312-50V10 · Question #117
Which of the following is a serious vulnerability in the popular OpenSSL cryptographic software library? This weakness allows stealing the information protected, under normal conditions, by the SSL/TL
The correct answer is C. Heartbleed Bug. Heartbleed is a critical buffer over-read vulnerability in OpenSSL's TLS heartbeat extension that allowed attackers to read server memory and steal sensitive data including private keys and passwords.
Question
Which of the following is a serious vulnerability in the popular OpenSSL cryptographic software library? This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.
Options
- ASSL/TLS Renegotiation Vulnerability
- BShellshock
- CHeartbleed Bug
- DPOODLE
How the community answered
(36 responses)- A3% (1)
- B3% (1)
- C94% (34)
Why each option
Heartbleed is a critical buffer over-read vulnerability in OpenSSL's TLS heartbeat extension that allowed attackers to read server memory and steal sensitive data including private keys and passwords.
The SSL/TLS Renegotiation Vulnerability (CVE-2009-3555) is a different OpenSSL flaw that allows attackers to inject plaintext into renegotiated sessions, not steal memory contents.
Shellshock is a vulnerability in the GNU Bash shell that allows arbitrary command execution via crafted environment variables, and is unrelated to the OpenSSL library.
The Heartbleed Bug (CVE-2014-0160) is a flaw in OpenSSL's implementation of the TLS/DTLS heartbeat extension. A malformed heartbeat request could trick a vulnerable server into returning up to 64KB of its own memory, exposing private keys, session tokens, passwords, and other protected data without any authentication required.
POODLE (Padding Oracle On Downgraded Legacy Encryption) targets the SSL 3.0 protocol's CBC padding scheme and is not a flaw within the OpenSSL library's heartbeat implementation.
Concept tested: Heartbleed OpenSSL heartbeat extension vulnerability
Source: https://nvd.nist.gov/vuln/detail/CVE-2014-0160
Topics
Community Discussion
No community discussion yet for this question.