MarkLogic Corporation Information for VU#720951

OpenSSL TLS heartbeat extension read overflow discloses sensitive information

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Recently a serious security vulnerability was discovered in the OpenSSL cryptographic software library. MarkLogic application servers can be configured to use SSL, and MarkLogic uses OpenSSL to provide this capability. A patch to OpenSSL has been released to address this vulnerability, and MarkLogic has built patches for all impacted MarkLogic versions with OpenSSL 1.0.1g to incorporate this new fix.



Impacted Versions

The following versions of MarkLogic are impacted by this vulnerability:

o MarkLogic 5.0-5 through 5.0-6

o All versions of MarkLogic 6.0 (6.0-1 through 6.0-5)

o All versions of MarkLogic 7.0 (7.0-1 through 7.0-2.2), including the MarkLogic AMIs

MarkLogic versions prior to 5.0-5 use an earlier version of OpenSSL that does not have this vulnerability.



How to Patch

We recommend that customers who are using SSL patch their systems immediately. To do this:

1. Upgrade your cluster to the patch release, available at http://developer.marklogic.com/products.

Patch release versions are as follows:

o MarkLogic 5.0-6.1

o MarkLogic 6.0-5.1

o MarkLogic 7.0-2.3

2. Regenerate all SSL certificates for your cluster. This is necessary because the vulnerability is such that private keys for your certificates are potentially compromised. See "Configuring SSL on App Servers" in the documentation:

o MarkLogic 5 documentation: http://docs.marklogic.com/5.0/guide/admin/SSL#chapter

o MarkLogic 6 documentation: http://docs.marklogic.com/6.0/guide/admin/SSL#chapter

o MarkLogic 7 documentation: http://docs.marklogic.com/guide/admin/SSL#chapter

3. If you are using BASIC or Application Level Authentication over SSL, have all your users change their passwords after you've patched and deployed new SSL certificates. This includes both internal users in our security database, and anyone using external authentication (which requires BASIC authentication over SSL). This is necessary because the vulnerability may have resulted in password leaks.
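As an added illustration (example code, not MarkLogic's own tooling), the following Python script triages a host inventory against the version ranges stated in this advisory: the impacted ranges under "Impacted Versions", the three patch releases under "How to Patch", and the "prior to 5.0-5" unaffected boundary. It assumes MarkLogic version strings follow the major.minor-patch[.sub] form used throughout this advisory; versions not covered by the advisory (for example anything after the listed patch releases) are reported as "unknown" rather than guessed. The inventory is constructed sample data.

```python
"""Triage MarkLogic hosts against the Heartbleed (CVE-2014-0160) advisory ranges.

Added example, not MarkLogic's code. Version ranges are copied from the
vendor text above; anything outside them is reported as "unknown".
"""
import re

# Assumed version format: major.minor-patch[.sub], e.g. "7.0-2.2" or "5.0-5".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)(?:\.(\d+))?$")

# Inclusive impacted ranges from the advisory, as comparable tuples.
IMPACTED_RANGES = [
    ((5, 0, 5, 0), (5, 0, 6, 0)),  # MarkLogic 5.0-5 through 5.0-6
    ((6, 0, 1, 0), (6, 0, 5, 0)),  # MarkLogic 6.0-1 through 6.0-5
    ((7, 0, 1, 0), (7, 0, 2, 2)),  # MarkLogic 7.0-1 through 7.0-2.2 (incl. AMIs)
]

# Patch releases named in "How to Patch".
PATCHED = {(5, 0, 6, 1), (6, 0, 5, 1), (7, 0, 2, 3)}

# Releases before this use an older OpenSSL without the heartbeat bug.
FIRST_AFFECTED = (5, 0, 5, 0)


def parse_version(text):
    """Return a 4-tuple for a MarkLogic version string; raise ValueError otherwise."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised MarkLogic version: %r" % text)
    major, minor, patch, sub = m.groups()
    return (int(major), int(minor), int(patch), int(sub or 0))


def classify(text):
    """Classify one version as 'patched', 'vulnerable', 'unaffected' or 'unknown'."""
    v = parse_version(text)
    if v in PATCHED:
        return "patched"
    for low, high in IMPACTED_RANGES:
        if low <= v <= high:
            return "vulnerable"
    if v < FIRST_AFFECTED:
        return "unaffected"
    # Not listed in this advisory: do not assume either way.
    return "unknown"


def triage(inventory):
    """Map host -> status for an iterable of (host, version) pairs.

    Unparseable versions are reported as 'unknown' so a bad record never
    silently drops a host from the follow-up list.
    """
    result = {}
    for host, version in inventory:
        try:
            result[host] = classify(version)
        except ValueError:
            result[host] = "unknown"
    return result


def hosts_needing_action(inventory):
    """Hosts that must be upgraded, re-keyed and have passwords rotated (steps 1-3)."""
    return sorted(h for h, s in triage(inventory).items() if s == "vulnerable")


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ml-prod-01", "7.0-2.2"),   # impacted
    ("ml-prod-02", "7.0-2.3"),   # patch release
    ("ml-legacy-01", "5.0-4"),   # pre-5.0-5, older OpenSSL
    ("ml-qa-01", "6.0-3"),       # impacted
    ("ml-dev-01", "6.0-5.1"),    # patch release
    ("ml-future-01", "8.0-1"),   # not covered by this advisory
    ("ml-broken-01", "n/a"),     # bad inventory record
]

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print("%-14s %s" % (host, status))
    print("needs action:", hosts_needing_action(SAMPLE_INVENTORY))
```

Hosts reported as "vulnerable" need all three steps above (upgrade, regenerate certificates, rotate passwords), not just the upgrade; a host that is already on a patch release still needs steps 2 and 3 if it was exposed while running an impacted version.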



If you have any questions about how to patch, feel free to contact support@marklogic.com.

More information about the Heartbleed vulnerability can be found at http://heartbleed.com or https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160.

Vendor References

None

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.