OpenSSL Heartbeat, a critical vulnerability

Luxembourg, April 8, 2014 - CIRCL has just released an alert regarding a vulnerability in the OpenSSL software that leaks memory to the connected client or server. In other words, anyone can remotely retrieve sensitive information (i.e. secret keys, passwords, confidential documents) from the memory of the remote servers without leaving any traces.

Sascha Rommelfangen from CIRCL states, “This is a critical vulnerability and you must patch your OpenSSL software as soon as possible. After patching, all sensitive information would still need to be evaluated, more especially private keys and credentials. We recommend at least to regenerate the X.509 key materials.”

OpenSSL is a cryptographic library that enables SSL (Secure Sockets Layer) or TLS (Transport Layer Security) encryption and is widely used in critical web servers. The OpenSSL 1.0.1 and 1.0.2-beta releases are affected by this vulnerability, including 1.0.1f and 1.0.2-beta1. It is important to note that prior versions are not affected by this vulnerability.

To get all major updates and status hour by hour, please refer directly to our website, http://www.circl.lu/pub/tr-21/, and to our Twitter page: [https://twitter.com/circl_lu/status/453476440055775232](https://twitter.com/circl_lu/status/453476440055775232).