Possibly one of the biggest security threats in the Internet’s history, the Heartbleed bug
(Technical ID: CVE-2014-0160) is a flaw that hackers can take advantage of to obtain unauthorized access to your online accounts potentially granting them access to sensitive information such as emails, private financial data, personal data, passwords, and credit card information.
Even more concerning is that exploitation of this bug does not leave any trace of anything abnormal happening to system logs.
This can affect your servers, desktops, laptops,and mobile/tablet devices.
On the brighter side, many service providers and software vendors (Google, Amazon, Microsoft, Oracle, etc.) have issued a public statement on their position, steps that have or will take, and what actions, if any, the affected individual or organization must take.
Here is what we have found out so far as it relates to Oracle Hyperion EPM Suite of products:
Oracle products that, while using OpenSSL, were not subject to CVE-2014-0160:
- Hyperion BI
Hyperion Essbase [Product ID 4379]
- Oracle WebLogic Web Server Plug-In 1.0 [Product ID 5242/PLUGIN]
Oracle products still under investigation, which may be vulnerable to CVE-2014-0160:
- Oracle Reports [Product ID 159] *Oracle Fusion Middleware
Products That Do Not Include OpenSSL:
- Microsoft Windows Server IIS component (read more here)
- Oracle Database [Product ID 5]
- Oracle WebLogic Server [Product ID 5242]
- Oracle WebLogic Web Server Plug-In 1.1+, 11g, 12c [Product ID 5242/PLUGIN_NZ]
Note: if your EPM platform contains a load balancer product, you should confirm with the vendor
for a for a more complete listing of Oracle products and their position / status.
This is not intended to be an exhaustive list, but a starting point for your own Heartbleed vulnerability assessment.