OpenSSL Security Bug - Heartbleed / CVE-2014-0160
PURPOSE
The purpose of this document is to list Oracle products that depend on OpenSSL and to document their current status with respect to the OpenSSL versions that were reported as vulnerable to the publicly disclosed ‘heartbleed’ vulnerability CVE-2014-0160.
Specifically, this document will list: (1) Oracle products that never used OpenSSL versions reported to be vulnerable to CVE-2014-0160; (2) Oracle products still under investigation, which may be vulnerable to CVE-2014-0160, (3) Oracle products that are likely vulnerable to CVE-2014-0160 but have fixes available from Oracle, (4) Oracle products that are likely vulnerable to CVE-2014-0160 but for which no fixes are currently available, (5) Products that do not include OpenSSL in their default distribution, (6) Status for Oracle Cloud, (7) Status for My Oracle Support and Oracle Advanced Customer Support Services, and finally (8) Status for Oracle.com and other corporate resources.
Oracle has assessed the impact of vulnerability CVE-2014-0160 only against product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle has not assessed the impact of this vulnerability against products that are no longer supported by Oracle. When product versions for a given product are not specifically listed in this document, it implies all those versions for that product which are currently supported by Oracle.
DETAILS
Background
In April 2014, a vulnerability affecting certain versions of the OpenSSL cryptographic software library was publicly disclosed. For the purpose of this Note, this vulnerability will be referred by its CVE number: CVE-2014-0160. For more information about this vulnerability, see http://heartbleed.com/ (note that this site is not affiliated with Oracle).
The Oracle Global Product Security and Development teams are investigating the use of the affected OpenSSL cryptographic libraries in Oracle products and will provide mitigation instructions when available for these affected Oracle products.
Note that only a number of OpenSSL cryptographic libraries versions were reported as affected by vulnerability CVE-2014-0160. In other words, certain Oracle products, while they may be reported as using OpenSSL, may not be using versions of OpenSSL that were reported as vulnerable to CVE-2014-0160:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable to CVE-2014-0160
- OpenSSL 1.0.1g is NOT vulnerable to CVE-2014-0160
- OpenSSL 1.0.0 branch is NOT vulnerable to CVE-2014-0160
- OpenSSL 0.9.8 branch is NOT vulnerable to CVE-2014-0160
- OpenSSL 0.9.7 branch is NOT vulnerable to CVE-2014-0160
Source: http://heartbleed.com
Below is the list of affected products and mitigation instructions as of July 03, 2014 at 3:24 PM Pacific.
1.0 Oracle products that, while using OpenSSL, were not subject to CVE-2014-0160
Global Product Security has determined that the following products are using OpenSSL cryptographic libraries whose versions have been externally reported as not vulnerable to CVE-2014-0160 or did not use OpenSSL libraries to implement the vulnerable TLS protocol. No further action is therefore expected for these products:
- Acme Packet Net-Net Diameter Director [Product ID 10745]
- Advanced Lights Out Manager [Product ID 9843/ALOM/ALOM]
- ALOM-CMT [Product ID 9846/SYSFW-ALL/ALOM-CMT]
- Audit Vault [Product ID 1977,9749]
- Brocade (McData) Fiber Channel Switches and Management Software [Product ID 9864]
- Cisco MDS Fiber Channel Switches and Management Software [Product ID 9865]
- Corente Services Gateway
- E-Business Suite 11i (includes Oracle Applications Technology Stack) [Product ID 1214]
- eGate Integrator 5.0.5 SRE
- Enterprise Manager Cloud Control [Product ID 9579]
- Enterprise Manager Cloud Control Plug-ins and Connectors [Product ID 9579]
- Enterprise Manager Grid Control [Product ID 1370]
- Enterprise Manager Grid Control Plug-ins and Connectors [Product ID 1370]
