Important MarkLogic security update for CVE-2014-0160 (heartbleed) vulnerability

Recently a serious security vulnerability was discovered in the OpenSSL cryptographic software library. MarkLogic application servers can be configured to use SSL, and MarkLogic uses OpenSSL to provide this capability. A patch to OpenSSL has been released to address this vulnerability, and MarkLogic has built patches for all impacted MarkLogic versions with OpenSSL 1.0.1g to incorporate this new fix.

Impacted Versions

The following versions of MarkLogic are impacted by this vulnerability:

  • MarkLogic 5.0-5 through 5.0-6
  • All versions of MarkLogic 6.0 (6.0-1 through 6.0-5)
  • All versions of MarkLogic 7.0 (7.0-1 through 7.0-2.2), including the MarkLogic AMIs

MarkLogic versions prior to 5.0-5 use an earlier version of OpenSSL that does not have this vulnerability.

How to Patch

We recommend that customers who are using SSL patch their systems immediately. To do this:

  1. Upgrade your cluster to the patch release, available at http://developer.marklogic.com/products. Patch release versions are as follows:
    • MarkLogic 5.0-6.1
    • MarkLogic 6.0-5.1
    • MarkLogic 7.0-2.3
  2. Regenerate all SSL certificates for your cluster. This is necessary because the vulnerability is such that private keys for your certificates are potentially compromised. See “Configuring SSL on App Servers” in the documentation.
  3. If you are using BASIC or Application Level Authentication over SSL, have all your users change their passwords after you’ve patched and deployed new SSL certificates. This includes both internal users in our security database, and anyone using external authentication (which requires BASIC authentication over SSL). This is necessary because the vulnerability may have resulted in password leaks.
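Before working through the three steps, an administrator usually wants to know which hosts in a cluster are still on an impacted release. The following Python script is an added example, not MarkLogic's own tooling: it encodes the impacted and patch-release versions listed in this advisory, parses MarkLogic's `major.minor-release[.patch]` version strings, and reports every host that still needs the upgrade. The host inventory is a constructed sample; in practice you would fill it from each host's reported version. Releases newer than the ones named here are reported as `unknown` rather than silently treated as safe.

```python
import re

# Version table taken from this advisory: for each impacted release line,
# (first impacted version, first patched version).
IMPACTED_RANGES = {
    "5.0": ("5.0-5", "5.0-6.1"),
    "6.0": ("6.0-1", "6.0-5.1"),
    "7.0": ("7.0-1", "7.0-2.3"),
}
EARLIEST_IMPACTED = "5.0-5"  # anything older uses an OpenSSL without the bug

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Parse a MarkLogic version such as '7.0-2.2' into a comparable tuple.

    The trailing '.N' is optional: '7.0-2' becomes (7, 0, 2, 0), which
    correctly sorts before '7.0-2.1'.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised MarkLogic version: {text!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def heartbleed_status(version):
    """Classify one host's version against the advisory.

    Returns (status, required_patch) where status is one of
    'not-affected', 'vulnerable', 'patched' or 'unknown'; required_patch is
    the patch release to move to when the status is 'vulnerable'.
    """
    parsed = parse_version(version)
    line = f"{parsed[0]}.{parsed[1]}"
    if line not in IMPACTED_RANGES:
        if parsed < parse_version(EARLIEST_IMPACTED):
            return ("not-affected", None)
        # Newer than any release line this advisory covers: do not guess.
        return ("unknown", None)
    first_bad, fixed = IMPACTED_RANGES[line]
    if parsed < parse_version(first_bad):
        return ("not-affected", None)
    if parsed >= parse_version(fixed):
        return ("patched", None)
    return ("vulnerable", fixed)


def audit_cluster(hosts):
    """hosts maps hostname -> reported version string.

    Returns a sorted list of (host, version, required_patch) for every host
    still on an impacted release.
    """
    findings = []
    for host, version in sorted(hosts.items()):
        status, fixed = heartbleed_status(version)
        if status == "vulnerable":
            findings.append((host, version, fixed))
    return findings


# Constructed sample inventory (hypothetical hostnames, not a real cluster).
SAMPLE_HOSTS = {
    "ml-node-1": "7.0-2.2",
    "ml-node-2": "7.0-2.3",
    "ml-node-3": "5.0-4",
    "ml-node-4": "6.0-5",
    "ml-node-5": "5.0-6.1",
}

if __name__ == "__main__":
    for host, version, fixed in audit_cluster(SAMPLE_HOSTS):
        print(f"{host}: {version} impacted by CVE-2014-0160, upgrade to {fixed}")
```

Once every host reports `patched`, steps 2 and 3 above still apply: the upgrade closes the leak but does nothing for keys or passwords that may already have been read while the cluster was exposed.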

If you have any questions about how to patch, feel free to contact support@marklogic.com.

More information about the heartbleed vulnerability can be found at http://heartbleed.com or https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160.
