
CVE-2014-0160 Tellabs OLAN and Heartbleed Vulnerability Statement

 

 

Introduction

Document Number

ENG-010404

Response Date

05/01/2014

Recently there has been a lot of news about a new vulnerability in the OpenSSL toolkit.  This Application Note explains why Tellabs Equipment is NOT affected by the Heartbleed vulnerability.

Applies To

This AppNote applies to all Tellabs Optical LAN equipment.

Heartbleed Vulnerability Description

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

Heartbleed Vulnerability Response

The Heartbleed vulnerability is a problem within the OpenSSL toolkit that allows an attacker to reveal up to 64k of RAM on a connected client or server.  The vulnerability ONLY applies to the 1.0.1 and 1.0.2-beta releases of OpenSSL, including 1.0.1f and 1.0.2-beta1. The bug was introduced into the 1.0 code base approximately two years ago.

Tellabs is currently using the 0.9.8 release branch, which is not vulnerable to this security flaw because the flaw was introduced after this code branch.  This version of OpenSSL is still an approved version and has been validated through the FIPS 140-2 certification process.
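The version ranges above can be checked against an inventory of OpenSSL banners. The following is an added example, not Tellabs or OpenSSL code; the function names and the sample banners are constructed for illustration, and a banner check is only a first pass.

```python
import re

# Version token in `openssl version` style banners, e.g.
# "OpenSSL 1.0.1e-fips 11 Feb 2013": numeric base, letter suffix, "-tag"s.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)((?:-[a-z0-9]+)*)", re.I)


def classify(banner):
    """Return 'affected', 'not_affected' or 'unknown' for CVE-2014-0160."""
    m = _VERSION_RE.search(banner)
    if not m:
        return "unknown"
    base = tuple(int(x) for x in m.group(1, 2, 3))
    letter = m.group(4).lower()
    tags = [t.lower() for t in m.group(5).split("-") if t]
    if base == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g has the fix.
        # Comparing (length, letter) keeps "" below "a" and "g" below "za".
        return "affected" if (len(letter), letter) < (1, "g") else "not_affected"
    if base == (1, 0, 2):
        # 1.0.2-beta1 is the beta named in this statement.
        return "affected" if "beta1" in tags else "not_affected"
    # Other branches, including 0.9.8, predate the Heartbeat code.
    return "not_affected"


def audit(banners):
    """Map each banner string to its classification."""
    return {b: classify(b) for b in banners}


# Constructed sample inventory (not taken from any real device).
SAMPLE_BANNERS = [
    "OpenSSL 0.9.8y 5 Feb 2013",
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "OpenSSL 1.0.1f 6 Jan 2014",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "banner missing",
]

if __name__ == "__main__":
    for banner, verdict in audit(SAMPLE_BANNERS).items():
        print(f"{verdict:13} {banner}")
```

A version string alone can mislead in both directions: distributions may backport the fix without changing the version letter, and builds compiled with -DOPENSSL_NO_HEARTBEATS are not exposed even in the affected range.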

Summary

Tellabs OLAN products are not vulnerable to the Heartbleed OpenSSL vulnerability and can continue to be used without modification.


 

 
