Oracle and OpenSSL ‘Heartbleed’ vulnerability

Earlier this week the OpenSSL Project as well US-CERT informed about a Security Vulnerability in OpenSSL. See OpenSSL Security Advisory or US-CERT Alert (TA14-098A) The vulnerability may affect Oracle Products as well, since some of them do use OpenSSL. So far Oracle did not provide dedicate information on it’s public Critical Patch Updates and Security Alerts web page. But there is a MOS Note 1645479.1 OpenSSL Security Bug-Heartbleed, which contains a list of affected products. It seems to get regularly updated. Nevertheless you have to open a service request to get information on possible workarounds or get a patch.

Fortunately not all products always use the latest versions. Thus, in Oracle Audit Vault and Database Firewall still OpenSSL 0.9.8 in use.

[support@melete ~]$ openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

References

Some links related to the OpenSSL Heartbleed issues.