Oracle E-Business Suite environments may or may not be vulnerable to the “Heartbleed” OpenSSL vulnerability (CVE-2014-0160) depending on the deployment architecture.  Oracle has released guidance in Oracle Support Note ID 1645479.1 “OpenSSL Security Bug-Heartbleed” (support login required) unequivocally stating that Oracle E-Business Suite is not vulnerable.  However, many Oracle E-Business Suite environments are architected so that SSL termination is not performed on the Oracle E-Business Suite application servers but rather by load balancers, reverse proxies, or SSL accelerators.  The Oracle E-Business Suite environment architecture must be reviewed to determine where the SSL termination point is.

  • If the SSL termination point is the Oracle E-Business Suite application server using the bundled application server components (Oracle Application Server or Oracle Fusion Middleware), then the Oracle E-Business Suite environment is not vulnerable: depending on the version of Oracle E-Business Suite, either an older, non-vulnerable version of OpenSSL or non-OpenSSL components are used.
  • If the SSL termination point is a load balancer, reverse proxy, or SSL accelerator, then the environment MAY BE VULNERABLE to the Heartbleed OpenSSL vulnerability.  There are multiple recommended and often deployed products, such as F5 Big-IP and Apache with OpenSSL, which are vulnerable.
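The two cases above amount to a decision tree, shown here as an added triage helper (example code, not Integrigy's or Oracle's): an EBS tier terminating SSL with the bundled components is recorded as not vulnerable, and any other termination point is judged by the OpenSSL version it runs, using the public CVE-2014-0160 ranges (1.0.1 through 1.0.1f, and 1.0.2-beta1). Host names and versions in the inventory are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Termination roles the advisory names outside the EBS application tier.
EXTERNAL_TERMINATORS = {"load balancer", "reverse proxy", "ssl accelerator"}

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")


def openssl_version_affected(version: str) -> bool:
    """True if the version string falls in the CVE-2014-0160 range.

    1.0.1 .. 1.0.1f are affected (fixed in 1.0.1g); 1.0.2-beta1 is affected
    (fixed in beta2); 0.9.8 and 1.0.0 never had the TLS heartbeat code.
    Caveat: distributions backport the fix without bumping the version
    (e.g. a Debian "1.0.1e-2+deb7uN" build), so a match means "verify the
    build", not "confirmed vulnerable".
    """
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch, letter, beta = m.groups()
    base = (int(major), int(minor), int(patch))
    if base == (1, 0, 1):
        return letter <= "f"      # "" (plain 1.0.1) through "f"
    if base == (1, 0, 2):
        return beta == "1"
    return False


@dataclass
class TerminationPoint:
    host: str
    role: str                              # "ebs application server" or an EXTERNAL_TERMINATORS entry
    openssl_version: Optional[str] = None  # None for the bundled Oracle components


def triage(tp: TerminationPoint) -> str:
    """Apply the advisory's decision tree to one SSL termination point."""
    role = tp.role.lower()
    if role == "ebs application server":
        return "not vulnerable (bundled Oracle Application Server / Fusion Middleware)"
    if role in EXTERNAL_TERMINATORS:
        if tp.openssl_version is None:
            return "unknown: determine the OpenSSL version on the terminator"
        if openssl_version_affected(tp.openssl_version):
            return "MAY BE VULNERABLE: patch, or confirm a vendor backport"
        return "not vulnerable by version"
    return f"unknown role {tp.role!r}: review the architecture"


def triage_inventory(inventory) -> dict:
    return {tp.host: triage(tp) for tp in inventory}


SAMPLE_INVENTORY = [  # constructed hosts, not real systems
    TerminationPoint("ebs-web01.example", "ebs application server"),
    TerminationPoint("lb01.example", "load balancer", "1.0.1e"),
    TerminationPoint("proxy01.example", "reverse proxy", "1.0.1g"),
    TerminationPoint("accel01.example", "ssl accelerator", "1.0.2-beta1"),
]

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:20} {verdict}")
```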

For more information, please see Integrigy's in-depth security analysis of the Heartbleed vulnerability impact on Oracle E-Business Suite.