- Enterprise Manager Ops Center [Product ID 9835]
- Exadata [Product ID 2546]
- Exalogic [Product ID 9415]
- Hyperion BI [Product ID 4361]
- Hyperion Essbase [Product ID 4379]
- iAS 1.0.2.2 (Part of E-Business Suite 11i) [Product ID 1745/IAS]
- Integrated Lights Out Manager (ILOM) [Product ID 9849]
- JD Edwards EnterpriseOne [Product ID 4781]
- JD Edwards World [Product ID 4839]
- MySQL Connector/C 6.0 [Product ID 8576/CONC]
- MySQL Connector/ODBC 5.1.4-5.1.12, 5.2.2-5.2.4 [Product ID 8576/CONODBC]
- MySQL Enterprise Backup 3.8, 3.9 [Product ID 4629]
- MySQL Enterprise Monitor 2.3.12 and earlier [Product ID 8480]
- MySQL Enterprise Server 5.1, 5.5, 5.6-5.6.10 [Product ID 8476]
- Nimbula Director [Product ID 10773]
- NM2-36P (NM2 36p Infiniband Switch) [Product ID 9886]
- NM2-GW (NM2 Gateway Infiniband Switch) [Product ID 9885]
- Oracle Access Manager 10g and 11g Webgates [Product ID 5565]
- Oracle Access Manager 10g Server [Product ID 5565]
- Oracle Agile Engineering Data Management [Product ID 4436]
- Oracle API Gateway 11.1.1 and 11.1.2 [Product ID 9195]
- Oracle ATG Web Commerce Search [Product ID 9350]
- Oracle Business Intelligence Enterprise Edition [Product ID 2025]
- Oracle Commerce Advanced JDBC Column Handler [Product ID 9633]
- Oracle Commerce Content Acquisition System [Product ID 9633]
- Oracle Commerce Developer Studio [Product ID 9633]
- Oracle Commerce Document Conversion [Product ID 9633]
- Oracle Commerce Experience Manager Tools and Frameworks [Product ID 9633]
- Oracle Commerce Guided Search / Oracle Commerce Experience Manager [Product ID 9633/MDEX]
- Oracle Commerce Guided Search Platform Services [Product ID 9633]
- Oracle Commerce MDEX Engine [Product ID 9633]
- Oracle Commerce Tools and Frameworks [Product ID 9633]
- Oracle Communications Application Session Controller, all 3.6.0 versions, 3.7.0.m0, 3.7.0.m0p1, 3.7.0.m0p2 [Product ID 10769]
- Oracle Communications ASAP [Product ID 2260]
- Oracle Communications Billing and Revenue Management 7.4.x, 7.5.x [Product ID 2136]
- Oracle Communications Border Gateway [Product ID 10751]
- Oracle Communications Core Session Manager [Product ID 10754]
- Oracle Communications Diameter Intelligence Hub 1.1, 1.2 [Product ID 11126]
- Oracle Communications Diameter Signal Router Full Address Resolution 4.x, 5.0 [Product ID 11127]
- Oracle Communications Diameter Signaling Router 4.x, 5.0 [Product ID 10899]
- Oracle Communications Eagle Application Processor Query Server 15.0, 15.0.2 [Product ID 11117]
- Oracle Communications Eagle LNP Provision System 10.0.0 [Product ID 11118]
- Oracle Communications Eagle MNP Provisioning System 15.x
- Oracle Communications IP Service Activator [Product ID 2261]
- Oracle Communications Network Charging and Control 4.4.x, 5.0.0.x [Product ID 4623]
- Oracle Communications Objectel [Product ID 2264]
- Oracle Communications Performance Intelligence Center 9.0.x [Product ID 11044]
- Oracle Communications Policy Management [Product ID 10900]
- Oracle Communications Security Gateway [Product ID 10755]
- Oracle Communications Service Broker Engineered System Edition [Product ID 9056]
- Oracle Communications Session Border Controller [Product ID 10750]
- Oracle Communications Session Delivery Management Suite
- Oracle Communications Session Router [Product ID 10752]
- Oracle Communications Session Tunneled Session Controller
- Oracle Communications Session Tunneled Session Controller SDK
- Oracle Communications Subscriber Data Management 9.1, 9.2 , 9.3 [Product ID 10901]
- Oracle Communications Subscriber Profile Repository 9.x
- Oracle Communications Subscriber-Aware Load Balancer [Product ID 10766]
- Oracle Communications Unified Session Manager [Product ID 10753]
- Oracle Database Appliance Software [Product ID 9435]
- Oracle Database Firewall [Product ID 8958,9749]
- Oracle DayBreak [Product ID 9496]
- Oracle Endeca Information Discovery Studio (If using Tomcat on Windows, see below) [Product ID 9634]
