
Fix for mac cve-2013-0229


Is this a design flaw in SSL/TLS protocol specification?


Considering the long exposure, ease of exploitation and attacks leaving no trace, this exposure should be taken seriously. However, this bug has left a large amount of private keys and other secrets exposed to the Internet.

What makes the Heartbleed Bug unique?

Bugs in single software or library come and go and are fixed by new versions. When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.

Why is it called the Heartbleed Bug?

The bug is in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520).


Due to coincident discovery, a duplicate CVE, CVE-2014-0346, which was assigned to us, should not be used, since others independently went public with the CVE-2014-0160 identifier. CVE (Common Vulnerabilities and Exposures) is the Standard for Information Security Vulnerability Names maintained by MITRE.


CVE-2014-0160 is the official reference to this bug.