Mitigations for OpenSSL TLS/DTLS Heartbeat Extension Vulnerability

A serious vulnerability (CVE-2014-0160) exists in OpenSSL's implementation of the TLS/DTLS heartbeat extension. Exploitation of this vulnerability results in a leak of memory contents. Such exploitation may compromise encryption keys, authentication keys, user credentials, and other data from TLS/DTLS clients and servers. The affected versions of OpenSSL software are versions 1.0.1 through 1.0.1f. Versions prior to 1.0.1 are unaffected, and versions 1.0.1g and later have implemented a fix for the vulnerability.

Mitigation Actions:

Upgrade affected TLS/DTLS clients and servers to OpenSSL version 1.0.1g. Alternatively, affected versions of OpenSSL may be recompiled with the option "-DOPENSSL_NO_HEARTBEATS".

Numerous operating systems and client and server software incorporate OpenSSL. If you use TLS/DTLS you may be vulnerable, depending on whether OpenSSL is used within the software and on the version of OpenSSL used. Contact your software vendor to determine whether your software is vulnerable and, if so, for an update that fixes the vulnerability.

For any systems that are affected by this vulnerability, use TLS/DTLS, and have exposure to Internet connectivity for potential exploitation of this vulnerability, revoke and reissue certificates and other credentials utilized on those systems after applying the update.

Contact Information

Industry Inquiries: 410-854-6091
USG/IC Client Advocates: 410-854-4790
DoD/Military/COCOM Client Advocates: 410-854-4200
General Inquiries: niasc@nsa.gov

Confidence in Cyberspace
April 2014
MIT-007FS-2014
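To turn the mitigation guidance above into an inventory check, the following triage script is added here as an example; it is not NSA's or the OpenSSL project's code. It assumes the usual `openssl version` banner format (`OpenSSL 1.0.1e 11 Feb 2013`) and that a build configured with -DOPENSSL_NO_HEARTBEATS echoes that flag in its `openssl version -f` compiler line; the sample banners are constructed.

```shell
#!/bin/sh
# Triage helper for CVE-2014-0160 (Heartbleed), written for this page (not NSA code).
# Classifies an `openssl version` banner against the advisory's range (1.0.1-1.0.1f
# affected, <1.0.1 unaffected, 1.0.1g+ fixed) and checks an `openssl version -f`
# compiler line for -DOPENSSL_NO_HEARTBEATS. Caveat: vendor backports often keep the
# old version string, so "affected" means "verify with your vendor", as advised above.

# Extract the bare version token, e.g. "1.0.1e" from "OpenSSL 1.0.1e 11 Feb 2013".
openssl_version_token() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Print one of: affected, fixed, unaffected, unknown.
heartbleed_version_status() {
    ver=$(openssl_version_token "$1")
    case "$ver" in
        '')                                      echo unknown ;;
        1.0.1|1.0.1[a-f])                        echo affected ;;   # 1.0.1 .. 1.0.1f
        1.0.1[g-z]*|1.0.[2-9]*|1.[1-9]*|[2-9].*) echo fixed ;;      # 1.0.1g and later
        0.*|1.0.0*)                              echo unaffected ;; # before 1.0.1
        *)                                       echo unknown ;;
    esac
}

# True (exit 0) when the compiler line from `openssl version -f` carries the
# -DOPENSSL_NO_HEARTBEATS option. Assumption: the flag reaches CFLAGS on that build.
built_without_heartbeats() {
    case "$1" in
        *-DOPENSSL_NO_HEARTBEATS*) return 0 ;;
        *)                         return 1 ;;
    esac
}

# Combine both signals: an affected version built without heartbeats is reported
# as mitigated-by-build; otherwise the version verdict stands.
heartbleed_triage() {
    status=$(heartbleed_version_status "$1")
    if [ "$status" = affected ] && built_without_heartbeats "$2"; then
        echo mitigated-by-build
    else
        echo "$status"
    fi
}

# Constructed sample banners (not captured from real hosts) for a quick run.
for banner in 'OpenSSL 0.9.8y 5 Feb 2013' 'OpenSSL 1.0.1e 11 Feb 2013' \
              'OpenSSL 1.0.1g 7 Apr 2014' 'OpenSSL 1.0.2k-fips 26 Jan 2017'; do
    printf '%-34s -> %s\n' "$banner" "$(heartbleed_version_status "$banner")"
done
```

On a real host, feed it `"$(openssl version)"` and `"$(openssl version -f)"`; any "affected" result still needs the vendor confirmation the advisory calls for, since backported fixes do not change the version string.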