Important MarkLogic security update for CVE-2014-0160 (heartbleed) vulnerability

Recently a serious security vulnerability was discovered in the OpenSSL cryptographic software library. MarkLogic application servers can be configured to use SSL, and MarkLogic uses OpenSSL to provide this capability. A patch to OpenSSL has been released to address this vulnerability, and MarkLogic has built patches for all impacted MarkLogic versions with OpenSSL 1.0.1g to incorporate this new fix.

Impacted Versions

The following versions of MarkLogic are impacted by this vulnerability:

  • MarkLogic 5.0-5 through 5.0-6
  • All versions of MarkLogic 6.0 (6.0-1 through 6.0-5)
  • All versions of MarkLogic 7.0 (7.0-1 through 7.0-2.2), including the MarkLogic AMIs

MarkLogic versions prior to 5.0-5 use an earlier version of OpenSSL that does not have this vulnerability.

How to Patch

We recommend that customers who are using SSL patch their systems immediately. To do this:

  1. Upgrade your cluster to the patch release, available at http://developer.marklogic.com/products. Patch release versions are as follows:
    • MarkLogic 5.0-6.1
    • MarkLogic 6.0-5.1
    • MarkLogic 7.0-2.3
  2. Regenerate all SSL certificates for your cluster. This is necessary because the vulnerability is such that private keys for your certificates are potentially compromised. See “Configuring SSL on App Servers” in the documentation:
  3. If you are using BASIC or Application Level Authentication over SSL, have all your users change their passwords after you’ve patched and deployed new SSL certificates. This includes both internal users in our security database, and anyone using external authentication (which requires BASIC authentication over SSL). This is necessary because the vulnerability may have resulted in password leaks.

If you have any questions about how to patch, feel free to contact support@marklogic.com.

More information about the heartbleed vulnerability can be found at http://heartbleed.com or https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160.