Oracle updates users on Heartbleed progress

The Heartbleed fallout continues, but enterprise customers can draw some comfort from the fact that the companies that keep them in software are clearly as concerned as they are. For example, Oracle Corp. has announced mostly good, some bad and a bit of ugly news when it comes to security holes in its products.

The company has updated its user community on the security status of its long list of software products.

The latest version, issued Sunday in a post on the Oracle web site, lists:

  • products that never used OpenSSL versions reported to be vulnerable;
  • products still under investigation, which may be vulnerable;
  • products that are likely vulnerable but have fixes available;
  • products that are likely vulnerable but for which no fixes are currently available;
  • products that do not include OpenSSL in their default distribution; and
  • the status of Oracle Cloud, My Oracle Support and IT Systems.

Oracle doesn’t use the name “Heartbleed” much, instead referring to the bug by its technical moniker CVE-2014-0160. The company says more than 100 of its products are secure as they did not employ the specific OpenSSL version affected by the flaw, or didn’t even use OpenSSL at all. Oracle says it’s still checking out about 20 products for vulnerabilities, including MySQL Connector/C++, Oracle SOA Suite and Nimbula Director.

Oracle has fixes for 14 products that contain vulnerabilities. These include:

  • MySQL Connector/C 6.1.0-6.1.3;
  • MySQL Connector/ODBC 5.1.13, 5.2.5-5.2.6, 5.3.2;
  • MySQL Enterprise Backup 3.10.0;
  • MySQL Enterprise Monitor 2.3.13-2.3.15, 3.0.0-3.0.8;
  • MySQL Enterprise Server 5.6.11-5.6.17;
  • MySQL Workbench 6.1.4 and earlier;
  • Oracle Big Data Appliance (includes Oracle Linux 6);
  • Oracle Communications Interactive Session Recorder 4.0.0 and later;
  • Oracle Communications Network Charging and Control 5.0.1;
  • Oracle Communications Session Monitor Suite 3.3.40, 3.3.5;
  • Oracle Linux 6;
  • Oracle Mobile Security Suite;
  • Oracle Virtual Compute Appliance Software; and
  • some implementations of Solaris 11.2.

Another 14 products are likely to be vulnerable, but at the time of writing Oracle [Nasdaq: ORCL] didn’t have fixes for them yet. These included Java ME — JRSs and Optional Package; Java ME — Mobile and Wireless; Oracle Communications ASAP; Primavera P6 Professional Project Management; Tape OEM Drive for HP LT-06; Oracle Communications Session Delivery Management Suite NNC 7.3; Oracle Explorer; and others.

As for the Oracle Cloud, the company says in its latest post that it has assessed that the infrastructure, systems and applications that it uses are not at risk from this vulnerability. It has also used automated and manual tests, which back up this belief. However, it adds that customers need to contact suppliers of software and services not managed by Oracle Cloud.

Andrew Brooks
Andrew Brooks is managing editor of IT World Canada. He has been a technology journalist and editor for 20 years, including stints at Technology in Government, Computing Canada and other publications.
