Oracle Security Alert for CVE-2014-0160
Description
This Security Alert addresses CVE-2014-0160 (Heartbleed), a publicly disclosed vulnerability which affects multiple OpenSSL versions implemented by various vendors in their products. This vulnerability affects multiple Oracle products. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the confidentiality of systems that are running affected versions of OpenSSL. According to http://heartbleed.com, the compromised data may contain passwords, private keys, and other sensitive information. In some instances, this information could be used by a malicious attacker to log into systems using a stolen identity or decrypt private information that was sent months or years ago.
Due to the severity, public disclosure and the reported exploitation of CVE-2014-0160 "in the wild," Oracle strongly recommends that customers apply the fixes provided by this Security Alert as soon as they are released by Oracle.
Affected Products and Versions
Please refer to OpenSSL Security Bug - Heartbleed / CVE-2014-0160 for a list of Oracle products and versions that are affected by this vulnerability.
Note: The page OpenSSL Security Bug - Heartbleed / CVE-2014-0160 will be updated when new information becomes available.
Patch Availability
Patch availability information related to vulnerability CVE-2014-0160 can be found on the OpenSSL Security Bug - Heartbleed / CVE-2014-0160 page. Note that in some instances, the instructions on this page or references from this page may include important steps to take before and after the application of the relevant patch.
Supported Products and Versions
Patch availability information is provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers remain on actively supported versions to ensure that they continue to receive security fixes from Oracle.
Product releases that are not under Premier Support or Extended Support are not tested for the presence of the vulnerability addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by this vulnerability.
Products in Extended Support
Security Alert fixes are available to customers who have purchased Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to apply Security Alert fixes for products in the Extended Support Phase.
References
Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
Oracle Security Alert CVE-2014-0160 Affected Products and Patch Availability Document [ OpenSSL Security Bug - Heartbleed / CVE-2014-0160 ]
English text version of the risk matrix [ Oracle Technology Network ]
CVRF XML version of the risk matrix [ Oracle Technology Network ]
Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
Risk Matrix definitions [ Risk Matrix Definitions ]
Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
List of public vulnerabilities fixed in Critical Patch Updates and Security Alerts [ Oracle Technology Network ]
Software Error Correction Support Policy [ My Oracle Support Note 209768.1 ]
Modification History
Appendix - Third Party Components Risk Matrix
Third Party Components Risk Matrix Executive Summary
This Security Alert addresses the Heartbleed vulnerability in the OpenSSL third party component as it relates to Oracle products. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Third Party Components Risk Matrix
Notes:
This vulnerability affects a number of Oracle products that include the affected OpenSSL libraries. See OpenSSL Security Bug - Heartbleed / CVE-2014-0160 for the list of affected products and current patch availability information.