Civilizational · Open Source Infrastructure · April 7, 2014 · Draft

OpenSSL Project: CVE-2014-0160 — Heartbleed buffer over-read in OpenSSL TLS heartbeat

A missing bounds check in OpenSSL's implementation of the TLS Heartbeat extension allowed remote attackers to read up to 64KB of process memory per request — exposing private keys, session tokens, and user credentials from any TLS-terminating server using affected OpenSSL versions.

Velocity Governance perspective · Sentinel-10 overlap: 3 of 4

3 of the 4 practices that failed in this incident are part of the Sentinel-10 — the engineering protocols Concordance flags as most degraded under AI-accelerated development.

This incident pre-dates today's AI-velocity surge. The thesis is that the same practices that failed here will fail faster under AI velocity if not actively governed (see the Velocity Governance thesis).

Impact

Affected ~17% of internet-facing TLS web servers at peak · Regulatory action

Required reissuing TLS certificates across most of the public internet. Estimated cost of certificate rotation alone: hundreds of millions. Catalysed the Core Infrastructure Initiative funding model for OSS.

Root cause (from published RCA)

A missing bounds check in the TLS heartbeat extension processing allowed an attacker to specify a payload length larger than the actual data sent. The server would respond with the requested bytes from process memory, including data from prior connections. The vulnerability had existed in the codebase for two years before public disclosure.
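As an added illustration (not OpenSSL's code and not part of this index entry), the following C program models the heartbeat handling described above: a handler that trusts the client-supplied payload_length field beside a handler carrying the length-versus-record check that the fix introduced. The record layout (type, two-byte payload length, payload, at least 16 bytes of padding) follows RFC 6520; the 64-byte memory arena, the "abc" payload and the stale "SESSION=s3cr3t" bytes that model data left over from an earlier connection are constructed for this demonstration.

```c
/* Added example: simplified model of TLS heartbeat request handling, showing
 * the missing length check beside the hardened form. Not OpenSSL's code.
 * Wire layout per RFC 6520: type(1) | payload_length(2, big-endian) | payload | padding(>=16)
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_HEADER_LEN  3   /* type byte + 2-byte payload_length */
#define HB_PADDING_LEN 16  /* minimum padding required by RFC 6520 */

/* Vulnerable model: copies payload_length bytes from the record buffer without
 * comparing that claimed length to record_len, the number of bytes actually
 * received. Returns bytes copied, or -1 if the reply buffer is too small. */
static int hb_reply_unchecked(const uint8_t *rec, size_t record_len,
                              uint8_t *out, size_t out_cap)
{
    (void)record_len; /* the defect: the real record length is never consulted */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (payload_len > out_cap) return -1;           /* only our own buffer is guarded */
    memcpy(out, rec + HB_HEADER_LEN, payload_len);  /* reads past the end of the record */
    return (int)payload_len;
}

/* Hardened model: discards the request unless header + claimed payload +
 * minimum padding fit inside the record that was actually received. */
static int hb_reply_checked(const uint8_t *rec, size_t record_len,
                            uint8_t *out, size_t out_cap)
{
    if (record_len < HB_HEADER_LEN + HB_PADDING_LEN) return -1;   /* too short to be valid */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER_LEN + payload_len + HB_PADDING_LEN > record_len) return -1; /* the fix */
    if (payload_len > out_cap) return -1;
    memcpy(out, rec + HB_HEADER_LEN, payload_len);
    return (int)payload_len;
}

/* Constructed sample: a 64-byte "process memory" arena. The heartbeat record
 * occupies the first 22 bytes (3-byte payload "abc" + 16 zero padding bytes);
 * the bytes after it model stale data from an earlier connection. */
#define ARENA_LEN  64
#define RECORD_LEN (HB_HEADER_LEN + 3 + HB_PADDING_LEN)
#define STALE_DATA "SESSION=s3cr3t"   /* constructed token, 14 bytes */

static void build_arena(uint8_t arena[ARENA_LEN], uint16_t claimed_len)
{
    memset(arena, 0, ARENA_LEN);
    arena[0] = 1;                                  /* heartbeat_request */
    arena[1] = (uint8_t)(claimed_len >> 8);        /* client-supplied payload_length */
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + HB_HEADER_LEN, "abc", 3);       /* the payload actually sent */
    memcpy(arena + RECORD_LEN, STALE_DATA, sizeof STALE_DATA - 1);
}

/* Returns 1 if the unchecked handler echoes the stale token back, 0 otherwise. */
int unchecked_leaks_stale_data(void)
{
    uint8_t arena[ARENA_LEN], out[ARENA_LEN];
    build_arena(arena, 40);                        /* claims 40 bytes; 3 were sent */
    int n = hb_reply_unchecked(arena, RECORD_LEN, out, sizeof out);
    if (n != 40) return 0;
    /* stale bytes begin RECORD_LEN - HB_HEADER_LEN = 19 bytes into the reply */
    return memcmp(out + (RECORD_LEN - HB_HEADER_LEN), STALE_DATA, sizeof STALE_DATA - 1) == 0;
}

/* Same oversized request against the checked handler: -1 means discarded. */
int checked_rejects_oversized(void)
{
    uint8_t arena[ARENA_LEN], out[ARENA_LEN];
    build_arena(arena, 40);
    return hb_reply_checked(arena, RECORD_LEN, out, sizeof out);
}

/* An honest request (claimed length matches the 3-byte payload) is answered. */
int checked_accepts_valid(void)
{
    uint8_t arena[ARENA_LEN], out[ARENA_LEN];
    build_arena(arena, 3);
    return hb_reply_checked(arena, RECORD_LEN, out, sizeof out);
}

int main(void)
{
    printf("unchecked handler leaks stale data: %s\n", unchecked_leaks_stale_data() ? "yes" : "no");
    printf("checked handler, oversized request: %d (-1 = discarded)\n", checked_rejects_oversized());
    printf("checked handler, honest request: %d bytes echoed\n", checked_accepts_valid());
    return 0;
}
```

The over-read in the model stays inside the constructed arena, so the program is well-defined; in a real process the same copy walks into whatever the allocator placed after the record, which is why the advisory's exposure list includes keys and session material from unrelated connections. The check in the hardened handler is the test a reviewer or a bounds-checking SAST rule should have demanded for any length field taken from the peer.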

Concordance protocols that map to this root cause


Protocol 4.3 Test Coverage · Testing
Test coverage: bounds-check coverage on the heartbeat extension was insufficient; the bug existed for 2 years undetected.

Protocol 4.6 Security Analysis · Testing · SENTINEL
Security analysis: SAST tools at the time could detect bounds-check omissions in C, and Heartbleed-class issues were known patterns. Security review did not catch this in the heartbeat patch.

Protocol 3.6 Code Ownership · Development · SENTINEL
Code ownership: at the time, OpenSSL had ~2 active maintainers for code that secured most of the internet, a structural under-resourcing of critical infrastructure.

Protocol 3.2 PR Review Quality · Development · SENTINEL
PR review quality: the original heartbeat patch (RFC 6520 implementation) merged with insufficient security review.

Primary sources

OpenSSL Security Advisory [07 Apr 2014] · OpenSSL Project · April 7, 2014
CVE-2014-0160 · NIST NVD · April 7, 2014
Heartbleed Bug · Codenomicon · April 7, 2014

Related incidents

Other incidents that failed at least one of the same protocols.

xz utils (Tukaani Project) · Mar 2024: CVE-2024-3094 — multi-year social-engineering attack inserts backdoor …
Okta · Oct 2023: Okta support-portal HAR file leak exposes 134 customer environments
Progress Software (MOVEit) · May 2023: CVE-2023-34362 SQL injection in MOVEit Transfer leads to mass data the…
Apache Software Foundation (Log4j) · Dec 2021: CVE-2021-44228 — JNDI injection in Log4j enables remote code execution

#cve #memory-disclosure #tls #open-source #maintainer-resource
Check your repo against these protocols.
Concordance scores any public GitHub repo against all 50 engineering protocols in 60 seconds. No signup, no install.
Concordance Incident Index entry · CC BY 4.0 · Methodology · Errata: hello@concordancelabs.com