What is the Heartbleed bug, CVE-2014-0160?

cve-2014-0160

A bug named Heartbleed has been recently discovered which is a serious encryption flaw and can be exploited to steal private data of users.

It is said to affect almost two-thirds of web servers and can be considered nothing short of catastrophic from a security perspective. According to the stats provided by Netcraft, the Apache and Nginx web server software, which uses OpenSSL, together hold an active market share of over 66%. However, not all of these servers are running the vulnerable version of the cryptographic software.

What exactly is the Heartbleed bug?

Websites use encryption to protect their data, usually in the form of SSL certificates. OpenSSL is the open source cryptographic library that millions of websites rely on. When you see a padlock in your browser you assume the website is secure, but given this vulnerability that may not have been the case, for up to two years into the past.

The Heartbleed bug is a vulnerability in the OpenSSL 1.0.1 series, in its heartbeat functionality (which is now being exploited). CVE-2014-0160 is the official reference for this bug. CVE (Common Vulnerabilities and Exposures) is the standard for information security vulnerability names.

Technically speaking, the bug is in OpenSSL's implementation of the heartbeat extension of the TLS/DTLS (Transport Layer Security / Datagram TLS) protocols. It is not a design flaw but an implementation problem.
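
To make the implementation problem concrete, here is an added example (not code from the original post, from eUKhost, or from OpenSSL) that models the heartbeat record handling in Python. The record layout follows RFC 6520 (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding); the buffer contents, the "stale memory" bytes and the function names `heartbeat_unchecked`, `heartbeat_checked` and `record_with_claimed_length` are constructed for illustration. The unchecked handler trusts the length field sent by the peer, which is the bug; the checked handler applies the bounds check that OpenSSL 1.0.1g added and discards any record whose claimed length does not fit in what was actually received.

```python
"""Toy model of the OpenSSL heartbeat bounds check that 1.0.1g added.

Record layout per RFC 6520: 1-byte type, 2-byte payload_length, payload,
then at least 16 bytes of padding. MEMORY below is a constructed stand-in
for process memory: the received record occupies its first RECORD_LENGTH
bytes and everything after that is unrelated data that must never be
echoed back to the peer.
"""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16
HEADER_LENGTH = 1 + 2  # type byte plus 16-bit payload_length

# Constructed sample request: payload "hello" (5 bytes) plus 16 bytes of padding.
RECORD = bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 5) + b"hello" + b"\x00" * MIN_PADDING
RECORD_LENGTH = len(RECORD)  # 24 bytes: what the TLS record layer actually received

# Constructed stand-in for stale heap data left over from earlier connections.
STALE_MEMORY = b"session-cookie=abc123;" + b"\x00" * 40
MEMORY = RECORD + STALE_MEMORY


def record_with_claimed_length(claimed: int) -> bytes:
    """The same 24-byte record with the payload_length field overstated.

    Used only as a test input for the validator: the bytes received are still
    RECORD_LENGTH long, only the 16-bit length field changes."""
    return bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", claimed) + RECORD[HEADER_LENGTH:]


def heartbeat_unchecked(memory: bytes, record_length: int) -> bytes:
    """Behaviour before 1.0.1g: copies payload_length bytes from the buffer
    without comparing it to record_length, so an overstated field reads past
    the record into whatever lies next in memory."""
    hb_type = memory[0]
    (payload_length,) = struct.unpack("!H", memory[1:HEADER_LENGTH])
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    # record_length is deliberately ignored here: that omission is the bug.
    payload = memory[HEADER_LENGTH:HEADER_LENGTH + payload_length]
    return bytes([HEARTBEAT_RESPONSE]) + memory[1:HEADER_LENGTH] + payload


def heartbeat_checked(memory: bytes, record_length: int) -> Optional[bytes]:
    """Behaviour from 1.0.1g on: reject records too short to hold a header and
    minimum padding, and discard any record whose claimed payload plus header
    and padding exceeds the bytes actually received."""
    if record_length < HEADER_LENGTH + MIN_PADDING:
        return None
    hb_type = memory[0]
    (payload_length,) = struct.unpack("!H", memory[1:HEADER_LENGTH])
    if HEADER_LENGTH + payload_length + MIN_PADDING > record_length:
        return None  # silently discard, as the fix does
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    payload = memory[HEADER_LENGTH:HEADER_LENGTH + payload_length]
    return bytes([HEARTBEAT_RESPONSE]) + memory[1:HEADER_LENGTH] + payload


def leaks_stale_data(response: Optional[bytes]) -> bool:
    """True if a response echoes bytes that were never part of the request."""
    return response is not None and b"session-cookie" in response


if __name__ == "__main__":
    print("honest request, checked handler:", heartbeat_checked(MEMORY, RECORD_LENGTH))
    overstated = record_with_claimed_length(60) + STALE_MEMORY
    print("overstated length, unchecked handler leaks stale data:",
          leaks_stale_data(heartbeat_unchecked(overstated, RECORD_LENGTH)))
    print("overstated length, checked handler:", heartbeat_checked(overstated, RECORD_LENGTH))
```

The only difference between the two handlers is the single comparison against `record_length`; that is the whole of the 1.0.1g fix, which is why the post is right to call this an implementation problem rather than a protocol design flaw.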

How can we protect ourselves?

OpenSSL’s security advisory states that only versions 1.0.1 and 1.0.2-beta are affected, including 1.0.1f and 1.0.2-beta1. The vulnerability has been fixed in OpenSSL 1.0.1g, and users who are unable to upgrade immediately can disable heartbeat support by recompiling OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag.
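
As an added example (not code from the original post or from eUKhost), the following Python script turns the advisory's affected-version list into a check that can be run on a server: it parses the output of `openssl version` and reports whether the upstream version falls in the affected range (1.0.1 through 1.0.1f, and 1.0.2-beta). The function names `is_heartbleed_vulnerable` and `installed_openssl_version` are this example's own.

```python
"""Classify an `openssl version` string against the CVE-2014-0160 advisory.

Affected per the advisory: the 1.0.1 series up to and including 1.0.1f, and
1.0.2-beta (including 1.0.2-beta1). Fixed in 1.0.1g. Other branches (0.9.8,
1.0.0) are not affected.
"""
import re
import subprocess
from typing import Optional

# Matches e.g. "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d*)?")


def is_heartbleed_vulnerable(version_string: str) -> Optional[bool]:
    """Return True/False for a recognised OpenSSL version string, None if it
    cannot be parsed. Judges the upstream version number only."""
    match = VERSION_RE.search(version_string)
    if match is None:
        return None
    major, minor, patch = (int(match.group(i)) for i in (1, 2, 3))
    letter, beta = match.group(4), match.group(5)
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g and later are fixed.
        return len(letter) <= 1 and letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        # Only the 1.0.2 betas carried the bug; the final 1.0.2 release did not.
        return beta is not None
    return False


def installed_openssl_version() -> Optional[str]:
    """Run `openssl version` on this host; None if the binary is missing."""
    try:
        result = subprocess.run(["openssl", "version"], capture_output=True,
                                text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return result.stdout.strip()


if __name__ == "__main__":
    version = installed_openssl_version()
    if version is None:
        print("openssl binary not found on PATH")
    else:
        verdict = is_heartbleed_vulnerable(version)
        if verdict is None:
            print(f"{version}: unrecognised version string")
        elif verdict:
            print(f"{version}: affected range, upgrade to 1.0.1g or later")
        else:
            print(f"{version}: not in the affected range")
```

Two caveats when reading the verdict. Linux distributions commonly backported the fix while keeping the upstream version string (a patched package can still report 1.0.1e), so an "affected range" result means "check the package changelog", not "definitely exposed". Likewise a build made with `-DOPENSSL_NO_HEARTBEATS` is not visible in the version string; for a definitive answer on a live site, the post's SSL checker or a direct test of the server is the better source.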

Is eUKhost safe from this?

All servers that had the vulnerable version have been patched with the latest release, OpenSSL 1.0.1g.

Customers can use this free SSL Configuration Checker tool to test their websites for the Heartbleed vulnerability.

We would also recommend that you change your billing password and the cPanel/WHM password for better security.

We have made the necessary upgrades to our servers and all cPanel shared hosting servers are safe from this vulnerability. However, Dedicated Server and VPS customers must take immediate action to update to OpenSSL 1.0.1g to fix this.

If you feel your website might be affected and need assistance with fixing this, you can raise a support ticket and one of our senior technicians will apply the patch for you. You can get continuous updates about this and take part in our Heartbleed forum discussion for more information.

Translated from: https://www.eukhost.com/blog/webhosting/what-is-heartbleed-vulnerability-bug-cve-2014-0160/