- Oracle Enterprise Communications Broker [Product ID 10758]
- Oracle Enterprise Session Border Controller [Product ID 10757]
- Oracle Fabric Interconnect F1-15 [Product ID 10478]
- Oracle FLEXCUBE Lending and Leasing 12.0, 12.1, 12.5 [Product ID 10484]
- Oracle GlassFish Server 3.x.x [Product ID 8493]
- Oracle Healthcare Transaction Base 5.x [Product ID 1122]
- Oracle Java Composite Application Platform Suite (JCAPS) 6.1, 6.2, 6.3 (including Enterprise Service Bus) [Product ID 8528, 8529]
- Oracle Key Manager [Product ID 10052]
- Oracle Life Sciences Data Hub 2.1.4 [Product ID 1710]
- Oracle Linux 5 [Product ID 1309]
- Oracle Real-time Scheduler [Product ID 2238]
- Oracle Secure Backup 10.3, 10.4 [Product ID 1522]
- Oracle Secure Global Desktop 4.x, 5.x [Product ID 8539]
- Oracle Social Network [Product ID 9432]
- Oracle Switch ES1-24 [Product ID 9889/OPUS24]
- Oracle System Assistant [Product ID 10015]
- Oracle Transportation Management 6.0, 6.1, 6.2 [Product ID 1991]
- Oracle Tuxedo [Product ID 5433]
- Oracle Virtual Desktop Infrastructure 3.3 to 3.5 [Product ID 8540]
- Oracle VM [Product ID 4455]
- Oracle VM VirtualBox 4.2, 4.3 [Product ID 8370]
- Oracle WebLogic Web Server Plug-In 1.0 [Product ID 5242/PLUGIN]
- Oracle ZFS Storage Software (includes, for example, Sun Storage 7310 Unified Storage System) [Product ID 10026]
- PeopleSoft Enterprise PT PeopleTools [Product ID 5085]
- Qlogic Fiber Channel Switches and Managment Software [Product ID 9866]
- Real User Experience Insight [Product ID 9572/COLL]
- SAM-QFS [Product ID 10021]
- Scapp [Product ID 9851]
- SMS [Product ID 9852]
- Solaris 11.1 and before [Product ID 10006]
- Solaris 11.2 (Beta) [Product ID 10006]
- SPARC - OPL Service Processor (XCP) [Product ID 9845]
- Sun Blade 6000 Ethernet Switched NEM 24P 10GE [Product ID 9889/OPUS-TOR]
- Sun Crypto Accelerator 6000 [Product ID 9894]
- Sun Network 10GE Switch 72p [Product ID 9889/OPUSC10NEM]
- Sun Ray Operating Software 11.x [Product ID 9211]
- Sun Ray Software 5.x [Product ID 8242]
- Sun System Firmware [Product ID 9846]
- SuperCluster [Product ID 10011]
- Tape Drive T10000D [Product ID 10080]
- Tape Library ACSLS Slim [Product ID 10087]
- Tape Library ACSLS CSC Toolkit [Product ID 10089]
- Tape Library ACSLS HA [Product ID 10090]
- Tape Library ACSLS LibAttach - Windows Client [Product ID 10091]
- Tape Library ACSLS LibAttach Integrators Pack [Product ID 10092]
- Tape Library ACSLS RMLS - AS/400 Client [Product ID 10093]
- Tape Library ACSLS SNMP Agent [Product ID 10094]
- Tape Library HP SL500 - HP EML Modular Tape Library [Product ID 10096]
- Tape Library SL150 [Product ID 10099]
- Tape Library SL500, SL3000, SL8500 [Product ID 10101, 10100, 10102]
- Tape OEM Drive for HP LTO5 [Product ID 10104]
- Tape Virtual ACSSIM - Library, VTSS and VLE Simulator [Product ID 10108]
- Tape Virtual Virtual Library Extension [Product ID 10116]
- Tape Virtual VSM - Virtual Tape SubSystem (includes, for example, Sun StorageTek VSM4 and VSM5 Systems) [Product ID 10117]
- Tekelec HLR Router 3.x, 4.0 [Product ID 11047]
- Tekelec Platform Management and Configuration 5.x [Product ID 11106]
- Telemetry Data System [Product ID 9449/TDS]
- XCP (SP software for SPARC M10-1/M10-4/M10-4S servers) [Product ID 9845]
- XCP (SP software for SPARC M3000/M4000/M5000/M8000/M9000 servers) [Product ID 9845]
2.0 Oracle products still under investigation, which may be vulnerable to CVE-2014-0160
No products are currently under investigation.
3.0 Oracle products that are likely vulnerable to CVE-2014-0160 and have fixes currently available
Global Product Security has determined that the following products have used OpenSSL cryptographic libraries which have been reported as vulnerable to CVE-2014-0160. Oracle has issued fixes for these products. Further mitigation instructions required to prevent the exploitation of this vulnerability may also be provided at a later time.
