A critical vulnerability was recenty found in OpenSSL. Due to a missing bounds check in the handling of the TLS heartbeat extension, 64K of memory can be revealed to a connected client or server. Only OpenSSL versions 1.0.1-1.0.1f, 1.0.2-beta and 1.0.2- beta1 are affected.
A remote attacker can exploit the vulnerability by sending a malformed heartbeat request with a payload size bigger than the actual request; and in response, the vulnerable server would return a heartbeat response that contains a memory block of up to 64KB in the payload. This memory block may reveal potentially confidential information, including SSL certificate user passwords and more.
An attacker cannot control what memory block the server returns, but by performing multiple requests, some critical data might be leaked.