Home > Documents > Security Alerts > 2014 > [Updated] Vulnerability in OpenSSL

[Updated] Vulnerability in OpenSSL

                                            2014-04-08 (First edition)
                                                  2014-04-11 (Updated)

                  <<< JPCERT/CC Alert 2014-04-08 >>>>

                  [Updated] Vulnerability in OpenSSL


I. Overview

 The heartbeat extension of OpenSSL provided by the OpenSSL Project
contains a vulnerability. As a result, a remote third party may gain
access to information from memory inside the system and retrieve
sensitive information such as private keys by sending a crafted packet.

 For systems using affected versions of OpenSSL, it is recommended to
update to a version provided by OpenSSL Project that has this 
vulnerability addressed.

  OpenSSL Project
  OpenSSL Security Advisory [07 Apr 2014] - TLS heartbeat read overrun (CVE-2014-0160)

*** Update: Revised on April 11, 2014 *********************************
  Exploit code for this vulnerability is publicly available. According
to information provided by National Police Agency (NPA),
network traffic leveraging this vulnerability have been observed.
Therefore, please consider of applying the solution mentioned in
"III. Solution".

II. Affected Products

 The following versions are affected by this vulnerability:

  - OpenSSL 1.0.1 through 1.0.1f
  - OpenSSL 1.0.2-beta through 1.0.2-beta1

*** Update: Revised on April 11, 2014 *********************************
 Software products that support OpenSSL may also be affected.
Please refer to the information provided by the developers of the
Software products.

III. Solution

  OpenSSL Project has released a version addressing this 
vulnerability. It is recommended to update to this latest version,
after thorough testing. For OpenSSL 1.0.2-beta, versions addressing
this vulnerability have yet to be released (as of April 8, 2014).

 Updated version
  - OpenSSL 1.0.1g


 If the update cannot be applied for an extended period of time, please
consider the following workaround.

 - turn on -DOPENSSL_NO_HEARTBEATS option and recompile OpenSSL

 If the system is using OpenSSL provided by a distributor, please refer
to the information provided by the distributor.

    USN-2165-1: OpenSSL vulnerabilities

    Important: openssl security update

    Debian Security Advisory DSA-2896-1 openssl -- security update

*** Update: Revised on April 11, 2014 *********************************
 If your system is using OpenSSL affected by this vulnerability,
sensitive information such as private keys and account information may
already have leaked. With the assumption that an attacker has already
used this vulnerability to obtain those sensitive information, please
consider of taking measures such as generating new private keys and
issuing new server certificates.

IV. References

  OpenSSL 'Heartbleed' vulnerability (Japanese)

*** Update: Revised on April 11, 2014 *********************************
  CERT/CC Vulnerability Note VU#720951
  OpenSSL heartbeat information disclosure

  Information-technology Promotion Agency, Japan (IPA)
  Measures on OpenSSL Vulnerability (CVE-2014-0160) (Japanese)

  National Police Agency @Police
  Increase in Network Access Targeting Vulnerability of OpenSSL (Japanese)

  If you have any information regarding this alert, please contact

Revision History
2014-04-08 First edition
2014-04-11 Updated "I. Overview", "II. Affected Products",
           "III. Solution" and "IV. References"

JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600  FAX: +81-3-3518-4602