Solaris - CVE 2014 0160.
Modified: 11-Apr-2014 Type: REFERENCE
In this Document
Purpose
Details
PURPOSE
The purpose of this document is to list Oracle products that depend on OpenSSL and to document their current status with respect to the
OpenSSL versions that were reported as vulnerable to the publicly disclosed heartbleed vulnerability CVE-2014-0160.
In other words, this document will list: (1) Oracle products that never used OpenSSL versions reported to be vulnerable to CVE-2014-0160;
(2) Oracle products still under investigation, which may be vulnerable to CVE-2014-0160; (3) Oracle products that are likely vulnerable to
CVE-2014-0160 but have fixes available; (4) Oracle products that are likely vulnerable to CVE-2014-0160 but for which no fixes are currently
available; and finally (5) the status of Oracle Cloud and IT Systems.
DETAILS
Background
In April 2014, a vulnerability affecting certain versions of the OpenSSL cryptographic software library was publicly disclosed. For the
purpose of this Note, this vulnerability will be referred to by its CVE number: CVE-2014-0160. For more information about this vulnerability,
see http://heartbleed.com/ (note that this site is not affiliated with Oracle).
The Oracle Global Product Security and Development teams are investigating the use of the affected OpenSSL cryptographic libraries in
Oracle products and will provide mitigation instructions when available for these affected Oracle products.
Note that only certain versions of the OpenSSL cryptographic library were reported as affected by vulnerability CVE-2014-0160. In other
words, certain Oracle products, while they may be reported as using OpenSSL, may not be using the versions of OpenSSL that were reported
by the reporter of the vulnerability as vulnerable to CVE-2014-0160:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable to CVE-2014-0160
OpenSSL 1.0.1g is NOT vulnerable to CVE-2014-0160
OpenSSL 1.0.0 branch is NOT vulnerable to CVE-2014-0160
OpenSSL 0.9.8 branch is NOT vulnerable to CVE-2014-0160
OpenSSL 0.9.7 branch is NOT vulnerable to CVE-2014-0160
Source: http://heartbleed.com
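The version ranges above are the only technical criterion this note gives, and a defender's first job is to apply them to an inventory of what is actually installed. The following is an added example (not code from Oracle or from this note) that encodes exactly those ranges and classifies `openssl version` output per host; the inventory format (hostname, tab, version output), the function names and the sample hosts are assumptions constructed for illustration. Branches the note does not mention are reported as unknown rather than guessed.

```python
import re

# Version facts exactly as the note states them (source: heartbleed.com):
#   OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
#   OpenSSL 1.0.1g is NOT vulnerable
#   OpenSSL 1.0.0, 0.9.8 and 0.9.7 branches are NOT vulnerable
VULNERABLE_BRANCH = (1, 0, 1)
LAST_VULNERABLE_LETTER = "f"
CLEAN_BRANCHES = {(1, 0, 0), (0, 9, 8), (0, 9, 7)}

# OpenSSL version strings are major.minor.fix plus an optional patch letter,
# e.g. "1.0.1e", "0.9.8y" or plain "1.0.1" (the first 1.0.1 release, no letter).
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Extract (major, minor, fix, letter) from text such as the output of
    `openssl version` ("OpenSSL 1.0.1e-fips 11 Feb 2013").
    Returns None when no version number is present."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def heartbleed_status(version_text):
    """Classify one version string against the ranges listed in the note.
    Returns 'vulnerable', 'not_vulnerable' or 'unknown'."""
    parsed = parse_openssl_version(version_text)
    if parsed is None:
        return "unknown"
    branch, letter = parsed[:3], parsed[3]
    if branch == VULNERABLE_BRANCH:
        # "" (plain 1.0.1) sorts before "a" and is therefore inside the
        # vulnerable range; "g" and later sort after "f".
        return "vulnerable" if letter <= LAST_VULNERABLE_LETTER else "not_vulnerable"
    if branch in CLEAN_BRANCHES:
        return "not_vulnerable"
    # 1.0.2, 1.1.x etc. are not covered by the note: do not guess.
    return "unknown"


def triage_inventory(lines):
    """Map 'hostname<TAB>openssl version output' lines to a status per host."""
    result = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        host, _, version_text = line.partition("\t")
        result[host] = heartbleed_status(version_text)
    return result


# Constructed sample inventory (hypothetical hosts, not from the note), one
# line per host as a collection script running `openssl version` might write it.
SAMPLE_INVENTORY = [
    "web01\tOpenSSL 1.0.1e-fips 11 Feb 2013",
    "web02\tOpenSSL 1.0.1g 7 Apr 2014",
    "db01\tOpenSSL 1.0.0l 6 Jan 2014",
    "legacy01\tOpenSSL 0.9.8y 5 Feb 2013",
    "app01\tOpenSSL 1.0.1 14 Mar 2012",
    "unknown01\tbash: openssl: command not found",
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print("{:<10} {}".format(host, status))
```

Note that the reported library version only tells you what `openssl version` links against; a statically linked copy inside a product, or a long-running service that has not been restarted after patching, needs a separate check, which is why the note tracks status per product rather than per library.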
List of affected products and mitigation instructions as of April 11, 2014 at 8:50 AM Pacific.
(1) Oracle products that, while using OpenSSL, were never vulnerable to CVE-2014-0160
Global Product Security has determined that the following products are using OpenSSL cryptographic libraries whose versions have been
externally reported as not vulnerable to CVE-2014-0160. No further action is therefore expected for these products.
Advanced Lights Out Manager (ALOM) [product 6904]
ALOM-CMT (Server Processor software for SPARC T1 servers)
Audit Vault
BI EE
DB Firewall
EBS
EM Grid Control Plug-ins and Connectors
EM Ops Center
Endeca Server
Exadata (prod 2546)
Exalogic
Hyperion Essbase
ILOM versions 3.2.2 and before
Document Display https://support.oracle.com/epmos/faces/SearchDocDispl...
1 of 4 04/11/2014 11:47 PM
JDE EnterpriseOne Tools
Key Manager
NM2 IB switches
NM2-36P InfiniBand switches prod ID 10140
Oracle Communication Performance Intelligence Center 9.0.x [prod 11044]
Oracle Communications Billing and Revenue Management [prod 2136]
Oracle Communications EAGLE Application Processor Query Server (aka MNP Provisioning System, aka EPAP) [product 11117], 15.0, 15.0.2.
Oracle Communications EAGLE LNP Application Processor [prod 11118].
Oracle Communications Service Broker Engineered System Edition [prod 9056]. Does not use OpenSSL, but includes Oracle Linux 5.5 which is not vulnerable
Oracle Communications Subscriber Data Management [prod 10901]
Oracle Communications Subscriber Profile Repository
Oracle Eagle LNP Provision System
Oracle GlassFish Server 3.x.x
Oracle HTTP Server
Oracle Linux 5
Oracle Secure Backup 10.2, 10.3
Oracle Transportation Management
Oracle Tuxedo
Oracle Virtual Desktop Client [prod 9210]
Oracle Virtual Desktop Infrastructure [prod 8540]
Oracle ZFS Storage Appliance
PSFT People Tools (prod 5085 Robert Armstrong)
RUEI Real User Experience Insight
SAM-QFS
Scapp [prod ??] (Server Processor software for E6900/E4900/V1290 servers)
Secure Global Desktop
Solaris 11.1 and earlier
Sparc-OPL service processor(XCP) [prod 9845] (Server Processor software for M3000/M4000/M5000/M8000/M9000 servers)
Sun Ray
Sun Ray Operating Software [prod 8242?]
Sun System Firmware
Sun ZFS Storage Appliance Kit (AK) Software
Tape Library SL500, SL3000, SL8500
Tekelec HLR Router [prod 11047], versions 3.0, 3.1.
Tekelec Platform Management and Configuration 5.5.0_55.18.1, 5.0.0_50.18.1 (GA release)
Tekelec Policy Management 11.0.0 and 11.0.1
VM VirtualBox
Webgate 10g and 11g
Webtier "the old" 1.0.2.2 webtier (prod ID 1042/MODSSL) used by EBiz (new versions of Webtier don't use OpenSSL at all)
(2) Oracle products still under investigation, which may be vulnerable to CVE-2014-0160
Global Product Security is still investigating whether the following products are using versions of OpenSSL that were reported as vulnerable
to CVE-2014-0160. These products are:
ASC
CRMOD
Hyperion EPM
Java ME - Embedded
Java ME - JSRs and Options
Javacard
MySQL Connectors (MySQL Enterprise 5.6 libmysql-based only)
MySQL Cluster
MySQL Cluster Manager
MySQL Enterprise Monitor
MySQL Enterprise Server
Nimbula Director - product id 10773
OCWSC 7.0.1 -- 7.0 plus RP (Rolling Patch) 1. (OCWSC 7.0 GA without RP1 is not affected)
OnTrack Release
Oracle Communications Order and Service Management Product id 2270.
Oracle VM - they are checking to see if they use OpenSSL
RightNow CX Server
Virtual Tape Software
(3) Oracle products that are likely vulnerable to CVE-2014-0160 and have fixes currently available
Global Product Security has determined that the following products have used OpenSSL cryptographic libraries which have been reported as
vulnerable to CVE-2014-0160. Oracle has issued fixes for these products. Further mitigation instructions required to prevent the exploitation
of this vulnerability may also be provided at a later time.
Patch Availability Matrix (Affected Products / Patch Availability)
Oracle Linux 6: https://linux.oracle.com/cve/CVE-2014-0160.html and https://linux.oracle.com/errata/ELSA-2014-0376.html
Solaris 11.2 (Selected customers only): Contact Support
Oracle Mobile Security Suite (product ID 10913):
  1) Login to support.oracle.com.
  2) Select "Patches & Updates".
  3) Search for the appropriate patch by Bug Number:
     - For the patch on top of OMSS v2.5.x, search for Bug Number 18545175
     - For the patch on top of OMSS v3.0.x, search for Bug Number 18545252
  4) Download the appropriate patch(es).
  5) Follow the instructions in the readme.txt contained in the patch zip file.
Additional Products forthcoming
(4) Oracle products that are likely vulnerable to CVE-2014-0160 but for which no fixes are yet available
Global Product Security has determined that the following products have used OpenSSL cryptographic libraries, in at least one version of the
product, which have been reported as vulnerable to CVE-2014-0160.
Blitz Mobile
BlueKai
Communications ASAP
DataRaker
EM Cloud Control
EM Grid control
Java ME - Bluray and TV
Oracle Communication Application Session Controller
Oracle Communication Session Monitor
Oracle Communications Diameter Signaling Router 6.0
Oracle Communications INAM
Oracle Communications Interactive Session Recorder
Oracle Communications ip service activator
Oracle Communications Network Charging and Control
Oracle Communications Policy Management 11, 12 (not 9)
Primavera P6 Prof Project Mgmt
Tekelec Policy Management 11.1.0 and 11.0.1
Tekelec TPD 6.5.2-82.31.0
(5) Products That Do Not Include OpenSSL
These Oracle products do not include OpenSSL and are therefore not vulnerable to the OpenSSL vulnerability.
Autovue
Database
Java SE
JavaVM
Linux 5
Oracle Agile Engineering Data Management 1.0.1e (just uses encryption algorithms, not used for SSL/TLS Protocol)
Oracle Agile PLM
Oracle Banking Platform (OBP)
Oracle Communications Configuration management 7.2
Oracle ESSO
Oracle Identity Manager
Oracle iPlanet Web Proxy Server 4.0+
Oracle iPlanet Web Server 7.0+
Oracle Portal
Oracle VM (product 4455). Alexey Petrenko. Uses SSL. Not OpenSSL.
Oracle WebLogic Web Server Plug-In 1.0, 11g, 12c
PeopleSoft Products
Sun GlassFish Enterprise Server 2.1.x
Sun Java System Application Server 8.x
Sun Java System Web Proxy Server 3.6+, 4.0+
Sun Java System Web Server 7.0+
Sun ONE Web Server 6.1+
WebLogic Server
(6) Oracle Cloud and IT Systems
Communications in regards to these solutions will be handled in a separate document, or in accordance with existing security communication
practices in these business units.
Conclusion
Global Product Security will continue to follow up with the various product development teams within Oracle to monitor the creation of the
appropriate fixes, determine whether additional products may be affected, and whether updated mitigation instructions are required. This
note will be updated as fixes and further mitigation instructions become available.
Furthermore, Global Product Security will ensure that future releases of Oracle products do not use the affected OpenSSL libraries. Finally,
future Patchsets and Critical Patch Updates for affected Oracle products may include the necessary patches to remove this vulnerability.
Please note that the relevant contract between you and Oracle determines the legal terms and conditions applicable to the Oracle products you
have acquired. This information is provided on an AS-IS basis without warranty, is subject to change, and is confidential information under
the terms of your agreement with Oracle. It cannot be shared outside of your organization.