Fixed version: OpenSSL 1.0.1g
Vulnerable versions: OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable.
Bug introduced in December 2011, but published on 14th March 2012.
Discovered by Neel Mehta of Google Security and Riku, Antti and Matti from Codenomicon.
The bug allows a remote user to read 64k of random memory from the server. By sending repeated requests, a dump of the memory can be obtained, disclosing all kinds of information, including passwords and private keys. The attack doesn't leave any kind of trace.
To check whether a server advertises the heartbeat extension (the command prints "safe" when it does not; a failed connection also prints "safe", so confirm that the handshake succeeded):
openssl s_client -connect google.com:443 -tlsextdebug 2>&1 </dev/null | grep 'server extension "heartbeat" (id=15)' || echo safe
Heartbleed can also be exploited by a malicious server to get information from the clients that connect to it.
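For inventory work, the version range listed above can be checked against the banner printed by `openssl version`. The following is an added example, not part of the original page; the function name heartbleed_status and the sample banners are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. heartbleed_status is a hypothetical helper name.
# It classifies a version against the upstream range stated above:
# 1.0.1 through 1.0.1f vulnerable, 1.0.1g fixed.
# Input: a bare version ("1.0.1e") or an `openssl version` banner
# ("OpenSSL 1.0.1e 11 Feb 2013").
heartbleed_status() {
    ver=${1#OpenSSL }      # drop the leading product name, if present
    ver=${ver%% *}         # keep only the version token, drop the build date
    ver=${ver%-fips}       # "-fips" marks a FIPS build of the same release
    case $ver in
        *-*)
            # beta/pre/dev or vendor-suffixed builds: the range above
            # does not cover them, so do not guess
            echo unknown ;;
        1.0.1|1.0.1[abcdef])
            echo vulnerable ;;
        1.0.1[ghijklmnopqrstuvwxyz])
            echo fixed ;;
        [0-9]*.[0-9]*.[0-9]*)
            # any other release line is outside the range listed above
            echo outside-range ;;
        *)
            echo unknown ;;
    esac
}

# Constructed sample banners (not captured from real hosts).
for banner in \
    "OpenSSL 1.0.1 14 Mar 2012" \
    "OpenSSL 1.0.1e-fips 11 Feb 2013" \
    "OpenSSL 1.0.1f 6 Jan 2014" \
    "OpenSSL 1.0.1g 7 Apr 2014" \
    "OpenSSL 0.9.8y 5 Feb 2013" \
    "OpenSSL 1.0.2-beta1 24 Feb 2014"
do
    printf '%-36s %s\n' "$banner" "$(heartbleed_status "$banner")"
done
```

A "vulnerable" result only means the version string falls in the upstream range: distributions that backport the fix keep the old version letter, so confirm against the vendor's package changelog or advisory.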