Patch availability information is provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers remain on actively supported versions to ensure that they continue to receive security fixes from Oracle.
4.0 Oracle products that are likely vulnerable to CVE-2014-0160 but for which no fixes are yet available.
No products remain in this category.
5.0 Products That Do Not Include OpenSSL
These Oracle products do not include OpenSSL in their initial distribution (i.e., “out of the box”) and should therefore not be affected by the recent disclosure of CVE-2014-0160. Note that the surrounding technical environment deployed around these products should be checked for the presence of other components, which may be affected by this vulnerability.
- ATG Campaign Optimizer [Product ID 9358]
- ATG Outreach [Product ID 9357]
- Auto Service Request [Product ID 9042]
- E-Business Suite R12 [Product ID 1214]
- Fusion Middleware Control [Product ID 1369]
- Hyperion EPM [Product ID 9143]
- Hyperion Financial Management (included in Hyperion EPM) [Product ID 4356]
- Hyperion Planning (included in Hyperion EPM) [Product ID 10707]
- Instantis EnterpriseTrack [Product ID 10563]
- Java ME - Bluray and TV [Product ID 9319]
- Java ME - Embedded [Product ID 9326]
- Java ME - Javacard [Product ID 9328]
- Java ME - JSRs and Optional Packages [Product ID 9322]
- Java ME - Mobile and Wireless [Product ID 9327]
- Java SE [Product ID 856]
- JavaVM
- Linear Tape File System Library Edition [Product ID 10259]
- Management Pack for Oracle GoldenGate [Product ID 5759]
- MySQL Cluster [Product ID 8479]
- MySQL Cluster Manager [Product ID 8479/CLSTMGR]
- MySQL Community Server version 5.6 [Product ID 6850]
- MySQL Connector/C++ [Product ID 8576/CONCPLS]
- MySQL Connector/Java [Product ID 8576/CONJ]
- MySQL Connector/NET [Product ID 8576/CONNET]
- MySQL Connector/PHP (mysqlnd) [Product ID 8576/CONMYND]
- MySQL Connector/Python [Product ID 8576/CONPYTHN]
- MySQL Server (all licenses, versions 5.5 and earlier) [Product ID 8478]
- MySQL Utilities [Product ID 4627/WBUTILS]
- OC4J 10.1.3.5 [Product ID 1270]
- OFSS FLEXCUBE Electronic Bill Presentment and Payment [Product ID 9495]
- Oracle Access Manager 11g Server [Product ID 5565]
- Oracle Access Portal [Product ID 10878]
- Oracle Adaptive Access Manager 11g Server [Product ID 4419]
- Oracle Agile Product Lifecycle Management [Product ID 4461]
- Oracle Application Configuration Console [Product ID 1370/ACC]
- Oracle Application Express (formerly Oracle HTML DB) [Product ID 1348]
- Oracle Application REST Data Services (formerly Oracle APEX Listener) [Product ID 9456]
- Oracle Application Testing Suite [Product ID 4622]
- Oracle ATG Web Commerce Business Intelligence [Product ID 9354]
- Oracle ATG Web Knowledge Manager [Product ID 9352]
- Oracle ATG Web Knowledge Manager Self-Service [Product ID 9353]
- Oracle Automated Service Manager [Product ID 11012]
- Oracle Autovue [Product ID 4449]
- Oracle B2B (Business to Business) 10g (11g is part of SOA) [Product ID 1652]
- Oracle Banking Platform [Product ID 9178]
- Oracle BPEL Process Manager (part of SOA Suite) [Product ID 1669]
- Oracle Business Activity Monitoring (part of SOA Suite) [Product ID 1675]
- Oracle Business Intelligence Publisher [Product ID 1479]
- Oracle Business Intelligence Standard Edition (aka Discoverer) [Product ID 964]
- Oracle Business Process Management Suite 10g, 11g, 12c [Product ID 5325]
- Oracle Clinical [Product ID 801]
- Oracle Clinical Remote Data Capture [Product ID 1041]
- Oracle CODASYL DBMS [Product ID 624]
- Oracle Coherence [Product ID 2545]
- Oracle Commerce ACC [Product ID 9348]
- Oracle Commerce Assisted Selling Application [Product ID 9348]
- Oracle Commerce Platform [Product ID 9349]
- Oracle Commerce Reference Store [Product ID 9348]
- Oracle Commerce Service Center [Product ID 9351]
