Cisco Bug: CSCuo30098 - Openflow Agent is vulnerable to CVE-2014-0160 - aka Heartbleed
Dec 13, 2019
- Cisco Plug-in for OpenFlow
Known Affected Releases
Symptom: The Cisco Plug-in for OpenFlow Agent includes a version of OpenSSL that is affected by the vulnerability identified by the Common Vulnerabilities and Exposures (CVE) ID CVE-2014-0160. The Cisco Plug-in for OpenFlow Agent may expose up to 64KB of internal memory when connected to a malicious controller that makes use of the "heartbleed" vulnerability in OpenSSL, by sending a specially crafted Heartbeat Extension Request message.

Conditions: The malicious entity must be able to impersonate the trusted controller, including providing suitable authentication credentials that validate correctly during the TLS Handshake. The OpenFlow Agent acts only as a TLS client and initiates the connection, so the malicious Heartbeat request can only be sent after the server has successfully authenticated itself. This restricted use of TLS greatly reduces the exposure of the OpenFlow Agent to this vulnerability.