"This vulnerability can be remotely exploited to leak encryption secrets from Heroku applications, allowing an attacker to retrieve the private key used for SSL encryption and decode data obtained by intercepting traffic"
Does anyone know if this is "actually" true?. By looking at the bug it seems you can dump up to 64 bytes at a time from the stack. Given that the attacker doesn't control were from the stack at all and looking at the code the top of the stack is probably holding some random structure, is it really possible for the attacker to retrieve the private key?
I just want to be sure before spending a bunch of money to replace re-issue all certs.
It has been repedately demonstrated that it is possible to get private key from the server using this vulnerability, as well as user login details. You don't have only one shot - you can query the server multiple times (and every time you will receive slightly different data) until you have everything you want. So yeah, the issue was/is very serious.
See this post for a trivial example of session theft from JIRA [1]. You may not get the memory chunk you want the first time, but you can repeat it until you do.
It's from somewhere on the heap not the stack. You can influence where on the heap the data comes from by adjusting the size of your request, amongst other tricks.
Does anyone know if this is "actually" true?. By looking at the bug it seems you can dump up to 64 bytes at a time from the stack. Given that the attacker doesn't control were from the stack at all and looking at the code the top of the stack is probably holding some random structure, is it really possible for the attacker to retrieve the private key?
I just want to be sure before spending a bunch of money to replace re-issue all certs.