The purpose of this document is to list Oracle products that depend on OpenSSL and to document their current status with respect to the OpenSSL versions that were reported as vulnerable to the publicly disclosed ‘heartbleed’ vulnerability CVE-2014-0160.
Specifically, this document will list: (1) Oracle products that never used OpenSSL versions reported to be vulnerable to CVE-2014-0160; (2) Oracle products still under investigation, which may be vulnerable to CVE-2014-0160; (3) Oracle products that are likely vulnerable to CVE-2014-0160 but have fixes available from Oracle; (4) Oracle products that are likely vulnerable to CVE-2014-0160 but for which no fixes are currently available; (5) products that do not include OpenSSL in their default distribution; (6) status for Oracle Cloud; (7) status for My Oracle Support and Oracle Advanced Customer Support Services; and finally (8) status for Oracle.com and other corporate resources.
Oracle has assessed the impact of vulnerability CVE-2014-0160 only against product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle has not assessed the impact of this vulnerability against products that are no longer supported by Oracle. When product versions for a given product are not specifically listed in this document, the entry applies to all versions of that product that are currently supported by Oracle.
In April 2014, a vulnerability affecting certain versions of the OpenSSL cryptographic software library was publicly disclosed. For the purpose of this Note, this vulnerability will be referred to by its CVE number: CVE-2014-0160. For more information about this vulnerability, see http://heartbleed.com/ (note that this site is not affiliated with Oracle).
The Oracle Global Product Security and Development teams are investigating the use of the affected OpenSSL cryptographic libraries in Oracle products and will provide mitigation instructions when available for these affected Oracle products.
Note that only certain versions of the OpenSSL cryptographic libraries were reported as affected by vulnerability CVE-2014-0160. In other words, certain Oracle products, while they may be reported as using OpenSSL, may not be using versions of OpenSSL that were reported as vulnerable to CVE-2014-0160.
Below is the list of affected products and mitigation instructions as of July 03, 2014 at 3:24 PM Pacific.
Global Product Security has determined that the following products are using OpenSSL cryptographic libraries whose versions have been externally reported as not vulnerable to CVE-2014-0160, or did not use OpenSSL libraries to implement the vulnerable TLS protocol. No further action is therefore expected for these products.
No products are currently under investigation.
Global Product Security has determined that the following products have used OpenSSL cryptographic libraries which have been reported as vulnerable to CVE-2014-0160. Oracle has issued fixes for these products. Further mitigation instructions required to prevent the exploitation of this vulnerability may also be provided at a later time.
Patch availability information is provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers remain on actively supported versions to ensure that they continue to receive security fixes from Oracle.
| Product | Mitigation instructions |
|---|---|
| MySQL Connector/C 6.1.0-6.1.3 [Product ID 8576/CONC] | MOS Note 1663909.1 |
| MySQL Connector/ODBC 5.1.13, 5.2.5-5.2.6, 5.3.2 [Product ID 8576/CONODBC] | MOS Note 1663909.1 |
| MySQL Enterprise Backup 3.10.0 [Product ID 4629] | MOS Note 1663909.1 |
| MySQL Enterprise Monitor 2.3.13-2.3.15, 3.0.0-3.0.8 [Product ID 8480] | MOS Note 1663909.1 |
| MySQL Enterprise Server 5.6.11-5.6.17 [Product ID 8476] | MOS Note 1663909.1 |
| MySQL Workbench 6.1.4 and earlier [Product ID 4627] | MOS Note 1663909.1 |
| Oracle Big Data Appliance (includes Oracle Linux 6) [Product ID 9734] | MOS Note 1662966.1 |
| Oracle Communications Internet Name and Address Management [Product ID 2262] | MOS Note 1665972.1 |
| Oracle Communications Application Session Controller 3.7.0.m1p0, 3.7.0.m2p0 [Product ID 10769] | MOS Note 1664964.1 |
| Oracle Communications Interactive Session Recorder 4.0.0 and later [Product ID 10765] | MOS Note 1664216.1 |
| Oracle Communications Network Charging and Control 5.0.1 [Product ID 4623] | MOS Note 1664010.1 |
| Oracle Communications Session Monitor Suite 3.3.40, 3.3.50 [Product ID 10761] | MOS Note 1664883.1 |
| Oracle Communications WebRTC Session Controller 7.0.1 [Product ID 10811] | MOS Note 1664964.1 |
| Oracle Endeca Information Discovery Studio (using Tomcat on Windows) [Product ID 9634] | Only customers who use Tomcat and have enabled the APR/Native interface may be vulnerable. MOS Note 1666812.1 |
| Oracle Explorer [Product ID 1330/EXPLORER] | MOS Note 1664793.1 |
| Oracle Linux 6 [Product ID 1309] | MOS Note 1663998.1 |
| Oracle Mobile Security Suite [Product ID 10913] | MOS Note 1664164.1 |
| Oracle Virtual Compute Appliance Software [Product ID 10635] | MOS Note 1664138.1 |
| Primavera P6 Professional Project Management (includes Primavera P6 Enterprise Project Portfolio Management) [Product ID 5579, 5580] | MOS Note 1664871.1 (P6 PPM) and MOS Note 1662799.1 (P6 EPPM) and MOS Note 1665370.1 |
| Tape OEM Drive for HP LT-O6 [Product ID 10104] | MOS Note 1682209.1 |
No products remain in this category.
These Oracle products do not include OpenSSL in their initial distribution (i.e., “out of the box”) and should therefore not be affected by the recent disclosure of CVE-2014-0160. Note that the surrounding technical environment deployed around these products should be checked for the presence of other components, which may be affected by this vulnerability.
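The two tests this note applies to each product (is the OpenSSL version in the reported range, and does OpenSSL actually provide the TLS implementation) as an added Python example, not code from the Oracle note or from any Oracle tool: it parses `openssl version` output from an inventory and classifies each component, adding the caveat that matters for vendor builds such as Oracle Linux packages, namely that distributions often backport the fix while keeping the base version string, so a version match alone only means the vendor patch level must be verified. The affected upstream range (1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g) comes from the upstream OpenSSL advisory, not from this page; the component names and versions in the inventory are constructed.

```python
import re

# Upstream range reported for CVE-2014-0160: 1.0.1 through 1.0.1f inclusive, plus
# the 1.0.2-beta1 pre-release; fixed in 1.0.1g and 1.0.2-beta2. (Fact from the
# upstream OpenSSL advisory, not from the Oracle note.)
_VERSION_RE = re.compile(
    r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.IGNORECASE
)

def parse_version(text):
    """Parse `openssl version` output into (major, minor, patch, letter, beta)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    major, minor, patch, letter, beta = m.groups()
    return int(major), int(minor), int(patch), letter.lower(), (int(beta) if beta else None)

def upstream_affected(text):
    """True if the upstream release named in `text` shipped the vulnerable heartbeat code."""
    major, minor, patch, letter, beta = parse_version(text)
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"          # "" (bare 1.0.1) and "a" .. "f" affected; "g" and later fixed
    if (major, minor, patch) == (1, 0, 2):
        return beta == 1              # only the first 1.0.2 beta was affected
    return False                      # 0.9.8 and 1.0.0 branches never had the bug

def classify(text, openssl_provides_tls=True, vendor_build=False):
    """Apply the note's two tests, plus a vendor-backport caveat, to one component."""
    if not upstream_affected(text):
        return "NOT_AFFECTED_VERSION"
    if not openssl_provides_tls:      # OpenSSL present but not used for TLS (e.g. hashing only)
        return "NOT_AFFECTED_NO_TLS"
    if vendor_build:                  # distro packages often backport the fix under the old string
        return "VERIFY_VENDOR_PATCH"
    return "AFFECTED"

if __name__ == "__main__":
    # Constructed inventory; names and versions are illustrative, not Oracle products.
    inventory = [
        ("example-web-frontend", "OpenSSL 1.0.1e-fips 11 Feb 2013", True, True),
        ("example-license-tool", "OpenSSL 1.0.1f 6 Jan 2014", False, False),
        ("example-agent", "OpenSSL 1.0.1g 7 Apr 2014", True, False),
        ("example-legacy-app", "OpenSSL 0.9.8y 5 Feb 2013", True, False),
    ]
    for name, version, tls, vendor in inventory:
        print(f"{name:24} {version:36} {classify(version, tls, vendor)}")
```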
Oracle's Cloud security and development teams are aware of CVE-2014-0160.
Oracle is investigating the implications of this issue across the Oracle stack.
The Oracle Cloud uses a “defense in depth” approach to security, which provides risk mitigation due to layered controls. Oracle has assessed the infrastructure, systems and applications used to provide Oracle Cloud services (“Cloud infrastructure”) and determined that, except as specified below, the Cloud infrastructure is not at risk from this vulnerability due to Oracle’s network architecture and use of SSL accelerators that have not been reported as vulnerable to CVE-2014-0160.
Oracle's analysis across the Oracle Cloud infrastructure is ongoing, using a number of automated and manual tests. Oracle will update this page as more information becomes available.
Please note: For software and services not managed by Oracle Cloud, please ensure that you contact your software or service provider for more information to secure them from vulnerabilities related to CVE-2014-0160.
Oracle Cloud Services that have successfully passed our assessment include:
In the ongoing process of assessing the Oracle Cloud Infrastructure for vulnerability to CVE-2014-0160, Oracle has determined that one of our infrastructure partners may have been relying on OpenSSL Cryptographic Libraries which were reported as vulnerable. Oracle has since engaged with this partner to understand the possible implications of its use of the affected libraries, and to determine what steps this partner had taken to address the issue. In response, Oracle has reached out to the affected customers with additional instructions. We have therefore updated the status of these Oracle Cloud for Industry services as "under investigation/customers notified".
My Oracle Support and Advanced Customer Support Services use a "defense in depth" approach to security, which provides risk mitigation due to layered controls. Our assessment has confirmed that the technologies used in My Oracle Support and in our Advanced Customer Support connected services are not at risk from vulnerability CVE-2014-0160. This is due to Oracle’s network architecture and the use of hardware- and software-specific SSL termination technology that has been reported as not vulnerable to CVE-2014-0160. Our assessment also uncovered that vulnerability CVE-2014-0160 existed in our Content Distribution Gateway between My Oracle Support and external sites. Oracle has contacted our Gateway partner, who addressed this vulnerability on 19th April 2014.
Note that Oracle Platinum Services and Advanced Customer Support connected services such as Advanced Monitoring & Resolution are enabled by the Oracle Advanced Support Gateway. The gateway uses OpenSSL; however, the current gateway release (3.6) and all prior releases do not use OpenSSL Cryptographic Libraries reported to be vulnerable to CVE-2014-0160.
Oracle uses a "defense in depth" approach to security, which provides risk mitigation due to layered controls. Initial assessments have found that Oracle’s corporate web sites, as well as the Oracle Technology Network (OTN), are not at risk from vulnerability CVE-2014-0160. This is due to Oracle’s network architecture and the use of hardware SSL termination technology that have been reported as not vulnerable to CVE-2014-0160.
As a result, customers who have registered for an Oracle Web Account do not need to change their passwords out of concern that they may have been compromised by CVE-2014-0160. The Oracle Web Account is used to access a variety of Oracle Services and Applications including My Oracle Support, OTN Forums, Oracle Store, Oracle University, and Oracle PartnerNetworks as well as to register for Oracle events.
Global Product Security will continue to follow up with the various product development teams within Oracle to monitor the creation of the appropriate fixes, determine whether additional products may be affected, and whether updated mitigation instructions are required. This note will be updated as fixes and further mitigation instructions become available.
Furthermore, Global Product Security will ensure that future releases of Oracle products do not use the affected OpenSSL libraries. Finally, future Patchsets and Critical Patch Updates for affected Oracle products may include the necessary patches to remove this vulnerability.
Please note that the relevant contract between you and Oracle determines legal terms and conditions applicable to the Oracle products and/or services you have acquired. This information is provided on an “AS-IS” basis without warranty and is subject to change.