Understanding the Heartbleed Vulnerability
What is the Heartbleed vulnerability?
The Heartbleed vulnerability is a coding error (a missing bounds check) in the OpenSSL library's implementation of the TLS heartbeat extension. Without any privileged information or credentials, an attacker can copy keys and certificates from impacted web servers by abusing that extension.
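To make the coding error concrete, here is an added C example (written for this page, not OpenSSL's source) of a heartbeat-request handler that includes the length check missing from the affected versions. A heartbeat record, per RFC 6520, is a 1-byte type, a 2-byte big-endian payload_length, the payload, and at least 16 bytes of padding; the affected code trusted payload_length and copied that many bytes into the response without checking that they were actually present. The function names (`hb_handle_request`, `hb_overread_bytes`) and the two sample records are assumptions constructed for the example; `hb_overread_bytes` reports how far past the received record an unchecked handler would have read, which is the number a defender inspecting captured heartbeat requests would want to log.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST      1
#define HB_RESPONSE     2
#define HB_HEADER_LEN   3    /* 1-byte type + 2-byte big-endian payload_length */
#define HB_MIN_PADDING  16   /* RFC 6520 requires at least 16 bytes of padding */

/* Read the sender-supplied payload_length field (big-endian). */
static size_t hb_claimed_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Bytes an unchecked handler would copy from beyond the record it received:
 * the claimed payload length minus the bytes actually present after the
 * header. 0 means the record is self-consistent. Useful as a log field when
 * inspecting captured heartbeat requests. */
size_t hb_overread_bytes(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER_LEN) return 0;
    size_t claimed = hb_claimed_len(rec);
    size_t present = rec_len - HB_HEADER_LEN;
    return claimed > present ? claimed - present : 0;
}

/* Hardened request handler: writes a heartbeat response into out and returns
 * its length, or -1 if the record must be silently discarded. The length
 * check before the memcpy is the one missing in OpenSSL 1.0.1 to 1.0.1f. */
int hb_handle_request(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER_LEN) return -1;
    if (rec[0] != HB_REQUEST) return -1;
    size_t claimed = hb_claimed_len(rec);
    /* The fix: header + claimed payload + minimum padding must fit in what arrived. */
    if (HB_HEADER_LEN + claimed + HB_MIN_PADDING > rec_len) return -1;
    size_t resp_len = HB_HEADER_LEN + claimed + HB_MIN_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, claimed); /* now bounded */
    memset(out + HB_HEADER_LEN + claimed, 0, HB_MIN_PADDING); /* padding (real code uses random bytes) */
    return (int)resp_len;
}

/* Constructed sample records (not captured traffic). */
/* Well-formed: type 1, payload_length 4, payload "ping", 16 bytes of padding. */
static const uint8_t good_rec[] = {
    HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
};
/* Malformed: same body, but payload_length claims 0xFFFF (65535) bytes. */
static const uint8_t bad_rec[] = {
    HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
};

/* Wrappers over the sample records so the results can be checked by name. */
int demo_good_response_len(void) {
    uint8_t out[64];
    return hb_handle_request(good_rec, sizeof good_rec, out, sizeof out);
}
int demo_bad_response_len(void) {
    uint8_t out[64];
    return hb_handle_request(bad_rec, sizeof bad_rec, out, sizeof out);
}

int main(void) {
    printf("good record: response length %d, over-read %zu bytes\n",
           demo_good_response_len(), hb_overread_bytes(good_rec, sizeof good_rec));
    printf("bad record:  response length %d, over-read %zu bytes\n",
           demo_bad_response_len(), hb_overread_bytes(bad_rec, sizeof bad_rec));
    return 0;
}
```

The well-formed record is answered with a 23-byte response; the malformed one is dropped, where the unchecked code would have copied 65,515 bytes of whatever followed the record in process memory into the reply. Rejecting silently rather than alerting the peer mirrors the shipped fix and avoids turning the check into an oracle.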
What is the impact?
Over 66% of the world’s websites run Apache or NGINX with OpenSSL as the default. This figure does not include web servers behind firewalls. Any attacker can copy the keys and certificates from any of the impacted web servers without any trace.
OpenSSL is not used only on web servers. The Heartbleed vulnerability also affects email servers, chat servers, VPNs, network appliances and client software.
What versions of OpenSSL does the Heartbleed vulnerability affect?
All software utilizing OpenSSL library versions 1.0.1 through 1.0.1f is susceptible to the Heartbleed vulnerability.
How long has the Heartbleed vulnerability been in the wild?
The Heartbleed vulnerability has been in the wild since 2011, when it was introduced in version 1.0.1.