On April 7, 2014, it was announced that all versions of OpenSSL in the 1.0.1 series up to and including 1.0.1f had a severe memory handling bug in their implementation of the TLS Heartbeat Extension. This defect could be used to reveal up to 64 kilobytes of the application's memory with every heartbeat.
The vulnerability has existed since December 31, 2011, and the vulnerable code has been adopted to widespread use with the release of OpenSSL version 1.0.1 on March 14, 2012. By reading the memory of the web server, attackers could access sensitive data, compromising the security of the server and its users. Potentially vulnerable secure data include the server's private master key,which enables attackers to break the encryption of the server's earlier eavesdropped communications and thereby implement a man-in-the-middle attack.
The vulnerability might also reveal unencrypted parts of other users' sensitive requests and responses, including session cookies and passwords, which might allow attackers to hijack the identity of another user of the service. At its disclosure, some 17% or half a million of the Internet's secure web servers certified by trusted authorities were believed to have been vulnerable to the attack.