Oracle E-Business Suite environments may or may not be vulnerable to the “Heartbleed” OpenSSL vulnerability (CVE-2014-0160), depending on the deployment architecture. Oracle has released guidance in Oracle Support Note ID 1645479.1 “OpenSSL Security Bug-Heartbleed” (support login required) unequivocally stating that Oracle E-Business Suite is not vulnerable. That statement covers the Oracle-supplied components only. Many Oracle E-Business Suite environments are architected so that SSL termination is not performed on the Oracle E-Business Suite application servers at all, but by load balancers, reverse proxies, or SSL accelerators in front of them, and those devices are outside the scope of the Oracle note. The Oracle E-Business Suite environment architecture must therefore be reviewed to determine where the SSL termination point is.
- If the SSL termination point is the Oracle E-Business Suite application server itself, using the bundled application server components (Oracle Application Server or Oracle Fusion Middleware), then the environment is not vulnerable: depending on the version of Oracle E-Business Suite, these components either use older OpenSSL releases that predate the bug (it was introduced in OpenSSL 1.0.1 and fixed in 1.0.1g) or do not use OpenSSL at all.
- If the SSL termination point is a load balancer, reverse proxy, or SSL accelerator, then the environment MAY BE VULNERABLE to the Heartbleed OpenSSL vulnerability. Several recommended and commonly deployed products in front of Oracle E-Business Suite, such as F5 BIG-IP and Apache httpd with mod_ssl, have affected versions (any build linked against OpenSSL 1.0.1 through 1.0.1f, or the 1.0.2 beta). Check the OpenSSL version on the terminating device, or test the termination endpoint directly with a heartbeat probe. If it was vulnerable, assume the server private key and any session data passing through it may have been exposed: patch, then reissue the certificate and invalidate active sessions.
For more information, please see Integrigy's in-depth security analysis of the Heartbleed vulnerability impact on Oracle E-Business Suite.
Attachment: Integrigy - Heartbleed (CVE-2014-0160) and Oracle E-Business Suite Impact v3.pdf (135.03 KB)