A recently-discovered bug in OpenSSL’s implementation of the TLS Heartbeat Extension makes it possible for malicious attackers to potentially recover the private keys and sensitive data that should normally be secured by SSL/TLS. The vulnerability has been recorded as CVE-2014-0160.
The purpose of this note is not to gloat over a competing projects problems, as some others have done, but rather to inform our user base. The OpenSSL team and their supporters have done a good job on getting the bug fixed as well as informing their users. We want to be the first to note that secure coding is not for the faint of heart, because it is a specialized expertise. Building cryptography and the protocols on top of it is a difficult expertise to practice.
We want to assure our users and customers that CyaSSL and wolfSSL products are NOT affected by the Heartbleed bug in any way. We are a clean room implementation of SSL/TLS, and did not employ any of OpenSSL`s code base, which many others have done. We should also note that the bug is not a protocol level bug that effects all SSL/TLS implementations. This was a bug specific to OpenSSL’s implementation of the TLS Heartbeat Extension. This bug existed in OpenSSL for over two years, with vulnerable versions including OpenSSL 1.0.1 – 1.0.1f (inclusive).
Interested parties can learn more about this bug in OpenSSL at the following links:
http://heartbleed.com/
https://www.openssl.org/news/secadv_20140407.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
For additional information or questions about CyaSSL, please contact us at facts@wolfssl.com.