OpenSSL Heartbleed
Severity: Critical
Summary #
Invicti identified the OpenSSL Heartbleed vulnerability in the target web server.
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.
Impact #
An attacker can obtain information such as:
- Private keys.
- Information about the cookies.
- HTTP(S) headers.
- User credentials from the HTTP POST data.
Remediation #
Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
Classifications #
PCI v3.1-6.5.2; PCI v3.2-6.5.2; CAPEC-216; CWE-119; ISO27001-A.14.2.5; OWASP 2013-A6; OWASP 2017-A9
, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
Netsparker Security Insights #
- The Heartbleed Bug: How a Forgotten Bounds Check Broke the Internet
- Exposing the Public IPs of Tor Services Through SSL Certificates
- Final Nail in the Coffin of HTTP: Chrome 68 and SSL/TLS Implementation
- Netsparker's Weekly Security Roundup 2018 – Week 02
- Netsparker Enterprise Updated with New Security Checks and Several Other Service Improvements
Helpful Use Cases #
Vulnerability Index
You can search and find all vulnerabilities
Select Category
OR
Search Vulnerability
Related Vulnerabilities
