We’ve joined forces with Smartlogic to reveal smarter decisions—together.

Important MarkLogic security update for CVE-2014-0160 (heartbleed) vulnerability

Recently a serious security vulnerability was discovered in the OpenSSL cryptographic software library. MarkLogic application servers can be configured to use SSL, and MarkLogic uses OpenSSL to provide this capability. A patch to OpenSSL has been released to address this vulnerability, and MarkLogic has built patches for all impacted MarkLogic versions with OpenSSL 1.0.1g to incorporate this new fix.

Impacted Versions

The following versions of MarkLogic are impacted by this vulnerability:

  • MarkLogic 5.0-5 through 5.0-6
  • All versions of MarkLogic 6.0 (6.0-1 through 6.0-5)
  • All versions of MarkLogic 7.0 (7.0-1 through 7.0-2.2), including the MarkLogic AMIs

MarkLogic versions prior to 5.0-5 use an earlier version of OpenSSL that does not have this vulnerability.

How to Patch

We recommend that customers who are using SSL patch their systems immediately. To do this:

  1. Upgrade your cluster to the patch release, available at http://developer.marklogic.com/products. Patch release versions are as follows:
    • MarkLogic 5.0-6.1
    • MarkLogic 6.0-5.1
    • MarkLogic 7.0-2.3
  2. Regenerate all SSL certificates for your cluster. This is necessary because the vulnerability is such that private keys for your certificates are potentially compromised. See “Configuring SSL on App Servers” in the documentation:
  3. If you are using BASIC or Application Level Authentication over SSL, have all your users change their passwords after you’ve patched and deployed new SSL certificates. This includes both internal users in our security database, and anyone using external authentication (which requires BASIC authentication over SSL). This is necessary because the vulnerability may have resulted in password leaks.

If you have any questions about how to patch, feel free to contact support@marklogic.com.

More information about the heartbleed vulnerability can be found at http://heartbleed.com or https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160.

Start a discussion

Connect with the community

STACK OVERFLOW

EVENTS

GITHUB COMMUNITY

Most Recent

View All

Facts and What They Mean

In the digital era, data is cheap, interpretations are expensive. An agile semantic data platform combines facts and what they mean to create reusable organizational knowledge.
Read Article

Truth in ESG Labels

Managing a portfolio of investments for your client has never been simple - and doing so through an ESG lens raises the complexity to an almost mind-boggling level. Learn the signs your team has hit the wall with current tools - and how a semantic knowledge graph can help.
Read Article

4 Signs You’ve Got a Transaction Reconciliation Challenge

Many firms manage transaction reconciliation using smart people armed with spreadsheets - but that doesn't scale well. Learn what to look for, to know if you're creating new forms of risk for your firm.
Read Article
This website uses cookies.

By continuing to use this website you are giving consent to cookies being used in accordance with the MarkLogic Privacy Statement.