On 7 Apr 2014 the OpenSSL project disclosed CVE-2014-0160, a very serious security flaw in an OpenSSL library often referred to as the “Heartbleed” bug. This flaw is present in OpenSSL versions 1.0.1 and 1.0.2-beta (including 1.0.1f and 1.0.2-beta1).

Since NTP can be linked against the OpenSSL libraries, we’ve been asked if this vulnerability is a potential issue for NTP.

If NTP is linked against the OpenSSL libraries, the only use of them is to provide digital key and signature support. Since the vulnerabilities of CVE-2014-0160 are in parts of the OpenSSL libraries that are not used by NTP, NTP is NOT at risk from CVE-2014-0160.

Harlan Stenn
NTP Project
Network Time Foundation