The OpenSSL build version is pretty easy to find:

$ strings ~/Library/MarkLogic/lib/libssl.* | grep -i openssl | head -1
SSLv2 part of OpenSSL 1.0.1e-fips 11 Feb 2013

That's 7.0-2.2 for OSX but I imagine all current releases are the same. With SSL enabled on a test server, https://github.com/titanous/heartbleeder says:

$ heartbleeder localhost:8443
VULNERABLE(localhost:8443) - has the heartbeat extension enabled and is vulnerable to CVE-2014-0160

No doubt MarkLogic is working on a new release.

-- Mike

On 10 Apr 2014, at 10:31 , Sergio Restrepo <[email protected]> wrote:

> Hello,
>
> I have gotten a couple of requests from some of our customers to check on
> heartbleed (http://heartbleed.com/) vulnerability in several of our
> applications.
>
> While we do not use HTTPS in most of our services, the documentation
> (http://docs.marklogic.com/guide/admin/SSL#id_58562) does state MarkLogic
> uses OpenSSL to implement SSL/TLS.
>
> Do you have any insight as to what version of OpenSSL is embedded in
> MarkLogic and if that is vulnerable to heartbleed?
>
> Thanks
>
> SERGIO RESTREPO VP, Architecture
> Yuxi Pacific LLC, 4393 Digital Way Mason, OH 45040
> [email protected]
> Office: 484-598-3729
> Skype: yuxi-sergio
>
> _______________________________________________
> General mailing list
> [email protected]
> http://developer.marklogic.com/mailman/listinfo/general
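Added example, not part of the original thread and not MarkLogic code: a shell triage of the banner that the strings command above prints, checked against the upstream OpenSSL releases affected by CVE-2014-0160 (1.0.1 through 1.0.1f, 1.0.2-beta and 1.0.2-beta1). The function names are hypothetical, and every sample banner except the first is constructed.

```shell
#!/bin/sh
# Added example: triage OpenSSL banners for the CVE-2014-0160 release range.
# A banner only narrows things down: vendors may backport the fix without
# changing the version letter, so confirm with a live test as in the thread.

# Print the version token that follows "OpenSSL ", e.g. 1.0.1e-fips.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*[-a-z0-9]*\).*/\1/p' |
        head -n 1
}

# Print in-range or outside-range for a version token.
classify_version() {
    case "$1" in
        1.0.2-beta|1.0.2-beta-*|1.0.2-beta1|1.0.2-beta1-*) echo in-range; return 0 ;;
    esac
    # Drop build suffixes such as -fips before comparing the release letter.
    case "${1%%-*}" in
        1.0.1|1.0.1a|1.0.1b|1.0.1c|1.0.1d|1.0.1e|1.0.1f) echo in-range ;;
        *) echo outside-range ;;
    esac
}

# Print "<version> <verdict>" for a banner, or "unknown" if no version is found.
triage_banner() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo unknown
    else
        echo "$ver $(classify_version "$ver")"
    fi
}

# Triage the first OpenSSL banner found in each library file given.
scan_libs() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        banner=$(strings "$f" | grep -i 'openssl [0-9]' | head -n 1)
        echo "$f: $(triage_banner "$banner")"
    done
}

# No arguments: run on sample banners (first is from the thread, rest constructed).
if [ "$#" -eq 0 ]; then
    triage_banner "SSLv2 part of OpenSSL 1.0.1e-fips 11 Feb 2013"
    triage_banner "OpenSSL 1.0.1g 7 Apr 2014"
    triage_banner "OpenSSL 0.9.8y 5 Feb 2013"
else
    scan_libs "$@"
fi
```

Passing library paths as arguments scans those files instead of the sample banners.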
