Oracle Security Alert for CVE-2014-0160

Description

This Security Alert addresses CVE-2014-0160 (‘Heartbleed’), a publicly disclosed vulnerability which affects multiple OpenSSL versions implemented by various vendors in their products. This vulnerability affects multiple Oracle products. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the confidentiality of systems that are running affected versions of OpenSSL. According to http://heartbleed.com, the compromised data may contain passwords, private keys, and other sensitive information. In some instances, this information could be used by a malicious attacker to log into systems using a stolen identity or decrypt private information that was sent months or years ago.

Due to the severity, public disclosure and the reported exploitation of CVE-2014-0160 “in the wild,” Oracle strongly recommends that customers apply the fixes provided by this Security Alert as soon as they are released by Oracle.

Affected Products and Versions

Please refer to OpenSSL Security Bug – Heartbleed / CVE-2014-0160 for a list of Oracle products and versions that are affected by this vulnerability.

Note: The page OpenSSL Security Bug – Heartbleed / CVE-2014-0160 will be updated when new information becomes available.

Patch Availability

Patch availability information related to vulnerability CVE-2014-0160 can be found on the OpenSSL Security Bug – Heartbleed / CVE-2014-0160 page. Note that in some instances, the instructions on this page or references from this page may include important steps to take before and after the application of the relevant patch.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of the vulnerability addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by this vulnerability.

Products in Extended Support

Security Alert fixes are available to customers who have purchased Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to apply Security Alert fixes for products in the Extended Support Phase.

References

Modification History

Date            Comments
2014-April-18   Rev 1. Initial Release

Appendix – Third Party Components Risk Matrix

Third Party Components Risk Matrix Executive Summary

This Security Alert addresses the Heartbleed vulnerability in the OpenSSL third party component as it relates to Oracle products. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.

Third Party Components Risk Matrix

CVE#:                             CVE-2014-0160
Component:                        OpenSSL Library
Protocol:                         SSL/TLS
Sub-component:                    Heartbeat Extension
Remote Exploit without Auth.?:    Yes
CVSS Version 2.0 Risk (see Risk Matrix Definitions):
  Base Score:                     5.0
  Access Vector:                  Network
  Access Complexity:              Low
  Authentication:                 None
  Confidentiality:                Partial
  Integrity:                      None
  Availability:                   None
Supported Versions Affected:      1.0.1 – 1.0.1f
Notes:                            See Note 1

Security Alerts

Oracle will issue Security Alerts for vulnerability fixes deemed too critical to wait for distribution in the next Critical Patch Update. The Security Alerts released since 2005 are listed in the following table. Click here for Security Alerts released before 2006. Security Advisory Notifications prior to July 2008 for BEA products are located here. Security Sun Alert notifications prior to April 2010 for Sun products are located here.

Security Alert Number And Description    Latest Version/Date
Alert for CVE-2014-0160                  Rev 1, 18 April 2014
Alert for CVE-2013-1493                  Rev 1, 04 March 2013
Alert for CVE-2013-0422                  Rev 1, 13 January 2013
Alert for CVE-2012-4681                  Rev 1, 30 August 2012
Alert for CVE-2012-3132                  Rev 1, 10 August 2012
Alert for CVE-2012-1675                  Rev 1, 30 April 2012
Alert for CVE-2011-5035                  Rev 2, 29 March 2012
Alert for CVE-2011-3192                  Rev 1, 15 September 2011
Alert for CVE-2010-4476                  Rev 1, 08 February 2011
Alert for CVE-2010-0886                  Rev 2, 18 May 2010
Alert for CVE-2010-0073                  Rev 1, 04 February 2010
Alert for CVE-2008-3257                  Rev 3, 05 March 2009

Third Party Bulletin

Oracle has no control over the timing and content of security fixes created by third parties. Consequently, the Third Party Bulletin, rather than Oracle Critical Patch Update Advisories and Security Alerts, has been used by Oracle as a mechanism to announce security fixes for third party software distributed with various Oracle Sun products.

The Third Party Patch Map lists security patches announced for third party software organized by Oracle products.

Public Vulnerabilities Fixed

The Map of Public Vulnerability to Advisory/Alert indicates which public vulnerabilities are fixed in each Critical Patch Update and Security Alert.

Notes:

  1. This vulnerability affects a number of Oracle products that include the affected OpenSSL libraries. See OpenSSL Security Bug – Heartbleed / CVE-2014-0160 for the list of affected products and current patch availability information.
