Important MarkLogic security update for CVE-2014-0160 (heartbleed) vulnerability

April 14, 2014 Data & AI, MarkLogic

Recently a serious security vulnerability was discovered in the OpenSSL cryptographic software library. MarkLogic application servers can be configured to use SSL, and MarkLogic uses OpenSSL to provide this capability. A patch to OpenSSL has been released to address this vulnerability, and MarkLogic has built patches for all impacted MarkLogic versions with OpenSSL 1.0.1g to incorporate this new fix.

Impacted Versions

The following versions of MarkLogic are impacted by this vulnerability:

  • MarkLogic 5.0-5 through 5.0-6
  • All versions of MarkLogic 6.0 (6.0-1 through 6.0-5)
  • All versions of MarkLogic 7.0 (7.0-1 through 7.0-2.2), including the MarkLogic AMIs

MarkLogic versions prior to 5.0-5 use an earlier version of OpenSSL that does not have this vulnerability.

How to Patch

We recommend that customers who are using SSL patch their systems immediately. To do this:

  1. Upgrade your cluster to the patch release, available at https://www.progress.com/marklogic/get-started. Patch release versions are as follows:
    • MarkLogic 5.0-6.1
    • MarkLogic 6.0-5.1
    • MarkLogic 7.0-2.3
  2. Regenerate all SSL certificates for your cluster. This is necessary because the vulnerability is such that private keys for your certificates are potentially compromised. See “Configuring SSL on App Servers” in the documentation:
  3. If you are using BASIC or Application Level Authentication over SSL, have all your users change their passwords after you’ve patched and deployed new SSL certificates. This includes both internal users in our security database, and anyone using external authentication (which requires BASIC authentication over SSL). This is necessary because the vulnerability may have resulted in password leaks.

If you have any questions about how to patch, feel free to contact support@marklogic.com.

More information about the heartbleed vulnerability can be found at http://heartbleed.com or https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160.

David Gorbet

View all posts from David Gorbet on the Progress blog. Connect with us about all things application development and deployment, data integration and digital business.