We’ve joined forces with Smartlogic to reveal smarter decisions—together.

Important MarkLogic security update for CVE-2014-0160 (heartbleed) vulnerability

Recently a serious security vulnerability was discovered in the OpenSSL cryptographic software library. MarkLogic application servers can be configured to use SSL, and MarkLogic uses OpenSSL to provide this capability. A patch to OpenSSL has been released to address this vulnerability, and MarkLogic has built patches for all impacted MarkLogic versions with OpenSSL 1.0.1g to incorporate this new fix.

Impacted Versions

The following versions of MarkLogic are impacted by this vulnerability:

  • MarkLogic 5.0-5 through 5.0-6
  • All versions of MarkLogic 6.0 (6.0-1 through 6.0-5)
  • All versions of MarkLogic 7.0 (7.0-1 through 7.0-2.2), including the MarkLogic AMIs

MarkLogic versions prior to 5.0-5 use an earlier version of OpenSSL that does not have this vulnerability.

How to Patch

We recommend that customers who are using SSL patch their systems immediately. To do this:

  1. Upgrade your cluster to the patch release, available at http://developer.marklogic.com/products. Patch release versions are as follows:
    • MarkLogic 5.0-6.1
    • MarkLogic 6.0-5.1
    • MarkLogic 7.0-2.3
  2. Regenerate all SSL certificates for your cluster. This is necessary because the vulnerability is such that private keys for your certificates are potentially compromised. See “Configuring SSL on App Servers” in the documentation:
  3. If you are using BASIC or Application Level Authentication over SSL, have all your users change their passwords after you’ve patched and deployed new SSL certificates. This includes both internal users in our security database, and anyone using external authentication (which requires BASIC authentication over SSL). This is necessary because the vulnerability may have resulted in password leaks.

If you have any questions about how to patch, feel free to contact support@marklogic.com.

More information about the heartbleed vulnerability can be found at http://heartbleed.com or https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160.

Start a discussion

Connect with the community

STACK OVERFLOW

EVENTS

GITHUB COMMUNITY

Most Recent

View All

Unifying Data, Metadata, and Meaning

We're all drowning in data. Keeping up with our data - and our understanding of it - requires using tools in new ways to unify data, metadata, and meaning.
Read Article

How to Achieve Data Agility

Successfully responding to changes in the business landscape requires data agility. Learn what visionary organizations have done, and how you can start your journey.
Read Article

Scaling Memory in MarkLogic Server

This not-too-technical article covers a number of questions about MarkLogic Server and its use of memory. Learn more about how MarkLogic uses memory, why you might need more memory, when you need more memory, and how you can add more memory.
Read Article
This website uses cookies.

By continuing to use this website you are giving consent to cookies being used in accordance with the MarkLogic Privacy Statement.