The Heartbleed fallout continues, but enterprise customers can draw some comfort from the fact that the companies that keep them in software are clearly as concerned as they are. For example, Oracle Corp. has announced mostly good, some bad and a bit of ugly news when it comes to security holes in its products.
The company has updated its user community on the security status of its long list of software products.
The latest version, issued Sunday in a post on the Oracle website, lists:
- products that never used OpenSSL versions reported to be vulnerable;
- products still under investigation, which may be vulnerable;
- products that are likely vulnerable but have fixes available;
- products that are likely vulnerable but for which no fixes are currently available;
- products that do not include OpenSSL in their default distribution; and
- the status of Oracle Cloud, My Oracle Support and IT Systems.
Oracle doesn’t use the name “Heartbleed” much, instead referring to the bug by its technical moniker CVE-2014-0160. The company says more than 100 of its products are secure as they did not employ the specific OpenSSL version affected by the flaw, or didn’t even use OpenSSL at all. Oracle says it’s still checking out about 20 products for vulnerabilities, including MySQL Connector/C++, Oracle SOA Suite and Nimbula Director.
Oracle has fixes for 14 products that contain vulnerabilities. These include:
- MySQL Connector/C 6.1.0-6.1.3;
- MySQL Connector/ODBC 5.1.13, 5.2.5-5.2.6, 5.3.2;
- MySQL Enterprise Backup 3.10.0;
- MySQL Enterprise Monitor 2.3.13-2.3.15, 3.0.0-3.0.8;
- MySQL Enterprise Server 5.6.11-5.6.17;
- MySQL Workbench 6.1.4 and earlier;
- Oracle Big Data Appliance (includes Oracle Linux 6);
- Oracle Communications Interactive Session Recorder 4.0.0 and later;
- Oracle Communications Network Charging and Control 5.0.1;
- Oracle Communications Session Monitor Suite 3.3.40, 3.3.5;
- Oracle Linux 6;
- Oracle Mobile Security Suite;
- Oracle Virtual Compute Appliance Software; and
- some implementations of Solaris 11.2.
Another 14 products are likely to be vulnerable, but at the time of writing Oracle [Nasdaq: ORCL] didn’t have fixes for them yet. These included Java ME — JRSs and Optional Package; Java ME — Mobile and Wireless; Oracle Communications ASAP; Primavera P6 Professional Project Management; Tape OEM Drive for HP LT-06; Oracle Communications Session Delivery Management Suite NNC 7.3; Oracle Explorer; and others.
As for the Oracle Cloud, the company says in its latest post that it has assessed that the infrastructure, systems and applications that it uses are not at risk from this vulnerability. It has also used automated and manual tests which back up this belief. However, it adds that customers need to contact suppliers of software and services not managed by Oracle Cloud.