Thursday, April 17, 2014

OpenSSL Security Bug from Oracle's Perspective

In April 2014, a security bug came to light in the OpenSSL cryptographic software library.
The bug is named Heartbleed (tracked as CVE-2014-0160, the identifier used in Oracle's patch matrix below), and it makes it possible to steal sensitive information from applications that are accessed over SSL/TLS secure connections.
Information about this bug can be found at the following web site: http://heartbleed.com

Anyway, as our focus is on Oracle, it is good to know the affected and unaffected Oracle products in the first place, so I am sharing the affected and unaffected product lists supplied by Oracle.
Note that I am happy to say that EBS 11i and R12, which are my main focuses, seem not to be affected by this security bug. On the other hand, Oracle Linux 6 is affected, and that is why it has to be patched. GoldenGate is also still under investigation.

Reference: Oracle

Products not affected:

  • Advanced Lights Out Manager (ALOM) [Product ID 9843/ALOM/ALOM]
  • ALOM-CMT [Product ID 9846/SYSFW-ALL/ALOM-CMT]
  • Audit Vault [Product ID 1977,9749]
  • Brocade(McData) Fiber Channel Switches and Management Software [Product ID 9864]
  • Cisco MDS Fiber Channel Switches and Management Software [Product ID 9865]
  • E-Business Suite 11i
  • Enterprise Manager Cloud Control
  • Enterprise Manager Grid Control [Product ID 1370]
  • Enterprise Manager Grid Control Plug-ins and Connectors
  • Enterprise Manager Ops Center
  • Exadata [Product ID 2546]
  • Exalogic
  • FLEXCUBE Lending and Leasing 12.0, 12.1, 12.5 [Product ID 10484]
  • Hyperion BI
  • Hyperion Essbase [Product ID 4379]
  • ILOM [Product ID 9849]
  • JDE EnterpriseOne Tools [Product ID 4781]
  • MySQL Enterprise Backup [Product ID 4629]
  • NM2 IB switches [Product ID 10140]
  • NM2-36P InfiniBand switches [Product ID 10140]
  • Oracle Access Manager 10g and 11g Webgates [Product ID 5565]
  • Oracle Access Manager 10g Server [Product ID 5565]
  • Oracle Agile Engineering Data Management [Product ID 4436]
  • Oracle API Gateway 11.1.1 and 11.1.2 [Product ID 9195]
  • Oracle Business Intelligence Enterprise Edition [Product ID 2025]
  • Oracle Commerce Guided Search / Oracle Commerce Experience Manager [Product ID 9633/MDEX]
  • Oracle Communications ASAP [Product ID 2260]
  • Oracle Communications Billing and Revenue Management [Product ID 2136]
  • Oracle Communications Border Gateway
  • Oracle Communications Core Session Manager
  • Oracle Communications EAGLE Application Processor Query Server 15.0, 15.0.2 [Product ID 11117]
  • Oracle Communications EAGLE LNP Application Processor 10.0 [Product ID 11118]
  • Oracle Communications Enterprise Communications Broker
  • Oracle Communications Enterprise Session Border Controller
  • Oracle Communications IP Service Activator [Product ID 2261]
  • Oracle Communications Order and Service Management [Product ID 2270]
  • Oracle Communications Performance Intelligence Center 9.0.x [Product ID 11044]
  • Oracle Communications Policy Management 9.3, 9.4, 9.7, 9.8, 10.4, 11.0 [Product ID None yet]
  • Oracle Communications Security Gateway
  • Oracle Communications Service Broker Engineered System Edition [Product ID 9056]
  • Oracle Communications Session Router
  • Oracle Communications Session Tunneled Session Controller
  • Oracle Communications Session Tunneled Session Controller SDK
  • Oracle Communications Subscriber Data Management 9.1, 9.2 , 9.3 [Product ID None yet]
  • Oracle Communications Subscriber Profile Repository 9.0
  • Oracle Communications Subscriber-Aware Load Balancer
  • Oracle Communications Unified Session Manager
  • Oracle Database Appliance Software [Product ID 9435]
  • Oracle Database Firewall [Product ID 8958,9749]
  • Oracle DayBreak [Product ID 9696]
  • Oracle Eagle LNP Provision System 10.0.0
  • Oracle Endeca Server [Product ID 10217]
  • Oracle GlassFish Server 3.x.x [Product ID 8493]
  • Oracle Key Manager [Product ID 10052]
  • Oracle Linux 5 [Product ID 1309]
  • Oracle Real-time Scheduler [Product ID 2238]
  • Oracle Secure Backup 10.3, 10.4 [Product ID 1522]
  • Oracle Secure Global Desktop 4.x, 5.x [Product ID 8539]
  • Oracle Switch ES1-24 [Product ID 9889/OPUS24]
  • Oracle System Assistant [Product ID 10015]
  • Oracle Transportation Management 6.0, 6.1, 6.2 [Product ID 1991]
  • Oracle Tuxedo [Product ID 5433]
  • Oracle Virtual Desktop Infrastructure 3.3 to 3.5 [Product ID 8540]
  • Oracle VM [Product ID 4455]
  • Oracle VM VirtualBox 4.2, 4.3 [Product ID 8370]
  • Oracle WebLogic Web Server Plug-In 1.0 [Product ID 5242/PLUGIN]
  • Oracle ZFS Storage Software [Product ID 10026]
  • PeopleSoft Application Products including Campus Solutions [Product ID 5085]
  • Qlogic Fiber Channel Switches and Management Software [Product ID 9866]
  • Real User Experience Insight [Product ID 9572/COLL]
  • SAM-QFS [Product ID 10021]
  • Scapp [Product ID 9851]
  • Siebel CRM [Product ID 2295]
  • SMS [Product ID 9852]
  • Solaris 11.1 and before [Product ID 10006]
  • SPARC - OPL Service Processor (XCP) [Product ID 9845]
  • Sun Blade 6000 Ethernet Switched NEM 24P 10GE [Product ID 9889/OPUS-TOR]
  • Sun Crypto Accelerator 6000 [Product ID 9894]
  • Sun Network 10GE Switch 72p [Product ID 9889/OPUSC10NEM]
  • Sun Ray Operating Software 11.x [Product ID 9211]
  • Sun Ray Software 5.x [Product ID 8242]
  • Sun System Firmware [Product ID 9846]
  • Tape Library SL500, SL3000, SL8500 [Product ID 10101, 10100, 10102]
  • Tekelec HLR Router 3.0.0 , 3.1.0 [Product ID None yet]
  • Tekelec Platform Management and Configuration 5.0.0, 5.5.0 [Product ID None yet]
  • Webgate 10g and 11g
  • Webtier "the old" 1.0.2.2 webtier (E-Business Suite uses) [Product ID 1042/MODSSL]
Not certain: products which are still under investigation:

  • ATG Products
  • eGate Integrator 5.0.5 SRE
  • Enterprise Manager Base Platform [Product ID 1370]
  • Enterprise Manager Explorer
  • Enterprise Manager TDS
  • FLEXCUBE Connect [Product ID 9051]
  • Java CAPS 6.2 [Product ID 8528]
  • MySQL Connector/C++ [Product ID 8576/CONCPLS]
  • Nimbula Director [Product ID 10773]
  • OnTrack Release
  • Oracle GoldenGate
  • Oracle Service Bus [Product ID 5308]
  • Oracle SOA Suite [Product ID 1162]
  • Oracle Wallet Manager [Product ID 338,991/WMT]
  • SuperCluster [Product ID 10011]
Affected products which have fixes:

Patch Availability Matrix (affected product, followed by patch availability):

  • MySQL Enterprise Monitor [Product ID 8480]: Contact Support
  • MySQL Enterprise Server version 5.6 [Product ID 8476]: Customers can download version 5.6.18 to address CVE-2014-0160. The download instructions can be found at https://support.oracle.com/epmos/faces/DocumentDisplay?id=1300654.1
  • Oracle Communications Session Monitor Suite 3.3.40, 3.3.50 [Product ID 10761]: Patchset available. Contact Support. 3.3.40.2.1 (available as of April 11th, 2014). 3.3.50.0.0 planned.
  • Oracle Linux 6: https://linux.oracle.com/cve/CVE-2014-0160.html and https://linux.oracle.com/errata/ELSA-2014-0376.html. Note that Oracle Linux 6 ships a patched version of OpenSSL 1.0.1e on the Unbreakable Linux Network and public-yum.oracle.com. Customers are strongly encouraged to upgrade OpenSSL on Oracle Linux 6 to the latest available release.
  • Oracle Mobile Security Suite [Product ID 10913]:
    1. Login to support.oracle.com
    2. Select "Patches & Updates"
    3. Search for the appropriate patch by Bug Number
       - For the patch on top of OMSS v2.5.x, search for Bug Number 18545175
       - For the patch on top of OMSS v3.0.x, search for Bug Number 18545252
    4. Download the appropriate patch(es)
    5. Follow the instructions in the readme.txt contained in the patch zip file
  • Solaris 11.2 (Selected Customers Only) [Product ID 10026]: Contact Support
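Because Oracle Linux 6 backports the fix into a package that still reports itself as OpenSSL 1.0.1e, `openssl version` alone cannot tell you whether a host has been patched. The following script is an added example (not from this blog post and not Oracle's own tooling) that checks the installed package's RPM changelog for the CVE identifier instead. It assumes that the fixed package's changelog names CVE-2014-0160, as Red Hat-style backport builds normally do; the sample changelog text below is constructed for offline use and is not real Oracle output.

```shell
#!/bin/sh
# Added example: verify the Heartbleed fix on an Oracle Linux 6 host by
# inspecting the openssl RPM changelog rather than the version string.
# Assumption: the patched package's changelog mentions CVE-2014-0160.

# Reads changelog text on stdin; prints "fixed" if CVE-2014-0160 is named,
# otherwise "unfixed". Exit status is always 0 so callers compare the output.
heartbleed_changelog_status() {
    if grep -q 'CVE-2014-0160'; then
        echo fixed
    else
        echo unfixed
    fi
}

# Live check for a real host (run as any user; rpm is present on Oracle Linux):
#   rpm -q --changelog openssl | heartbleed_changelog_status
check_installed_openssl() {
    rpm -q --changelog openssl 2>/dev/null | heartbleed_changelog_status
}

# Constructed sample changelog entries (placeholders, not real Oracle data).
SAMPLE_FIXED='* Mon Apr 07 2014 packager <packager@example.invalid> 1.0.1e-EXAMPLE.2
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension'
SAMPLE_UNFIXED='* Tue Jan 07 2014 packager <packager@example.invalid> 1.0.1e-EXAMPLE.1
- rebuild with updated tests'

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_FIXED" | heartbleed_changelog_status     # prints "fixed"
printf '%s\n' "$SAMPLE_UNFIXED" | heartbleed_changelog_status   # prints "unfixed"
```

On a real host, pair the changelog check with a restart of every service that loaded the old library (web servers, mail servers, VPN daemons), since an upgraded package on disk does not fix processes still running the vulnerable copy in memory.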


Affected products which have no fixes:

  • BlueKai
  • Java ME - JSRs and Optional Packages
  • Java ME - Mobile and Wireless
  • MySQL Connector/C [Product ID 8576/CONC]
  • MySQL Connector/ODBC [Product ID 8576/CONODBC]
  • MySQL Workbench [Product ID 4627]
  • Oracle Communications Internet Name and Address Management [Product ID 2262]
  • Oracle Communications Application Session Controller 3.7.0m2p0 [Product ID 10769]
  • Oracle Communications Interactive Session Recorder 4.x, 5.0, 5.1 [Product ID 10765]
  • Oracle Communications Network Charging and Control [Product ID 4623]
  • Oracle Communications Policy Management 11.1 [Product ID None yet]
  • Oracle Communications Session Delivery Management Suite NNC 7.3 [Product ID None yet]
  • Oracle Communications WebRTC Session Controller/Director WSC 7.0.1 [Product ID 10811]
  • Primavera P6 Professional Project Management [Product ID 5580]

Products which don't include OpenSSL:

  • Auto Service Request [Product ID 9042]
  • E-Business Suite R12
  • FLEXCUBE Messaging Hub [Product ID 9102]
  • FLEXCUBE Remit [Product ID 9097]
  • Hyperion EPM
  • Java ME - Bluray and TV [Product ID 9319]
  • Java ME - Embedded [Product ID 9326]
  • Java ME - Javacard [Product ID 9328]
  • Java SE [Product ID 856]
  • JavaVM
  • MySQL Cluster [Product ID 8479]
  • MySQL Cluster Manager [Product ID 8479/CLSTMGR]
  • MySQL Community Server version 5.6 [Product ID 6850]
  • MySQL Connector/Java [Product ID 8576/CONJ]
  • MySQL Connector/NET [Product ID 8576/CONNET]
  • MySQL Connector/PHP (mysqlnd) [Product ID 8576/CONMYND]
  • MySQL Connector/Python [Product ID 8576/CONPYTHN]
  • MySQL Server (all licenses, versions 5.5 and earlier) [Product ID 8478]
  • MySQL Utilities [Product ID 4627/WBUTILS]
  • OFSS FLEXCUBE Electronic Bill Presentment and Payment [Product ID 9495]
  • Oracle Access Manager 11g Server
  • Oracle Access Portal [Product ID 10878]
  • Oracle Adaptive Access Manager 11g Server [Product ID 4419]
  • Oracle Agile Product Lifecycle Management [Product ID 4461]
  • Oracle Application Express (formerly Oracle HTML DB) [Product ID 1348]
  • Oracle Application REST Data Services (formerly Oracle APEX Listener) [Product ID 9456]
  • Oracle Autovue
  • Oracle Banking Platform [Product ID 9178]
  • Oracle Business Intelligence Discoverer [Product ID 964]
  • Oracle CODASYL DBMS [Product ID 624]
  • Oracle Communications Configuration Management 7.2 [Product ID 2268]
  • Oracle Communications Eagle STP 44.0.x, 45.0.x
  • Oracle Communications Elastic Charging Engine [Product ID 9742]
  • Oracle Communications Offline Mediation Controller [Product ID 2269]
  • Oracle Communications Pricing Design Center [Product ID 9437]
  • Oracle Complex Maintenance, Repair and Overhaul [Product ID 1184]
  • Oracle Database [Product ID 5]
  • Oracle Depot Repair [Product ID 516]
  • Oracle Directory Server Enterprise Edition [Product ID 8512]
  • Oracle Documaker [Product ID 5477]
  • Oracle Enterprise Limits and Collateral
  • Oracle Enterprise Single Sign-On Suite [Product ID 2074]
  • Oracle Financial Service Lending and Leasing [Product ID 10484]
  • Oracle FLEXCUBE Core Banking [Product ID 9101]
  • Oracle FLEXCUBE Direct Banking [Product ID 9111]
  • Oracle FLEXCUBE Investment Services [Product ID 9099]
  • Oracle FLEXCUBE Private Banking [Product ID 9110]
  • Oracle FLEXCUBE Universal Banking [Product ID 9052]
  • Oracle GlassFish Communications Server 2.x [Product ID 8513]
  • Oracle Health Sciences InForm Adapter [Product ID 9637]
  • Oracle Health Sciences InForm and Oracle Siebel Clinical Integration Pack for Subject and Status Information [Product ID 9601]
  • Oracle Health Sciences InForm CRF Submit [Product ID 9641]
  • Oracle Health Sciences InForm Publisher [Product ID 9638]
  • Oracle HTTP Server [Product ID 1042]
  • Oracle Identity Analytics [Product ID 8522]
  • Oracle Identity Federation 11g [Product ID 1741]
  • Oracle Identity Manager [Product ID 1980]
  • Oracle Internet Directory [Product ID 355]
  • Oracle iPlanet Web Proxy Server 4.0 [Product ID 8542]
  • Oracle iPlanet Web Server 7.0 [Product ID 8543]
  • Oracle Knowledge [Product ID 9571]
  • Oracle Mobile and Social [Product ID 9146]
  • Oracle Pedigree and Serialization Manager [Product ID 4674]
  • Oracle Portal [Product ID 96]
  • Oracle Rdb Server on OpenVMS [Product ID 623]
  • Oracle Security Token Service 11g [Product ID 5744]
  • Oracle Sun OpenSSO 8.x Server [Product ID 8520]
  • Oracle Trace File Analyzer
  • Oracle Traffic Director [Product ID 9276]
  • Oracle Transportation Management 6.3 [Product ID 1991]
  • Oracle Unified Directory [Product ID 9118]
  • Oracle Virtual Desktop Client 3.x [Product ID 8541]
  • Oracle Waveset [Product ID 8518]
  • Oracle Web Cache [Product ID 1059]
  • Oracle WebLogic Server [Product ID 5242]
  • Oracle WebLogic Web Server Plug-In 1.1+, 11g, 12c [Product ID 5242/PLUGIN_NZ]
  • Retail Integration Bus [Product ID 1807]
  • StorageTek Automated Cartridge System Library Software [Product ID 10088]
  • Sun GlassFish Enterprise Server 2.x
  • Sun Java System Application Server 7.x, 8.x [Product ID 6802]
  • Sun Java System Web Proxy Server 3.6+, 4.0+
  • Sun Java System Web Server 7.0 [Product ID 7276]
  • Sun ONE Web Server 6.1 [Product ID 8543]
  • Sun Storage Common Array Manager (CAM) [Product ID 10024]
Oracle Cloud Services, which are not affected:

  • Oracle Public Cloud
    • RightNow
    • Big Machines
    • Eloqua
    • Responsys
  • Oracle Managed Cloud Services
    • All Services
  • Oracle Cloud for Industry
    • Argus Safety, Insight, Analytics
    • Central Coding
    • Central Designer
    • ClearTrial
    • CTMS
    • Empirica Suite
    • Healthcare Analytic Suite
    • InForm
    • IRT
    • LabPas
    • Outcome Logix
    • Insurance Data Exchange
    • Enterprise Track (Instantis)
    • Skire Unifier
    • Primavera P6
    • Oracle Utilities Cloud Analytics (previously DataRaker)
    • Billing and Revenue Management
    • Oracle Financial Services Lending and Leasing