- Oracle Commerce Web Server Extensions [Product ID 9349]
- Oracle Communications Application Integration Architecture
- Oracle Communications Application Management Pack
- Oracle Communications Calendar Server (CalDAV) [Product ID 8494]
- Oracle Communications Calendar Server 6.3 [Product ID 6754]
- Oracle Communications Configuration Management [Product ID 2268]
- Oracle Communications Converged Application Server [Product ID 5382]
- Oracle Communications Converged Application Server - Service Controller [Product ID 10593]
- Oracle Communications Convergence [Product ID 8501]
- Oracle Communications Delegated Administrator [Product ID 8505]
- Oracle Communications Design Studio [Product ID 2283]
- Oracle Communications Eagle STP
- Oracle Communications Elastic Charging Engine [Product ID 9742]
- Oracle Communications Index and Search Service (UCS) [Product ID 8503]
- Oracle Communications Instant Messaging Server 9.0.1.5 [Product ID 8495]
- Oracle Communications Messaging Server [Product ID 8496]
- Oracle Communications MetaSolv Solution [Product ID 2267,2281,2282]
- Oracle Communications Network Discovery [Product ID 2266,2287]
- Oracle Communications Network Integrity [Product ID 4491]
- Oracle Communications Network Intelligence [Product ID 4490]
- Oracle Communications Offline Mediation Controller [Product ID 2269]
- Oracle Communications Online Mediation Controller [Product ID 10594]
- Oracle Communications Order and Service Management [Product ID 2270]
- Oracle Communications Outlook Connector [Product ID 8499]
- Oracle Communications Pipeline Configuration Center
- Oracle Communications Pricing Design Center [Product ID 9437]
- Oracle Communications Service Broker [Product ID 8565]
- Oracle Communications Service Controller [Product ID 8565]
- Oracle Communications Service Gatekeeper [Product ID 5381]
- Oracle Communications Subscriber and Service Management [Product ID 2265]
- Oracle Communications Unified Inventory Management [Product ID 4516]
- Oracle Complex Maintenance, Repair and Overhaul [Product ID 1184]
- Oracle Data Integrator [Product ID 2196]
- Oracle Database [Product ID 5]
- Oracle Depot Repair [Product ID 516]
- Oracle Directory Server Enterprise Edition [Product ID 8512]
- Oracle Documaker [Product ID 5477]
- Oracle Enterprise Data Quality [Product ID 9464]
- Oracle Enterprise Single Sign-On Suite [Product ID 2074]
- Oracle Entitlement Server [Product ID 5296]
- Oracle Event Processing [Product ID 5370]
- Oracle Financial Services Analytical Applications Suite of Products [Product ID 5322, 5680, 5748, 9610, 10347, etc]
- Oracle Financial Services Lending and Leasing [Product ID 10484]
- Oracle FLEXCUBE Connect [Product ID 9051]
- Oracle FLEXCUBE Core Banking [Product ID 9101]
- Oracle FLEXCUBE Direct Banking [Product ID 9111]
- Oracle FLEXCUBE Enterprise Limits and Collateral [Product ID 9100]
- Oracle FLEXCUBE Investor Servicing [Product ID 9099]
- Oracle FLEXCUBE Messaging Hub [Product ID 9102]
- Oracle FLEXCUBE Private Banking [Product ID 9110]
- Oracle FLEXCUBE Remit [Product ID 9097]
- Oracle FLEXCUBE Universal Banking [Product ID 9052]
- Oracle Forms [Product ID 45]
- Oracle Fusion Middleware MapViewer [Product ID 1215]
- Oracle Fusion Middleware Repository Creation Utility [Product ID 1032/RCU]
- Oracle GlassFish Communications Server 2.x [Product ID 8513]
- Oracle GoldenGate [Product ID 5757]
- Oracle GoldenGate Application Adapters [Product ID 5760]
- Oracle GoldenGate Veridata [Product ID 5758]
- Oracle Health Sciences InForm Adapter [Product ID 9637]
- Oracle Health Sciences InForm and Oracle Siebel Clinical Integration Pack for Subject and Status Information [Product ID 9601]
- Oracle Health Sciences InForm CRF Submit [Product ID 9641]
- Oracle Health Sciences InForm Publisher [Product ID 9638]
- Oracle Healthcare Transaction Base v 6.x [Product ID 1122]
