{"id":1673,"date":"2014-04-13T12:00:38","date_gmt":"2014-04-13T10:00:38","guid":{"rendered":"http:\/\/www.oradba.ch\/?p=1673"},"modified":"2014-04-16T07:54:58","modified_gmt":"2014-04-16T05:54:58","slug":"oracle-and-openssl-heartbleed-vulnerability","status":"publish","type":"post","link":"https:\/\/www.oradba.ch\/wordpress\/2014\/04\/oracle-and-openssl-heartbleed-vulnerability\/","title":{"rendered":"Oracle and OpenSSL &#8216;Heartbleed&#8217; vulnerability"},"content":{"rendered":"<p>Earlier this week the OpenSSL Project as well as US-CERT published information about a security vulnerability in OpenSSL. See the <a href=\"http:\/\/www.openssl.org\/news\/secadv_20140407.txt\" target=\"_blank\">OpenSSL Security Advisory<\/a> or US-CERT <a href=\"https:\/\/www.us-cert.gov\/ncas\/alerts\/TA14-098A\" target=\"_blank\">Alert (TA14-098A)<\/a>. The vulnerability may affect Oracle products as well, since some of them use OpenSSL. So far Oracle has not provided dedicated information on its public <a href=\"http:\/\/www.oracle.com\/technetwork\/topics\/security\/alerts-086861.html\" target=\"_blank\">Critical Patch Updates and Security Alerts<\/a> web page. But there is a MOS Note <a href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=1645479.1\" target=\"_blank\">1645479.1<\/a> <em>OpenSSL Security Bug-Heartbleed<\/em>, which contains a list of affected products. It seems to be updated regularly. Nevertheless, you have to open a service request to get information on possible workarounds or to get a patch.<\/p>\n<p>Fortunately, not all products use the latest versions. For example, Oracle Audit Vault and Database Firewall still uses OpenSSL 0.9.8. 
<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\">\n[support@melete ~]$ openssl version\nOpenSSL 0.9.8e-fips-rhel5 01 Jul 2008\n<\/pre>\n<h3>References<\/h3>\n<p>Some links related to the OpenSSL Heartbleed issue.<\/p>\n<ul>\n<li><i>OpenSSL Security Bug-Heartbleed <a href=\"https:\/\/support.oracle.com\/CSP\/main\/article?cmd=show&#038;type=NOT&#038;id=1645479.1\" target=\"_blank\">[1645479.1]<\/a><\/i><\/li>\n<li><i>Security Vulnerability FAQ for Oracle Database and Fusion Middleware Products <a href=\"https:\/\/support.oracle.com\/CSP\/main\/article?cmd=show&#038;type=NOT&#038;id=1074055.1\" target=\"_blank\">[1074055.1]<\/a><\/i><\/li>\n<li><a href=\"http:\/\/www.openssl.org\/news\/secadv_20140407.txt\" target=\"_blank\">OpenSSL Security Advisory<\/a><\/li>\n<li>US-CERT <a href=\"https:\/\/www.us-cert.gov\/ncas\/alerts\/TA14-098A\" target=\"_blank\">Alert (TA14-098A)<\/a><\/li>\n<li><a href=\"http:\/\/www.oracle.com\/technetwork\/topics\/security\/alerts-086861.html\" target=\"_blank\">Critical Patch Updates and Security Alerts<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Earlier this week the OpenSSL Project as well as US-CERT published information about a security vulnerability in OpenSSL. See the OpenSSL Security Advisory or US-CERT Alert (TA14-098A). The vulnerability may affect Oracle products as well, since some of them use OpenSSL. 
So far Oracle has not provided dedicated information on its public Critical Patch Updates and Security [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"Oracle and OpenSSL 'Heartbleed' vulnerability http:\/\/wp.me\/p1aErb-qZ #trivadis","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[83,85,11],"tags":[111],"class_list":["post-1673","post","type-post","status-publish","format-standard","hentry","category-12cr1","category-audit-vault-and-database-firewall","category-security","tag-tvdsecexpert"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p1aErb-qZ","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":1682,"url":"https:\/\/www.oradba.ch\/wordpress\/2014\/04\/update-oracle-and-openssl-heartbleed-vulnerability\/","url_meta":{"origin":1673,"position":0},"title":"Update: Oracle and OpenSSL &#8216;Heartbleed&#8217; vulnerability","author":"Stefan","date":"16. April 2014","format":false,"excerpt":"While writing a post about the new Critical Patch Advisory I've discovered, that Oracle made the Information about the OpenSSL Vulnerability publicly available. The information in MOS Note 1645479.1 has been moved to OpenSSL Security Bug - Heartbleed CVE-2014-0160. 
