Exam CAS-004
Question 194

A company created an external, PHP-based web application for its customers. A security researcher reports that the application has the Heartbleed vulnerability.

Which of the following would BEST resolve and mitigate the issue? (Choose two.)

    Correct Answer: A, F

    The Heartbleed vulnerability is a flaw in certain versions of the OpenSSL library, which makes updating the OpenSSL library to a non-vulnerable version the primary and most direct solution. Additionally, deploying a Web Application Firewall (WAF) signature can help mitigate the risk by detecting and blocking attempts to exploit the Heartbleed vulnerability, providing an additional layer of security until the underlying issue is fully resolved.
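As an added illustration of the "update OpenSSL" remediation (example code written for this page, not part of the exam material or any vendor tool), the check below classifies `openssl version` banners against the Heartbleed-affected range and lists the hosts that need action. The host names and banners are constructed sample data; the affected-range facts are stated in the comments, and the backport caveat in `hosts_needing_review` is the check a practitioner would want before trusting a version string.

```python
import re
from typing import Dict, List

# Reference facts (added here, not from the exam page): the Heartbleed bug
# lived in the TLS heartbeat code of OpenSSL 1.0.1 through 1.0.1f and in
# the 1.0.2-beta1 pre-release; 1.0.1g restored the missing bounds check,
# and the 0.9.8 and 1.0.0 branches never contained the heartbeat code.
VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.IGNORECASE
)


def heartbleed_status(banner: str) -> str:
    """Classify an `openssl version` banner as 'vulnerable', 'fixed',
    'unaffected' or 'unknown' (banner not parseable as OpenSSL)."""
    m = VERSION_RE.search(banner)
    if not m:
        return "unknown"
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4).lower(), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) and 1.0.1a..1.0.1f shipped the bug; 1.0.1g+ fixed it
        return "vulnerable" if letter <= "f" else "fixed"
    if (major, minor, patch) == (1, 0, 2) and beta is not None:
        return "vulnerable" if int(beta) < 2 else "fixed"
    return "unaffected"


def hosts_needing_review(inventory: Dict[str, str]) -> List[str]:
    """Hosts whose banner is in the affected range or could not be parsed.
    Caveat: distributions backport security fixes without bumping the
    upstream version string, so 'vulnerable' here means 'verify against
    the vendor advisory and patch level', not 'confirmed exploitable'."""
    return sorted(h for h, b in inventory.items()
                  if heartbleed_status(b) in ("vulnerable", "unknown"))


# Constructed sample inventory (hypothetical hosts, real-format banners).
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "api-01": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "legacy-01": "OpenSSL 0.9.8y 5 Feb 2013",
    "web-03": "OpenSSL 1.1.1k 25 Mar 2021",
    "bastion": "LibreSSL 2.8.3",
}

if __name__ == "__main__":
    for host, banner in SAMPLE_INVENTORY.items():
        print(f"{host:10} {heartbleed_status(banner):11} {banner}")
    print("needs review:", hosts_needing_review(SAMPLE_INVENTORY))
```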

Discussion
AlenKumar (Options: BF)

B. Fixing the PHP code: The Heartbleed vulnerability is a flaw in the OpenSSL library, which is a widely used open-source implementation of the SSL and TLS protocols. To fix the vulnerability, the PHP code should be updated to use a version of the OpenSSL library that is not vulnerable to Heartbleed. F. Updating the OpenSSL library: In addition to updating the PHP code to use a fixed version of the OpenSSL library, it is important to update the OpenSSL library itself to a version that is not vulnerable to Heartbleed.

Rob69420 (Options: BF)

B.F. Heartbleed, BASH and now POODLE - new SSL vulnerability discovered. Researchers from Google have announced the discovery of another major flaw in Web Security. It has been called POODLE and follows hot on the heels of Bash and Heartbleed. The vulnerability is rooted in SSL v3.

FOURDUE (Options: BF)

Know your code First, managing open source software components is critically important for application security. While using open source components is a practical and fruitful strategy for application developers, those components do have to be managed properly. You have to know which components you’ve used in your applications, and you must be aware of any known vulnerabilities in those components. When new vulnerabilities are published about the software components you’ve used, you need to know right away so you can take action if necessary. (Likewise, you should know the software licenses of those components to ensure you are not using something improperly, but that is not the focus of this article.) A software composition analysis (SCA) solution like Black Duck automates much of this work. https://www.synopsys.com/blogs/software-security/heartbleed-vulnerability-appsec-deep-dive/

ThatGuyOverThere (Options: AF)

https://www.leviathansecurity.com/media/leviathans-mandatory-heartbleed-blog-entry "Now that the vulnerability has become public, IDS vendors have put out signatures to detect overly-large TLS Heartbeat Response packets. Some IPS and WAF implementations will block all incoming TLS Heartbeat requests and close the connection."

Mr_BuCk3th34D (Options: BF)

Without a doubt

Protocol0 (Options: BF)

BF for me. SSL3.0 is deprecated. https://disablessl3.com/

userguy890 (Options: AF)

Read up on the Heartbleed vuln. It has nothing to do with PHP; it's all with OpenSSL. I swear people put the wrong answers to mess with people.

weaponxcel (Options: AF)

I don't think "B. Fixing PHP code" is correct. They are talking about the Heartbleed vulnerability. Heartbleed has nothing to do with PHP. Changing PHP won't do anything. I will go with A and F instead.

BreakOff874 (Options: BF)

B. Fixing the PHP code: The Heartbleed vulnerability is a flaw in the OpenSSL cryptographic software library that can allow an attacker to steal sensitive information such as passwords, usernames, and credit card numbers from the memory of the affected system. To fix the issue, the PHP code needs to be reviewed and fixed to ensure that it is not vulnerable to the Heartbleed bug. F. Updating the OpenSSL library: The Heartbleed vulnerability is a flaw in the OpenSSL cryptographic software library. To fix the issue, the version of OpenSSL used by the web server should be updated to a version that does not have the Heartbleed bug. This will ensure that the web application is not vulnerable to attacks exploiting the Heartbleed bug.

hidady (Options: BF)

BF is the correct answer

23169fd (Options: AF)

F. Updating the OpenSSL library: Reason: The Heartbleed vulnerability is a flaw in certain versions of the OpenSSL library. Updating to a version of OpenSSL that is not affected by this vulnerability (e.g., 1.0.1g or later) directly addresses the issue by removing the vulnerability. Impact: This is the most critical step to ensure that your web server is no longer vulnerable to Heartbleed. A. Deploying a WAF signature: Reason: Deploying a Web Application Firewall (WAF) with a specific signature to detect and block Heartbleed exploitation attempts adds an additional layer of security. This measure helps protect your system from attacks targeting the vulnerability until the underlying issue is fully resolved by updating OpenSSL. Impact: This provides immediate protection against exploitation attempts and helps mitigate the risk until the update can be applied.

23169fd

The Heartbleed vulnerability is related to OpenSSL, not PHP. Changing the PHP code will not address the vulnerability because it exists in the OpenSSL library used by the web server.

6809276 (Options: AF)

WAF and OpenSSL

hb0011 (Options: BF)

The people saying fixing the PHP code won't fix it are wrong. Do not listen to them.

Delab202

Using SSLv3: SSLv3 was created, and, together with the newer TLSv1/1.1/1.2, it is still currently being used to secure the transport layer of the Internet. As it happened for SSLv2, recently Google engineers pointed out that SSLv3 is broken (with an exploitation technique known as POODLE) and should not be used any longer.

32d799a (Options: AF)

F. Updating the OpenSSL library: This is the primary and most direct solution. A. Deploying a WAF (Web Application Firewall) signature: While updating OpenSSL is the primary solution, deploying a WAF that recognizes and blocks Heartbleed attack attempts can serve as a defensive measure.

angryelvis (Options: DF)

I haven't seen any evidence that rewriting an application can avoid the Heartbleed vulnerability. Please post a link if you have one. What I have seen is that F - recompiling/updating the OpenSSL library and D - SSLv3 will remediate Heartbleed. Of course, you're still susceptible to POODLE but the question doesn't care about that.