A vulnerability exists in outdated versions of OpenSSL which allows an attacker to cause the server to disclose up to 64kb of server memory contents. This can result in secret keys, authentication tokens, usernames and passwords being compromised, which in turn can allow an attacker to impersonate users and decrypt data transferred between a user and the server.

It can also allow an attacker to decrypt data that was sent to a user in the past, not only data that is currently being sent to the user (such as data captured during a man-in-the-middle attack).

The issue is with the heartbeat extension to TLS/DTLS. It allows an attacker to steal memory contents from web servers, but it also allows malicious web servers to steal data from the memory of connecting users (the client side)! A site which has previously been vulnerable to this issue should revoke the digital certificate in use at the time and reissue a new one with new keys.

Where possible, update the version of OpenSSL in use. If updating is not possible, an alternative is to recompile the OpenSSL installation with the compile-time option that removes the heartbeat functionality: -DOPENSSL_NO_HEARTBEATS.

OpenSSL versions 1.0.1 to 1.0.1f (inclusive) are vulnerable.
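As an added example (not part of the original advisory), the following Python triages an inventory of `openssl version` banners against the affected range stated above, 1.0.1 through 1.0.1f inclusive. The hostnames and banners in the sample inventory are constructed for illustration.

```python
import re

# Affected range from the advisory: OpenSSL 1.0.1 through 1.0.1f inclusive.
# OpenSSL 1.x orders releases as 1.0.1 < 1.0.1a < ... < 1.0.1f < 1.0.1g, so a
# tuple (major, minor, fix, patch_letter) compares correctly: the empty letter
# of the base release sorts before "a".
VULN_FIRST = (1, 0, 1, "")
VULN_LAST = (1, 0, 1, "f")

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Parse an `openssl version` banner such as 'OpenSSL 1.0.1e-fips 11 Feb 2013'
    into a comparable (major, minor, fix, patch_letter) tuple."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("unrecognised OpenSSL version banner: %r" % (banner,))
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def is_in_vulnerable_range(banner):
    """True when the banner's version falls inside 1.0.1 .. 1.0.1f inclusive."""
    return VULN_FIRST <= parse_openssl_version(banner) <= VULN_LAST


def triage(inventory):
    """inventory maps hostname -> banner; returns the sorted hostnames to patch
    (or rebuild with -DOPENSSL_NO_HEARTBEATS) and whose certificates to reissue."""
    return sorted(host for host, banner in inventory.items()
                  if is_in_vulnerable_range(banner))


# Constructed sample inventory: hostnames and banners are made up for this example.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "db-01": "OpenSSL 1.0.0k 5 Feb 2013",
    "lb-01": "OpenSSL 1.0.1 14 Mar 2012",
    "mail-01": "OpenSSL 0.9.8y 5 Feb 2013",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("%-8s %s" % (host, SAMPLE_INVENTORY[host]))
```

The version string alone is only a first pass: distributions that backport fixes keep the upstream version number (a patched package can still report 1.0.1e), so confirm against the package changelog or vendor advisory before closing a finding.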