312-50V9 · Question #335
Which of the following is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TL
The correct answer is A. Heartbleed Bug. Heartbleed is a critical flaw in OpenSSL's heartbeat extension that lets attackers read server memory and steal data protected by SSL/TLS encryption.
Question
Which of the following is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.
Options
- AHeartbleed Bug
- BPOODLE
- CSSL/TLS Renegotiation Vulnerability
- DShellshock
How the community answered
(47 responses)- A87% (41)
- B9% (4)
- C2% (1)
- D2% (1)
Why each option
Heartbleed is a critical flaw in OpenSSL's heartbeat extension that lets attackers read server memory and steal data protected by SSL/TLS encryption.
The Heartbleed Bug (CVE-2014-0160) is a vulnerability in OpenSSL's implementation of the TLS/DTLS heartbeat extension that allows an attacker to read up to 64KB of arbitrary server memory per request. This exposes private keys, session tokens, and plaintext credentials without authentication or any trace in server logs.
POODLE (Padding Oracle On Downgraded Legacy Encryption) exploits a weakness in SSL 3.0 CBC padding to decrypt ciphertext, which is a protocol-level attack unrelated to the OpenSSL heartbeat implementation.
The SSL/TLS Renegotiation Vulnerability (CVE-2009-3555) allows attackers to inject plaintext into an established encrypted session during renegotiation, which is a separate protocol flaw with no connection to OpenSSL's heartbeat extension.
Shellshock (CVE-2014-6271) is a remote code execution vulnerability in the GNU Bash shell that allows arbitrary command injection via environment variables, and is not related to OpenSSL or cryptographic libraries.
Concept tested: Heartbleed OpenSSL heartbeat vulnerability identification
Source: https://nvd.nist.gov/vuln/detail/CVE-2014-0160
Topics
Community Discussion
No community discussion yet for this question.