Cloud FoundryCFOUNDRY:51A1D2F1D196381CC46CAE44EB5F5940CVE-2014-0160 Heartbleed | Cloud Foundry
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.975 High
EPSS
Percentile
100.0%
CVE-2014-0160 Heartbleed
Critical
Vendor
Versions Affected
- 1.0.1 through 1.0.1f
Description
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
Affected VMware Products and Versions
_Severity is critical unless otherwise noted.
_
- vFabric Web Server 5.0.x, 5.1.x, 5.2.x, 5.3.x
- vFabric GemFire Native Client 7.0.0.X, 7.0.1.X
- VMware GemFire Native Client 7.0.2.X
- VMware Command Center 2.0.x, 2.1.x
- VMware App Suite Virtual Appliance 1.0.1.3
Mitigation
Users of affected versions should apply the following mitigation:
- vFabric Web Server users (all versions) should apply the patch including version 1.0.1g of OpenSSL per the instructions posted here as soon as possible.
- GemFire Native Client 7.0.X users should immediately upgrade to OpenSSL 1.0.1g or later or recompile their existing OpenSSL 1.0.1 installations with the –DOPENSSL_NO_HEARTBEATS option. See CVE-2014-0160-GemFire-Native-Client for more information.
- Please see this doc for VMware Command Center.
- VMware App Suite Virtual Appliance 1.0.1.3 users should upgrade to version 1.0.1.5 as soon as possible.
Credit
This bug was independently discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and Neel Mehta of Google Security, who first reported it to the OpenSSL team. The Codenomicon team found the Heartbleed bug while improving the SafeGuard feature in Codenomicon’s Defensics security testing tools and reported this bug to the NCSC-FI for vulnerability coordination and reporting to the OpenSSL team.
References
- <https://vulners.com/cve/CVE-2014-0160>
- <http://www.openssl.org/news/vulnerabilities.html>
- <http://www.kb.cert.org/vuls/id/720951>
- <http://heartbleed.com/>
- <https://access.redhat.com/site/solutions/781793>
History
2014-Apr-7: Initial vulnerability report published.
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.975 High
EPSS
Percentile
100.0%