By Eric P. Maurice-Oracle on Apr 18, 2014
Hi, this is Eric Maurice.
Oracle just released Security Alert CVE-2014-0160 to address the publicly disclosed ‘Heartbleed’ vulnerability which affects a number of versions of the OpenSSL library. Due to the severity of this vulnerability, and the fact that active exploitation of this vulnerability is reported “in the wild,” Oracle recommends that customers of affected Oracle products apply the necessary patches as soon as they are released by Oracle.
The CVSS Base Score for this vulnerability is 5.0. This relative low score denotes the difficulty in coming up with a system that can rate the severity of all types of vulnerabilities, including the ones that constitute blended threat.
It is easy to exploit vulnerability CVE-2014-0160 with relative impunity as it is remotely exploitable without authentication over the Internet. However a successful exploit can only result in compromising the confidentiality of some of the data contained in the targeted systems. An active exploitation of the bug allows the malicious perpetrator to read the memory of the targeted system on which resides the vulnerable versions of the OpenSSL library. The vulnerability, on its own, does not allow a compromise of the availability (e.g., denial of service attack) or integrity of the targeted system (e.g., deletion of sensitive log files).
Unfortunately, this vulnerability is very serious in that it is contained into a widely used security package, which enables the use of SSL/TLS, and the compromise of that memory can have serious follow-on consequences. According to http://heartbleed.com the compromised data may contain passwords, private keys, and other sensitive information. In some instances, this information could be used by a malicious perpetrator to decrypt private information that was sent months or years ago, or log into systems with stolen identity. As a result, this vulnerability creates very significant risks including unauthorized access to systems with full user rights.
For more information:
The Advisory for Security Alert CVE-2014-0160 is located at http://www.oracle.com/technetwork/topics/security/alert-cve-2014-0160-2190703.html
The ‘OpenSSL Security Bug - Heartbleed / CVE-2014-0160’ page on OTN is located at http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html
The ‘Heartbleed’ web site is located at http://www.heartbleed.com. Note that this site is not affiliated with Oracle.