You can find current and future statements related to "Heartbleed" at the link below - please see section 6 for Eloqua. Current statement extracted and included below.
http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html
6.0 Oracle Cloud, My Oracle Support and IT Systems
Oracle’s security and development teams are aware of the recently publicly disclosed vulnerability in certain versions of OpenSSL (a.k.a. CVE-2014-0160; or ‘Heartbleed’). Oracle is currently investigating the implications of this issue across the Oracle stack.
Cloud uses a “defense in depth” approach to security which provides risk mitigation due to layered controls. It appears that both externally and internally (private) accessible applications hosted in Oracle Cloud Data Centers are currently not at risk from this vulnerability, due to Oracle’s network architecture and use of SSL accelerators that are not known to be vulnerable to CVE-2014-0160. We continue our analysis across our My Oracle Support and IT infrastructure and will update you as we have more information.
We have assessed our infrastructure using a number of automated and manual tests and continue to believe that environments hosted in Oracle Cloud Data Centers are not currently at risk from the CVE-2014-0160 vulnerability.
Oracle Cloud Services that have successfully passed our assessment include:
- Oracle Public Cloud
- RightNow
- Big Machines
- Eloqua
- Responsys