- Oracle HTTP Server [Product ID 1042]
- Oracle Identity Analytics [Product ID 8522]
- Oracle Identity Federation 11g [Product ID 1741]
- Oracle Identity Manager [Product ID 1980]
- Oracle Internet Directory [Product ID 355]
- Oracle iPlanet Web Proxy Server 4.0 [Product ID 8542]
- Oracle iPlanet Web Server 7.0 [Product ID 8543]
- Oracle JRockit [Product ID 5260]
- Oracle Knowledge [Product ID 9571]
- Oracle Live Help On Demand [Product ID 9360]
- Oracle Mobile and Social [Product ID 9146]
- Oracle Notification Services [Product ID 1032]
- Oracle Pedigree and Serialization Manager [Product ID 4674]
- Oracle PL/SQL (part of Oracle Database) [Product ID 11]
- Oracle Policy Automation [Product ID 5624]
- Oracle Policy Automation Connector for SAP Java Connector [Product ID 5628]
- Oracle Policy Automation Connector for Siebel [Product ID 5627]
- Oracle Policy Automation for Mobile Devices [Product ID 5626]
- Oracle Policy Modeling [Product ID 5623]
- Oracle Portal [Product ID 96]
- Oracle Process Management and Notification [Product ID 1032]
- Oracle Public Sector Revenue Management [Product ID 4318]
- Oracle Public Sector Revenue Management Analytics [Product ID 8389]
- Oracle Public Sector Revenue Management Self Service [Product ID 9773]
- Oracle Rdb Server on OpenVMS [Product ID 623]
- Oracle Recommendations On Demand [Product ID 9366]
- Oracle Reports [Product ID 159]
- Oracle Secure File Transport [Product ID 9208]
- Oracle Security Token Service 11g [Product ID 5744]
- Oracle Service Bus (part of SOA Suite) [Product ID 5308]
- Oracle Siebel Clinical Trial Management System [Product ID 9173]
- Oracle SOA Suite 10g, 11g, 12g [Product ID 1162]
- Oracle StorageTek Linear Tape File System [Product ID 10564]
- Oracle Sun OpenSSO 8.x Server [Product ID 8520]
- Oracle Thesaurus Management System [Product ID 192]
- Oracle TopLink [Product ID 1339]
- Oracle Trace File Analyzer
- Oracle Traffic Director [Product ID 9276]
- Oracle Transportation Management 6.3 [Product ID 1991]
- Oracle Unified Directory [Product ID 9118]
- Oracle Utilities Billing Component [Product ID 4102]
- Oracle Utilities Business Intelligence [Product ID 2235]
- Oracle Utilities Customer Care and Billing [Product ID 2237]
- Oracle Utilities Customer Self Service [Product ID 9426]
- Oracle Utilities Load Analysis [Product ID 4107]
- Oracle Utilities Load Profiling and Settlement [Product ID 4108]
- Oracle Utilities Meter Data Management [Product ID 4101]
- Oracle Utilities Mobile Workforce Management [Product ID 2239]
- Oracle Utilities Network Management System [Product ID 2241]
- Oracle Utilities Operational Device Management [Product ID 9544]
- Oracle Utilities Portfolio Management [Product ID 4106]
- Oracle Utilities Quotations Management [Product ID 4103]
- Oracle Utilities Rate Management [Product ID 4105]
- Oracle Utilities Smart Grid Gateway [Product ID 9127]
- Oracle Utilities Transaction Management [Product ID 4109]
- Oracle Utilities Work and Asset Management [Product ID 2244]
- Oracle Virtual Desktop Client 3.x [Product ID 8541]
- Oracle Virtual Directory [Product ID 1978]
- Oracle Wallet Manager [Product ID 338, 991/WMT]
- Oracle Warehouse Builder [Product ID 9]
- Oracle Watchlist Screening [Product ID 9465]
- Oracle Waveset [Product ID 8518]
- Oracle Web Cache [Product ID 1059]
- Oracle Web Services [Product ID 1271]
- Oracle Web Services Manager 10g, 11g, 12c [Product ID 1775]
- Oracle WebCenter Content [Product ID 2271]
- Oracle WebCenter Portal [Product ID 1696]
- Oracle Weblogic Integration [Product ID 5323]
- Oracle WebLogic Server 10.0.x and higher [Product ID 5242]
- Oracle WebLogic Web Server Plug-In 1.1+, 11g, 12c [Product ID 5242/PLUGIN_NZ]
- PeopleSoft products other than PeopleSoft Enterprise PT PeopleTools
- Primavera Contract Management [Product ID 5581]
