This Security Alert addresses CVE-2014-0160 ('Heartbleed'), a publicly disclosed vulnerability which affects multiple OpenSSL versions implemented by various vendors in their products. This vulnerability affects multiple Oracle products. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the confidentiality of systems that are running affected versions of OpenSSL. According to http://heartbleed.com, the compromised data may contain passwords, private keys, and other sensitive information. In some instances, this information could be used by a malicious attacker to log into systems using a stolen identity or decrypt private information that was sent months or years ago.
Due to the severity, public disclosure and the reported exploitation of CVE-2014-0160 "in the wild," Oracle strongly recommends that customers apply the fixes provided by this Security Alert as soon as they are released by Oracle.
Please refer to OpenSSL Security Bug - Heartbleed / CVE-2014-0160 for a list of Oracle products and versions that are affected by this vulnerability.
Note: The page, OpenSSL Security Bug - Heartbleed / CVE-2014-0160 will be updated when new information becomes available.
Patch availability information related to vulnerability CVE-2014-0160 can be found on the OpenSSL Security Bug - Heartbleed / CVE-2014-0160 page. Note that in some instances, the instructions on this page or references from this page may include important steps to take before and after the application of the relevant patch.
Patch availability information is provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers remain on actively supported versions to ensure that they continue to receive security fixes from Oracle.
Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerability addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by this vulnerability.
Security Alert fixes are available to customers who have purchased Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to apply Security Alert fixes for products in the Extended Support Phase.
Date | Comments |
---|---|
2014-April-18 | Rev 1. Initial Release |
This Security Alert addresses the Heartbleed vulnerability in the OpenSSL third party component as it relates to Oracle products. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
CVE# | Component | Protocol | Subcomponent | Remote Exploit without Auth.? | CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | |||||||
CVE-2014-0160 | OpenSSL Library | SSL/TLS | Heartbeat Extension | Yes | 5.0 | Network | Low | None | Partial | None | None | 1.0.1 - 1.0.1f | See Note 1 |