As the dominoes continue to fall around Heartbleed, Oracle is doing its best to keep users apprised of its ongoing efforts to patch software that may be vulnerable to the OpenSSL vulnerability.
In a document updated early this morning Oracle gave its customers five separate updates regarding:
- Products that were never vulnerable to Heartbleed
- Products still under investigation that may be vulnerable to Heartbleed
- Products that are “likely” vulnerable to Heartbleed that have fixes
- Products that are “likely” vulnerable to Heartbleed that have no current fixes
- Products that do not use OpenSSL and
- An update regarding Oracle Cloud
Most of the updates given by Oracle refer to Heartbleed not by its buzzy nickname but by its official Common Vulnerabilities and Exposures number, CVE-2014-0160.
More than 100 products – managers, gateways, switches and systems, etc. – were ruled safe by the company, mostly because they don’t run a version of OpenSSL that was ruled vulnerable to the CVE-2014-0160 instability.
Elsewhere developers at the company are reportedly still looking into whether or not 10 different products, notably those that use the company’s Art Technology Group and Corente technology, are vulnerable to Heartbleed. Information for those products is still forthcoming.
Fourteen products, mostly those that rely on MySQL, Oracle’s Big Data Appliance and its Mobile Security Suite have been patched so far. The company is posting as soon as each product is remedied and then linking to their respective support sections.
Conversely, 11 products, including some builds of Java ME and five iterations of its Communications suite, are branded as “likely” vulnerable but no fixes are yet available.
Lastly, the company claims its still unsure of how Heartbleed affects products that rely on its Cloud computing technology but that it’s “investigating the implications of this issue across the Oracle stack.” The bulk of cloud service products, including its Public Cloud, Managed Cloud Services and Cloud for Industry, are free of vulnerabilities but other services have been deemed “under investigation.”
Oracle points out that the document should be considered as fluid and will continue to be updated as fixes and further mitigation instructions become available. Until then the patch and vulnerability information should be taken on an “AS-IS” basis.
End users who deploy a variety of Oracle products on their networks have no doubt had their hands full with patches as of late. The Heartbleed update comes just a few days after the company’s regularly scheduled quarterly Critical Patch Update. That update resolved more than 100 security issues across Java SE, along with the company’s Database and Fusion Middleware.