This advisory applies to all Yealink products using OpenSSL from version 1.0.1 to 1.01f. Notice supplied by Yealink UK on Weds 23rd June.
Heartbleed is a security bug in the open-source OpenSSL cryptography library, widely used to implement the Internet’s Transport Layer Security (TLS) protocol. This vulnerability results from a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension.
Through the vulnerability in OpenSSL versions from 1.0.1 to 1.0.1f, an attacker can capture memory from the host 64k at a time. The attacker can therefore possibly capture desired data such as the server’s private key, or a user’s password. This exploit is consistent with CVE: 2014-0160.
We have carefully inspected all versions of our products, and are pleased to announce that Yealink products are not affected by the Heartbleed OpenSSL vulnerability. We will update users if there are any changes in the future.