

23 sections

Contents

History
Discovery
Bugfix and deployment
Certificate renewal and revocation
Exploitation
Possible prior knowledge and exploitation
Behavior
Affected OpenSSL installations
Vulnerable program and function
Patch
Impact
Client-side vulnerability
Specific systems affected
Websites and other online services
Software applications
Operating systems/firmware
Vulnerability testing services
Remediation
Browser security certificate revocation awareness
Root causes, possible lessons, and reactions
References
Bibliography
External links

Heartbleed was registered in the Common Vulnerabilities and Exposures database as . A fixed version of OpenSSL was released on 7 April 2014, on the same day Heartbleed was publicly disclosed.