Until now it looks like that Oracle Databases are not affected\u2026","rel":"","context":"In &quot;11gR2&quot;","block_context":{"text":"11gR2","link":"https:\/\/www.oradba.ch\/wordpress\/category\/oracle-database\/11gr2\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1680,"url":"https:\/\/www.oradba.ch\/wordpress\/2014\/04\/oracle-released-cpu-psu-april-2013\/","url_meta":{"origin":1673,"position":1},"title":"Oracle released CPU \/ PSU April 2014","author":"Stefan","date":"16. April 2014","format":false,"excerpt":"As announced last week in my post Oracle CPU \/ PSU Pre-Release Announcement April 2014, Oracle has now released the Critical Patch Updates for April 2014. Overall this CPU contains 104 new security fixes across several Oracle products like Database Server, MySQL Server, Sun Product Suite, WebLogic Server etc. For\u2026","rel":"","context":"In &quot;11gR1&quot;","block_context":{"text":"11gR1","link":"https:\/\/www.oradba.ch\/wordpress\/category\/oracle-database\/11gr1\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":13925,"url":"https:\/\/www.oradba.ch\/wordpress\/2023\/09\/oracle-sqlnet-tls-configuration-simplified\/","url_meta":{"origin":1673,"position":2},"title":"Oracle SQLNet TLS configuration simplified","author":"Stefan","date":"12. September 2023","format":false,"excerpt":"Most security measures for Oracle databases are usually aimed at protecting and hardening the database itself. This includes secure configuration, implementation of the least privilege principle, reduction of the attack surface, encryption at REST, database audit and much more. 
Sometimes, however, it is forgotten that the database also communicates with\u2026","rel":"","context":"In &quot;Howto&quot;","block_context":{"text":"Howto","link":"https:\/\/www.oradba.ch\/wordpress\/category\/howto\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.oradba.ch\/wordpress\/wp-content\/uploads\/ca_list.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":1671,"url":"https:\/\/www.oradba.ch\/wordpress\/2014\/04\/oracle-cpu-psu-pre-release-announcement-april-2014\/","url_meta":{"origin":1673,"position":3},"title":"Oracle CPU \/ PSU Pre-Release Announcement April 2014","author":"Stefan","date":"11. April 2014","format":false,"excerpt":"Today Oracle has published the Pre-Release Announcement of the CPU Advisory for April 2014. This Critical Patch Update contains 103 new security vulnerability fixes for several Oracle products. There are only a few days since the publication of the vulnerability CVE-2014-0160 known as \"Heartbleed\". Therefore I assume, that this patch\u2026","rel":"","context":"In &quot;11gR1&quot;","block_context":{"text":"11gR1","link":"https:\/\/www.oradba.ch\/wordpress\/category\/oracle-database\/11gr1\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":291,"url":"https:\/\/www.oradba.ch\/wordpress\/2011\/01\/oracle-critical-patch-update-january-2011\/","url_meta":{"origin":1673,"position":4},"title":"Oracle Critical Patch Update January 2011","author":"Stefan","date":"23. January 2011","format":false,"excerpt":"Oracle released the January Critical Patch Update. 
Over all it includes 66 fixes, 7 out of them are just for Oracle Database Server (Database Server, Secure Backup, Audit Vault).","rel":"","context":"In &quot;Critical Patch Update&quot;","block_context":{"text":"Critical Patch Update","link":"https:\/\/www.oradba.ch\/wordpress\/category\/patches\/cpu\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1887,"url":"https:\/\/www.oradba.ch\/wordpress\/2014\/10\/oracle-software-appliances-and-bash-shellshock\/","url_meta":{"origin":1673,"position":5},"title":"Oracle Software Appliances and Bash Shellshock","author":"Stefan","date":"2. October 2014","format":false,"excerpt":"Late September a vulnerability in the bash Shell has been published. The vulnerability also known as shellshock, was classified as extremely critical. Anyway, in the meantime security patch has been released for the different operating systems and bash implementations. A bugfix is also available for Oracle Enterprise Linux, which is\u2026","rel":"","context":"In 
&quot;AVDF&quot;","block_context":{"text":"AVDF","link":"https:\/\/www.oradba.ch\/wordpress\/category\/audit\/avdf\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/posts\/1673","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/comments?post=1673"}],"version-history":[{"count":5,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/posts\/1673\/revisions"}],"predecessor-version":[{"id":1679,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/posts\/1673\/revisions\/1679"}],"wp:attachment":[{"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/media?parent=1673"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/categories?post=1673"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.oradba.ch\/wordpress\/wp-json\/wp\/v2\/tags?post=1673"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}