OpenSSL Heartbleed (CVE-2014-0160) and Oracle E-Business Suite Impact
Integrigy has completed an in-depth security analysis of the "Heartbleed" vulnerability in OpenSSL (CVE-2014-0160) and its impact on Oracle E-Business Suite 11i (11.5) and R12 (12.0, 12.1, and 12.2) environments. The key question is where in the environment SSL terminates, for both internal and external communication between the client browser and the application servers.
1. If the SSL termination point is the Oracle E-Business Suite application servers, then the environment is not vulnerable, as stated in Oracle's guidance (Oracle Support Note ID 1645479.1 "OpenSSL Security Bug-Heartbleed" [support login required]).
2. If the SSL termination point is a load balancer or reverse proxy, then the Oracle E-Business Suite environment MAY BE VULNERABLE to the Heartbleed vulnerability. Environments using load balancers, such as F5 BIG-IP, or reverse proxies, such as Apache mod_proxy or BlueCoat, may be vulnerable depending on their software versions.
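The two cases above reduce to an inventory question: for each path a browser takes to E-Business Suite, which hop decrypts the TLS session, and what OpenSSL build does that hop run? The following is an added example written for this page (it is not Integrigy's or Oracle's code) that models that question. Host names, roles and version strings are constructed; the version-range check encodes the publicly documented affected releases (1.0.1 through 1.0.1f and 1.0.2-beta1), and the model assumes the administrator has already mapped each appliance's TLS stack to an OpenSSL version, which for a product such as BIG-IP means consulting the vendor's own advisory rather than reading it off the device.

```python
"""Added example (not Integrigy's or Oracle's code): model where TLS terminates
on each client-to-EBS path and flag termination points that run an OpenSSL
build affected by CVE-2014-0160.  Host names and versions are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Affected OpenSSL releases: 1.0.1 through 1.0.1f and 1.0.2-beta1.
# 1.0.1g and 1.0.2-beta2 carry the fix; the 0.9.8 and 1.0.0 lines never
# contained the TLS heartbeat code.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?$")


def openssl_version_is_affected(version: str) -> bool:
    """True if the given OpenSSL version string is in the Heartbleed range."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    major, minor, patch, letter, beta = m.groups()
    if (int(major), int(minor)) != (1, 0):
        return False
    if int(patch) == 1:
        return letter <= "f"          # "" (plain 1.0.1) and a..f are affected
    if int(patch) == 2:
        return beta == "1"            # only 1.0.2-beta1 shipped the bug
    return False


@dataclass
class Node:
    name: str
    role: str                         # load_balancer | reverse_proxy | app_server
    terminates_tls: bool              # does this hop decrypt the client's TLS session?
    openssl_version: Optional[str]    # None: TLS stack is not an OpenSSL build in
                                      # the affected range (e.g. the EBS application
                                      # tier, per Oracle Support Note 1645479.1)


def assess_path(path: List[Node]) -> List[str]:
    """Names of hops on this path that terminate TLS with an affected OpenSSL.

    A hop that only passes the encrypted stream through (a TCP pass-through
    load balancer) never processes the client's TLS records itself, so it is
    not flagged for this path even if its own OpenSSL is in the affected range.
    """
    exposed = []
    for node in path:
        if not node.terminates_tls or node.openssl_version is None:
            continue
        if openssl_version_is_affected(node.openssl_version):
            exposed.append(node.name)
    return exposed


# Constructed inventory.  External users reach EBS through a load balancer that
# terminates TLS and re-encrypts to a reverse proxy; internal users connect
# straight to the application tier; a third site uses TCP pass-through.
EXTERNAL_PATH = [
    Node("f5-lb-01", "load_balancer", terminates_tls=True, openssl_version="1.0.1e"),
    Node("proxy-01", "reverse_proxy", terminates_tls=True, openssl_version="1.0.1g"),
    Node("ebs-app-01", "app_server", terminates_tls=False, openssl_version=None),
]
INTERNAL_PATH = [
    Node("ebs-app-01", "app_server", terminates_tls=True, openssl_version=None),
]
PASSTHROUGH_PATH = [
    Node("f5-lb-02", "load_balancer", terminates_tls=False, openssl_version="1.0.1e"),
    Node("ebs-app-02", "app_server", terminates_tls=True, openssl_version=None),
]

if __name__ == "__main__":
    for label, path in (("external", EXTERNAL_PATH),
                        ("internal", INTERNAL_PATH),
                        ("passthrough", PASSTHROUGH_PATH)):
        print(f"{label}: exposed termination points = {assess_path(path) or 'none'}")
```

Run as a script it reports `f5-lb-01` for the external path and nothing for the other two, which is exactly the split the two numbered cases describe: the application tier terminating its own TLS is out of scope, while a terminating front-end device is in scope only if its build falls in the affected range. The pass-through entry is the caveat worth keeping in any such inventory, since an affected OpenSSL on a device that does not decrypt the session is a patching item rather than an exposure on that path.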
Integrigy's detailed analysis of the use of OpenSSL in Oracle E-Business Suite environments is available here:
OpenSSL Heartbleed (CVE-2014-0160) and the Oracle E-Business Suite Impact Analysis
Please let us know if you have any questions or need additional information at info@integrigy.com.