Cisco Bug: CSCuo30098 - Openflow Agent is vulnerable to CVE-2014-0160 - aka Heartbleed

Last Modified

Dec 13, 2019

Products (1)

  • Cisco Plug-in for OpenFlow

Known Affected Releases

2.0(0)

Description (partial)

Symptom:
The Cisco Plug-in for OpenFlow Agent includes a version of OpenSSL that is affected by the vulnerability identified by the Common Vulnerabilities and Exposures (CVE) ID CVE-2014-0160.

The Cisco Plug-in for OpenFlow Agent may expose up to 64KB of internal memory when it is connected to a malicious controller that exploits the "Heartbleed" vulnerability in OpenSSL by sending a specially crafted Heartbeat Extension Request message.

Conditions:
The malicious entity must be able to impersonate the trusted controller, including providing suitable authentication credentials that validate correctly during the TLS handshake. Because the OpenFlow Agent acts only as a TLS client and initiates the connection, the malicious Heartbeat request can be sent only after the server has successfully authenticated itself. This restricted use of TLS greatly reduces the exposure of the OpenFlow Agent to this vulnerability.
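
The memory exposure described above comes from trusting the sender-supplied 16-bit payload_length field of a Heartbeat message (RFC 6520) over the length of the record actually received. The following C function is an added example, not Cisco's or OpenSSL's code, showing the bounds check a receiver has to apply before echoing a payload; the names hb_validate and hb_verdict are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* RFC 6520 heartbeat message, carried inside one TLS record:
 *   type (1 byte) | payload_length (2 bytes, big-endian) |
 *   payload (payload_length bytes) | padding (at least 16 bytes)
 */
#define HB_REQUEST      1
#define HB_RESPONSE     2
#define HB_HEADER_LEN   3
#define HB_MIN_PADDING  16

enum hb_verdict { HB_OK = 0, HB_TOO_SHORT, HB_BAD_TYPE, HB_LENGTH_MISMATCH };

/* Validate a received heartbeat message before any byte of it is echoed.
 * rec / rec_len: decrypted record body and the length the record layer
 * actually delivered. On HB_OK, *payload and *payload_len describe the
 * only bytes that may be copied into a response. */
enum hb_verdict hb_validate(const uint8_t *rec, size_t rec_len,
                            const uint8_t **payload, size_t *payload_len)
{
    /* A record too small for header plus minimum padding is discarded. */
    if (rec == NULL || rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return HB_TOO_SHORT;
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return HB_BAD_TYPE;

    /* Sender-controlled field: at most 65535, hence "up to 64KB". */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The claimed payload, header and minimum padding must all fit in
     * what was really received. rec_len >= 19 here, so no underflow. */
    if (claimed > rec_len - HB_HEADER_LEN - HB_MIN_PADDING)
        return HB_LENGTH_MISMATCH;

    *payload = rec + HB_HEADER_LEN;
    *payload_len = claimed;
    return HB_OK;
}
```

A message that fails this check is dropped without a response, which is the behaviour RFC 6520 requires for an oversized payload_length.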