- Primavera Gateway [Product ID 10605]
- Primavera Inspire for SAP [Product ID 5590]
- Primavera P6 Analytics [Product ID 8577]
- Primavera P6 Integration API [Product ID 10726]
- Primavera P6 Reporting Database [Product ID 5585]
- Primavera Portfolio Management [Product ID 5584]
- Primavera Risk Analysis [Product ID 5583]
- Primavera Unifier [Product ID 10354]
- Retail Integration Bus [Product ID 1807]
- Siebel CRM [Product ID 9011, 2295]
- Solaris Cluster [Product ID 10005]
- StorageTek Enterprise Library Software [Product ID 10098]
- StorageTek Host Software Component [Product ID 10098]
- StorageTek Library Content Manager [Product ID 10082]
- StorageTek Library Station [Product ID 10098]
- StorageTek MVS Client System Component [Product ID 10098]
- StorageTek Storage Management Component [Product ID 10098]
- StorageTek SVA Administrator [Product ID 10114]
- StorageTek Unisys Client System Component [Product ID 10098]
- StorageTek VM Client [Product ID 9293]
- StorageTek VSM Vault Utility [Product ID 10119]
- Sun GlassFish Enterprise Server 2.x [Product ID 8493]
- Sun Java System Application Server 7.x, 8.x [Product ID 6802]
- Sun Java System Message Queue [Product ID 7640]
- Sun Java System Web Proxy Server 3.6+, 4.0+
- Sun Java System Web Server 7.0 [Product ID 7276]
- Sun ONE Web Server 6.1 [Product ID 8543]
- Sun Storage Common Array Manager (CAM) [Product ID 10024]
- Sun StorageTek 6140 Array [Product ID 10067]
- Tape Drive 9840A, 9840C, 9840D, 9940A, 9940B [Product ID 10070, 10072-10075]
- Tape Drive T10000A, T10000B, T10000C [Product ID 10077-10079]
- Tape Drive Virtual Operator Panel [Product ID 10081]
- Tape General Expert Performance Reporter [Product ID 10082]
- Tape General ISV Support [Product ID 10083]
- Tape General Linear Tape File System Library Edition [Product ID 10084]
- Tape General StorageTek Tape Analytics SW Tool [Product ID 10085]
- Tape General z/OS Unit Information Module for STK Tape Drives [Product ID 10086]
- Tape Library Automated Cartridge System Library Software [Product ID 10088]
- Tape Library Nearline Control Solution [Product ID 10098]
- Tape Library StorageTek Library Console [Product ID 10103]
- Tape OEM Drive for IBM LTO5 and LTO6 [Product ID 10104]
- Tape Virtual Concurrent Disaster Recovery Test [Product ID 10109]
- Tape Virtual EXHPDM - High Speed Backup and Restore for Tape [Product ID 10110]
- Tape Virtual Expert Library Manager - 10111 [Product ID 10111]
- Tape Virtual HTTP SERVER - Tape Middleware [Product ID 10112]
- Tape Virtual Lifecycle Director [Product ID 10113]
- Tape Virtual Shared Virtual Array Subsystem [Product ID 10114]
- Tape Virtual Virtual Storage Manager GUI [Product ID 10118]
- Tape Virtual Virtual Tape Control Software [Product ID 10119]
- User Productivity Kit [Product ID 1962]
6.0 Oracle Cloud
Oracle's Cloud security and development teams are aware of CVE-2014-0160.
Oracle is investigating the implications of this issue across the Oracle stack.
The Oracle Cloud uses a “defense in depth” approach to security, which provides risk mitigation due to layered controls. Oracle has assessed the infrastructure, systems and applications used to provide Oracle Cloud services (“Cloud infrastructure”) and determined that, except as specified below, the Cloud infrastructure is not at risk from this vulnerability due to Oracle’s network architecture and use of SSL accelerators that have not been reported as vulnerable to CVE-2014-0160.
Oracle's analysis across the Oracle Cloud infrastructure is ongoing, using a number of automated and manual tests. Oracle will update this page as more information becomes available.
Please note: For software and services not managed by Oracle Cloud, please ensure that you contact your software or service provider for more information to secure them from vulnerabilities related to CVE-2014-0160.
