OpenSSL Heartbleed Vulnerability

Number: AL14-005
Date: 11 April 2014


The purpose of this Alert is to bring attention to a vulnerability in OpenSSL which can be used to expose private data to an attacker.


CCIRC is aware of a recently disclosed vulnerability in the heartbeat extension implementation of the Transport Layer Security (TLS) and Datagram TLS (DTLS) protocols in OpenSSL. This vulnerability could be remotely exploited by attackers, without user interaction, to repeatedly intercept and access secure traffic, resulting in potential exposure of credentials, including passwords, and secret encryption keys. The flaw allows an attacker to retrieve private data from the memory of vulnerable applications in chunks of 64 KB at a time, and it can be exploited repeatedly as required to obtain further private data.

CVE Reference: CVE-2014-0160

Affected versions: OpenSSL versions from 1.0.1 to 1.0.1f and 1.0.2-beta. The vulnerability has been fixed in OpenSSL 1.0.1g, but the 1.0.2-beta has not yet been patched.
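As an added triage aid that is not part of the original Alert, the following Python script classifies an `openssl version` banner against the affected range stated above (1.0.1 through 1.0.1f and 1.0.2-beta affected, 1.0.1g fixed). The `openssl version` banner format is the upstream tool's; the sample banners in the script are constructed.

```python
"""Classify an `openssl version` banner against the Heartbleed-affected range.

Added example for triage; it is not CCIRC's or OpenSSL's code. It encodes the
ranges stated in the alert: OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta are
affected, 1.0.1g is fixed. Older branches (1.0.0, 0.9.8) predate the heartbeat
code and are reported as not affected.
"""
import re
import subprocess

# Matches e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)((?:-[A-Za-z0-9]+)*)")

# Constructed sample banners, not captured from real systems.
SAMPLE_BANNERS = [
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "OpenSSL 0.9.8y 5 Feb 2013",
]


def classify_banner(banner):
    """Return 'affected', 'fixed', 'not_affected' or 'unknown' for a banner.

    'affected' means the upstream version number is in the vulnerable range.
    Vendors backport fixes without bumping that number (the alert lists Red
    Hat's 1.0.1e and Debian's 1.0.1e-2+deb7u5), so an 'affected' result must
    be confirmed against the vendor's package changelog or advisory.
    """
    m = BANNER_RE.search(banner)
    if not m:
        return "unknown"
    version = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, suffix = m.group(4), m.group(5).lower()
    if version == (1, 0, 1):
        # Letter releases sort alphabetically; "" is the initial 1.0.1 release.
        return "affected" if letter <= "f" else "fixed"
    if version == (1, 0, 2):
        # The alert states 1.0.2-beta has not yet been patched.
        return "affected" if "-beta" in suffix else "unknown"
    if version < (1, 0, 1):
        return "not_affected"
    return "unknown"


def classify_local_openssl():
    """Run the local `openssl version` binary and classify its banner."""
    try:
        proc = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return "unknown"
    return classify_banner(proc.stdout)


if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b!r}: {classify_banner(b)}")
    print("local openssl:", classify_local_openssl())
```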

Many vendors have begun to issue patches. Please consult your vendor's website for information addressing this vulnerability. Listed below is a partial list of vendors that have disclosed the vulnerability in their products. For the complete list, please consult the references given below:

Vulnerable Linux and BSD distributions include:

Red Hat Enterprise Linux 6.5 (OpenSSL 1.0.1e)
Debian Wheezy (fixed in version 1.0.1e-2+deb7u5)
Ubuntu 12.04 LTS, 13.04 and 13.10
Gentoo Linux
Slackware 14.0, 14.1 and current
OpenBSD 5.3 and 5.4
FreeBSD, versions 10.x
NetBSD, versions 6.1 - 6.1.3 and 6.0 - 6.0.4
DragonflyBSD 3.6
Mandriva Business Server 1

Software using a vulnerable version of OpenSSL includes:

Cisco AnyConnect Secure Mobility Client for iOS
Cisco Desktop Collaboration Experience DX650
Cisco Unified 7800 series IP Phones
Cisco Unified 8961 IP Phone
Cisco Unified 9951 IP Phone
Cisco Unified 9971 IP Phone
Cisco TelePresence Video Communication Server (VCS)
Cisco IOS XE
Cisco UCS B-Series (Blade) Servers
Cisco UCS C-Series (Stand alone Rack) Servers
Cisco Unified Communication Manager (UCM) 10.0
FortiGate FortiOS 5.0.5 and 5.0.6
Junos OS 13.3R1
Juniper Odyssey client 5.6r5 and newer
Juniper SSL VPN (IVEOS) 7.4r1 and newer
Juniper SSL VPN (IVEOS) 8.0r1 and newer
Juniper UAC 4.4r1 and newer
Juniper UAC 5.0r1 and newer
Juniper Junos Pulse (Desktop) 5.0r1 and newer
Juniper Junos Pulse (Desktop) 4.0r5 and newer
Juniper Network Connect (windows) versions 7.4R5 - 7.4R9.1 & 8.0R1 to 8.0R3.1
Juniper Junos Pulse (Mobile) on Android 4.2R1 and newer
Juniper Junos Pulse (Mobile) on iOS 4.2R1
F5 BIG-IP LTM versions 11.5.0 - 11.5.1
F5 BIG-IP AAM versions 11.5.0 - 11.5.1
F5 BIG-IP AFM versions 11.5.0 - 11.5.1
F5 BIG-IP Analytics versions 11.5.0 - 11.5.1
F5 BIG-IP APM versions 11.5.0 - 11.5.1
F5 BIG-IP ASM versions 11.5.0 - 11.5.1
F5 BIG-IP GTM versions 11.5.0 - 11.5.1
F5 BIG-IP Link Controller 11.5.0 - 11.5.1
F5 BIG-IP PEM versions 11.5.0 - 11.5.1
F5 BIG-IP PSM versions 11.5.0 - 11.5.1
F5 BIG-IP Edge Clients for Apple iOS versions 2.0.0 - 2.0.1 and 1.0.5
F5 BIG-IP Edge Clients for Linux versions 7080 - 7101
F5 BIG-IP Edge Clients for Mac OS X versions 7080 - 7101 and 6035 - 7071
F5 BIG-IP Edge Clients for Windows versions 7080 - 7101 and 6035 - 7071
OpenVPN 2.3-rc2-I001 - 2.3.2-I003
Aruba ArubaOS versions 6.3.x, 6.4.x
Aruba ClearPass versions 6.1.x, 6.2.x, 6.3.x
Viscosity before version 1.4.8
WatchGuard XTM and XCS before version 11.8.3 CSP
Blue Coat Content Analysis System versions -
Blue Coat Malware Analysis Appliance version 1.1.1
Blue Coat ProxyAV versions -
Blue Coat ProxySG versions -
Blue Coat SSL Visibility 3.7.0
Jolla Android 4.1.1

Suggested action

CCIRC recommends that system administrators test and deploy the vendor released updates to affected platforms accordingly.


CCIRC's AV14-017 OpenSSL Vulnerability

US-CERT Alert (TA14-098A) OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)

ICS-CERT Alert on OpenSSL Vulnerability

NCSC-FI Advisory on OpenSSL

CERT-UK Heartbleed Bug

Canadian Anti-Fraud Centre

Public Safety's Get Cyber Safe

The Heartbleed Bug

'Heartbleed' Bug Exposes Passwords, Web Site Encryption Keys

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that CCIRC's PGP key has recently been updated.

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589