
[Vulnerability notice] CVE-2014-0160: "Heartbleed" vulnerability in OpenSSL

Last Updated: Apr 02, 2018

On April 7, 2014, OpenSSL released a security advisory announcing a critical vulnerability found in OpenSSL 1.0.1 and OpenSSL 1.0.2 Beta1. OpenSSL does not correctly check the lengths of parameters entered by users. Attackers can exploit this vulnerability to remotely read 64 KB of data from the memory of the vulnerable OpenSSL server with every heartbeat, thereby obtaining private information such as user names, passwords, personal information, and server credentials.

See the following for more information about the vulnerability.


CVE identifier

CVE-2014-0160

Vulnerability name

OpenSSL “Heartbleed” vulnerability

Vulnerability rating

High

Vulnerability description

The OpenSSL “Heartbleed” vulnerability allows attackers to read up to 64 KB of data from memory with every heartbeat, resulting in information leakage.

Attackers can exploit the vulnerability to obtain sensitive data, including sessions, cookies, and account passwords.

How to fix or mitigate

  1. Upgrade OpenSSL on the ECS instance.

  2. Restart Web services. Run the following commands to restart Apache, Nginx, and Httpd:

      /etc/init.d/apache2 restart
      /etc/init.d/nginx restart
      /etc/init.d/httpd restart

  3. Run the following command to view services related to the OpenSSL library and restart them:

      lsof | grep libssl | awk '{print $1}' | sort | uniq
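
A process that loaded libssl before the upgrade keeps the old library mapped in memory until it is restarted, which is why step 3 matters. The shell functions below are an added example, not part of the original notice: they read /proc/PID/maps and mark processes whose libssl mapping is flagged "(deleted)", meaning the file was replaced on disk. The function names, the optional proc-root argument and the sample process tree are constructed for illustration.

```shell
#!/bin/sh
# Added example. Lists processes that map libssl and marks those still using
# a copy that the upgrade replaced on disk ("(deleted)" in /proc/PID/maps).
# The optional proc-root argument exists so the constructed sample can be used.

libssl_procs() {
    proc_root="${1:-/proc}"
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/maps" ] || continue
        # Skip processes that do not map libssl at all.
        grep -q 'libssl' "$dir/maps" 2>/dev/null || continue
        pid="${dir##*/}"
        name="$(cat "$dir/comm" 2>/dev/null || echo unknown)"
        if grep 'libssl' "$dir/maps" 2>/dev/null | grep -q '(deleted)'; then
            state="STALE"      # old library still in memory: restart needed
        else
            state="current"    # maps the file that is on disk now
        fi
        printf '%s\t%s\t%s\n' "$state" "$pid" "$name"
    done
}

# Unique names of the processes that still need a restart.
stale_libssl_services() {
    libssl_procs "${1:-/proc}" | awk -F'\t' '$1 == "STALE" {print $3}' | sort -u
}

# Constructed sample /proc tree (not real data): nginx holds a replaced
# libssl, httpd was already restarted, cron does not use libssl.
make_sample_proc() {
    root="$(mktemp -d)"
    mkdir -p "$root/101" "$root/202" "$root/303"
    echo nginx > "$root/101/comm"
    echo '7f10a000-7f10f000 r-xp 00000000 08:01 11 /usr/lib/libssl.so.1.0.0 (deleted)' > "$root/101/maps"
    echo httpd > "$root/202/comm"
    echo '7f20a000-7f20f000 r-xp 00000000 08:01 12 /usr/lib/libssl.so.1.0.0' > "$root/202/maps"
    echo cron > "$root/303/comm"
    echo '7f30a000-7f30f000 r-xp 00000000 08:01 13 /usr/lib/libc.so.6' > "$root/303/maps"
    echo "$root"
}

sample="$(make_sample_proc)"
libssl_procs "$sample"
rm -rf "$sample"
```

On a real host, run `stale_libssl_services` as root with no argument; an empty result after the restarts in steps 2 and 3 means no process is still holding the pre-upgrade library.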