KB Article #175976

Heartbleed OpenSSL Vulnerability (CVE-2014-0160) not affecting any Messaging (XMS) release

Problem


Package: OpenSSL

CVE ID:  CVE-2014-0160


A vulnerability has been discovered in the TLS/DTLS Heartbeat extension of OpenSSL. An attacker can recover portions of memory from either the client or the server, which may expose sensitive data held in memory, including the private key.


What versions of OpenSSL are affected?


Status of different versions:


OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable

OpenSSL 1.0.1g is NOT vulnerable

OpenSSL 1.0.0 branch is NOT vulnerable

OpenSSL 0.9.8 branch is NOT vulnerable

The bug was introduced into OpenSSL in December 2011 and has been in the wild since the OpenSSL 1.0.1 release on 14 March 2012. OpenSSL 1.0.1g, released on 7 April 2014, fixes the bug.
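As an added example (not part of this KB article), the following Python check classifies `openssl version` output against the version status listed above, so an inventory of hosts can be triaged; the host names and banners in it are constructed.

```python
import re

# Added example, not from the KB article: classify an OpenSSL version string
# against the Heartbleed (CVE-2014-0160) status given above.
# Vulnerable: 1.0.1 through 1.0.1f (inclusive).
# Not vulnerable: 1.0.1g and later, the 1.0.0 branch, the 0.9.8 branch.

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_openssl_version(text):
    """Extract (major, minor, patch, letters) from 'openssl version' output
    such as 'OpenSSL 1.0.1f 6 Jan 2014' or from a bare '0.9.8e'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version number in %r" % text)
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), letters)

def is_heartbleed_vulnerable(text):
    """True when the version falls in 1.0.1 .. 1.0.1f (inclusive).
    The letter suffix orders lexically: '' < 'a' < ... < 'f' < 'g'."""
    major, minor, patch, letters = parse_openssl_version(text)
    if (major, minor, patch) != (1, 0, 1):
        return False  # 0.9.8 and 1.0.0 never carried the bug
    return letters < "g"

def triage(hosts):
    """Map host -> status for a dict of host: 'openssl version' banner.
    Unparseable banners are reported as 'unknown' rather than skipped."""
    result = {}
    for host, banner in hosts.items():
        try:
            vulnerable = is_heartbleed_vulnerable(banner)
        except ValueError:
            result[host] = "unknown"
            continue
        result[host] = "vulnerable" if vulnerable else "not vulnerable"
    return result

# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = {
    "xms-gateway": "OpenSSL 0.9.8e 23 Feb 2007",
    "web-01": "OpenSSL 1.0.1f 6 Jan 2014",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "lb-01": "OpenSSL 1.0.1 14 Mar 2012",
    "legacy": "OpenSSL 1.0.0l 6 Jan 2014",
    "broken": "no openssl found",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print("%-12s %s" % (host, status))
```

A version string alone can mislead: distribution packages that backported the fix keep the upstream 1.0.1e or 1.0.1f string, so a "vulnerable" result on such a host should be confirmed against the package changelog.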


More information on this vulnerability can be found here:


http://heartbleed.com/

https://www.openssl.org/news/secadv_20140407.txt


Resolution

* Messaging (XMS) is not affected at all.
* Messaging uses OpenSSL 0.9.8e, which is not vulnerable.