MarkLogic Corporation Information for VU#720951

OpenSSL TLS heartbeat extension read overflow discloses sensitive information

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Recently a serious security vulnerability was discovered in the OpenSSL cryptographic software library. MarkLogic application servers can be configured to use SSL, and MarkLogic uses OpenSSL to provide this capability. A patch to OpenSSL has been released to address this vulnerability, and MarkLogic has built patches for all impacted MarkLogic versions with OpenSSL 1.0.1g to incorporate this new fix.

Impacted Versions

The following versions of MarkLogic are impacted by this vulnerability:

MarkLogic 5.0-5 through 5.0-6

All versions of MarkLogic 6.0 (6.0-1 through 6.0-5)

All versions of MarkLogic 7.0 (7.0-1 through 7.0-2.2), including the MarkLogic AMIs

MarkLogic versions prior to 5.0-5 use an earlier version of OpenSSL that does not have this

How to Patch

We recommend that customers who are using SSL patch their systems immediately. To do this:

1. Upgrade your cluster to the patch release, available at

Patch release versions are as follows:

o MarkLogic 5.0-6.1

o MarkLogic 6.0-5.1

o MarkLogic 7.0-2.3

2. Regenerate all SSL certificates for your cluster. This is necessary because the vulnerability is such that private keys for your certificates are potentially compromised. See “Configuring SSL on App Servers” in the documentation:

o MarkLogic 5 documentation:

o MarkLogic 6 documentation:

o MarkLogic 7 documentation:

3. If you are using BASIC or Application Level Authentication over SSL, have all your users change their passwords after you've patched and deployed new SSL certificates. This includes both internal users in our security database, and anyone using external authentication (which requires BASIC authentication over SSL). This is necessary because the vulnerability may have resulted in password leaks.
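The impacted ranges and patch releases listed above lend themselves to a fleet triage check. The following is an added example written for this page, not MarkLogic or CERT/CC code: it parses MarkLogic version strings of the form MAJOR.MINOR-PATCH[.SUBPATCH], classifies each host against the advisory's ranges, and lists the follow-up steps (upgrade, certificate regeneration, password reset) for hosts that need them. The sample inventory and hostnames are constructed, and the `ssl_enabled` flag is an assumed inventory field, since the advisory's certificate and password steps concern app servers that actually use SSL.

```python
import re

# Added example, not MarkLogic or CERT/CC code. It encodes the version ranges the
# advisory lists as impacted and the patch release that supersedes each line, so a
# fleet inventory can be triaged offline. MarkLogic version strings read
# MAJOR.MINOR-PATCH[.SUBPATCH], e.g. "7.0-2.2" -> (7, 0, 2, 2).
IMPACTED_RANGES = {
    5: ("5.0-5", "5.0-6"),    # 5.0-5 through 5.0-6
    6: ("6.0-1", "6.0-5"),    # all 6.0 releases, 6.0-1 through 6.0-5
    7: ("7.0-1", "7.0-2.2"),  # all 7.0 releases, 7.0-1 through 7.0-2.2
}
PATCH_RELEASES = {5: "5.0-6.1", 6: "6.0-5.1", 7: "7.0-2.3"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Turn 'MAJOR.MINOR-PATCH[.SUB]' into a comparable tuple; SUB defaults to 0."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised MarkLogic version string: {text!r}")
    major, minor, patch, sub = match.groups()
    return (int(major), int(minor), int(patch), int(sub or 0))


def assess(version_text):
    """Classify one version against the advisory.

    Returns (status, patch_release). status is one of 'impacted', 'patched',
    'not-impacted' (older OpenSSL, per the advisory), 'not-listed' (a major line
    the advisory does not cover) or 'unknown' (between the last impacted build
    and the patch release). patch_release is None when no fix applies.
    """
    version = parse_version(version_text)
    major = version[0]
    if major not in IMPACTED_RANGES:
        # The advisory covers the 5.0, 6.0 and 7.0 lines only.
        return ("not-listed", None)
    low, high = (parse_version(v) for v in IMPACTED_RANGES[major])
    fixed = parse_version(PATCH_RELEASES[major])
    if version < low:
        # Advisory: releases before 5.0-5 ship an earlier OpenSSL without this defect.
        return ("not-impacted", None)
    if version <= high:
        return ("impacted", PATCH_RELEASES[major])
    if version >= fixed:
        return ("patched", PATCH_RELEASES[major])
    return ("unknown", PATCH_RELEASES[major])


def triage(inventory):
    """inventory: iterable of (host, version, ssl_enabled) -> list of (host, status, actions).

    Actions mirror the advisory's three steps: upgrade, regenerate SSL certificates,
    and reset passwords used with BASIC or application-level authentication over
    SSL. Certificate and password rotation is only listed where SSL is configured,
    because that is the exposure the advisory describes.
    """
    results = []
    for host, version, ssl_enabled in inventory:
        status, release = assess(version)
        actions = []
        if status == "impacted":
            actions.append(f"upgrade to {release}")
            if ssl_enabled:
                actions.append("regenerate all SSL certificates")
                actions.append("reset passwords for BASIC / application-level auth over SSL")
        results.append((host, status, tuple(actions)))
    return results


# Constructed sample inventory (hostnames, versions and SSL flags are made up).
SAMPLE_INVENTORY = [
    ("ml-prod-01", "7.0-2.2", True),
    ("ml-prod-02", "7.0-2.3", True),
    ("ml-dev-01", "6.0-3", False),
    ("ml-legacy", "5.0-4", True),
]

if __name__ == "__main__":
    for host, status, actions in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {status:13} {'; '.join(actions) or '-'}")
```

Run against a real inventory export, the `assess` result for each host tells you whether the patch release has actually been rolled out, and `triage` turns the "impacted" hosts into the concrete work items from the three steps above. Versions that parse but fall outside the listed lines come back as `not-listed` rather than being silently treated as safe.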

If you have any questions about how to patch, feel free to contact

More information about the heartbleed vulnerability can be found at or

Vendor References



There are no additional comments at this time.