Oracle Cloud Services that have successfully passed our assessment include:
- Oracle Public Cloud
- Big Machines
- BlueKai
- Eloqua
- Fusion Apps PaaS
- Fusion Apps SaaS
- Responsys
- RightNow
- Taleo Business Edition
- Taleo Enterprise
- Taleo Learn
- Taleo Job Partners
- Taleo Social Sourcing
- Oracle Managed Cloud Services - All @oracle Services
- Agile
- ATG Optimization
- ATG Commerce
- Beehive
- CRM On Demand
- Demantra
- E-Business Suite On Demand
- Endeca
- Fusion Apps
- Golden Gate
- GRC
- Hyperion On Demand
- iLearning
- Inquira
- JDE
- Markdown Optimization
- MDM
- OBIEE
- Oracle Content Manager
- Oracle Retail
- Oracle Transportation Manager
- OTO
- PeopleSoft On Demand
- Primavera
- Siebel On Demand
- SOA
- Oracle Cloud for Industry
- Argus Safety, Insight, Analytics
- Billing and Revenue Management
- Central Coding
- Central Designer
- ClearTrial
- Enterprise Track (Instantis)
- Empirica Suite
- Healthcare Analytic Suite
- InForm
- Insurance Data Exchange
- IRT
- LabPas
- Outcome Logix
- Oracle Financial Services Lending and Leasing
- Oracle Utilities Cloud Analytics (previously DataRaker)
- Siebel Clinical Trial Management Service
- Skire Unifier (hosted at Savvis/CenturyLink and CWH)
In the ongoing processes of assessing the Oracle Cloud Infrastructure for vulnerability to CVE-2014-0160, Oracle has determined that one of our infrastructure partners may have been relying on OpenSSL Cryptographic Libraries which were reported as vulnerable. Oracle has since engaged with this partner to understand the possible implications of its use of the affected libraries, and determine what steps this partner had taken to address the issue. In response, Oracle has reached out to the affected customers with additional instructions. We have therefore updated the status of these Oracle Cloud for Industry services as "under investigation/customers notified".
- Argus Safety, Insight, Analytics (Only in specific environments)
- Design Environment On Demand (DEOD)
- Primavera P6
- Skire Unifier (hosted at Sungard)
7.0 Status for My Oracle Support and Oracle Advanced Customer Support Services
My Oracle Support and Advanced Customer Support Services use a "defense in depth" approach to security, which provide risk mitigation due to layered controls. Our assessment has confirmed that the technologies used in My Oracle Support and in our Advanced Customer Support connected services are not at risk from vulnerability CVE-2014-0160. This is due to Oracle’s network architecture, the use of hardware and software specific SSL termination technology that have been reported as not vulnerable to CVE-2014-0160. Our assessment also uncovered that vulnerability CVE-2014-0160 existed in our Content Distribution Gateway between My Oracle Support and external sites. Oracle has contacted our Gateway partner who addressed this vulnerability on 19th April 2014.
Note that Oracle Platinum Services and Advanced Customer Support connected services such as Advanced Monitoring & Resolution are enabled by the Oracle Advanced Support Gateway. The gateway uses OpenSSL; however, the current gateway release (3.6) and all prior releases do not use OpenSSL Cryptographic Libraries reported to be vulnerable to CVE-2014-0160.
8.0 Oracle.com and other corporate web sites
Oracle uses a "defense in depth" approach to security, which provides risk mitigation due to layered controls. Initial assessments have found that Oracle’s corporate web sites, as well as the Oracle Technology Network (OTN), are not at risk from vulnerability CVE-2014-0160. This is due to Oracle’s network architecture and the use of hardware SSL termination technology that have been reported as not vulnerable to CVE-2014-0160.
As a result, customers who have registered for an Oracle Web Account do not need to change their passwords out of concern that they may have been compromised by CVE-2014-0160. The Oracle Web Account is used to access a variety of Oracle Services and Applications including My Oracle Support, OTN Forums, Oracle Store, Oracle University, and Oracle PartnerNetworks as well as to register for Oracle events.
Conclusion
Global Product Security will continue to follow up with the various product development teams within Oracle to monitor the creation of the appropriate fixes, determine whether additional products may be affected, and whether updated mitigation instructions are required. This note will be updated as fixes and further mitigation instructions become available.
Furthermore, Global Product Security will ensure that future releases of Oracle products do not use the affected OpenSSL libraries. Finally future Patchsets and Critical Patch Updates for affected Oracle products may include the necessary patches to remove this vulnerability.
Please note that the relevant contract between you and Oracle determines legal terms and conditions applicable to the Oracle products and/or services you have acquired. This information is provided on an “AS-IS” basis without warranty and is subject to change.
References