Last Updated: July 28, 2014 3:00PM CDT
The OpenSSL Security Advisory [05 Jun 2014] ("Advisory") disclosed OpenSSL security vulnerabilities. BMC Software is investigating the impact of the disclosed vulnerabilities on our products and services as well as our customer-facing portals.
The products in Table 1 below have been found to be vulnerable to the disclosed OpenSSL CCS Injection flaw. The planned remediation and expected availability date for each affected product are shown in the table. No products have been found to be vulnerable to the other flaws described in the advisory. This table will be updated as needed as the investigation progresses.
|BMC Bladelogic Decision Support for Server Automation 8.2.x, 8.3.x, and 8.5 (Windows + Linux + Solaris)||BDSSA 8.5 SP1 as well as patches for BDSSA 8.2.x, 8.3.x and 8.5 include OpenSSL 1.0.1h. All patches are available via ftp.|
|BMC Real End User Experience Monitoring versions 2.5 and 2.5.01 (220.127.116.116 and 18.104.22.1680)||Upgraded to OpenSSL 1.0.1h in version 2.6 released July 11 (available by EPD)|
|BMC Real End User Experience Monitoring Hardware Collector versions 2.5 and 2.5.01 (22.214.171.1246 and 126.96.36.1990)||Upgraded to OpenSSL 1.0.1h in version 2.6 released July 11 (available by EPD)|
|BMC TrueSight End User Monitor 1200 Series versions 2.5 and 2.5.01 (188.8.131.526 and 184.108.40.2060)||Upgraded to OpenSSL 1.0.1h in version 2.6 released July 11 (available by EPD)|
|BMC TrueSight End User Monitor 4200 Series versions 2.5 and 2.5.01 (220.127.116.116 and 18.104.22.1680)||Upgraded to OpenSSL 1.0.1h in version 2.6 released July 11 (available by EPD)|
|BMC Atrium Discovery and Dependency Mapping 8.3.x, 9.0.x, and 10.0.x||Updated OpenSSL included in OS update released June 20|
|BMC Atrium Discovery and Dependency Mapping Proxy 9.0.x||Updated OpenSSL included in 9.0 SP3 released July 1|
|BMC Atrium Discovery and Dependency Mapping Proxy 8.3.x and 10.0.x||Updated OpenSSL will be included in any future releases|
|BMC Atrium SSO||Please apply the OS update released June 20 to the ADDM appliance|
|BMC MainView Console Automation (all versions through 3.2)||For versions 3.1 and 3.2: a Cumulative SSL Security patch released June 9 addresses this case; it fixes both the "Heartbleed" vulnerability and those disclosed in June. Customers running earlier releases of MainView Console Automation should upgrade to version 3.2 before the patch can be installed.|
|BMC Footprints Service Core 11.6.02 and prior||Updated OpenSSL for Tomcat included in the patch released July 16. Detailed remediation steps and a link to the patch are included in this article on the Footprints support site.|
|Aternity for BMC End User Experience Management Dashboards Server (all versions)||Updated OpenSSL included in Patch available July 15|
Although no other products have been found to be vulnerable to the OpenSSL CCS Injection flaw, some do include older versions of OpenSSL. As a precaution we will be upgrading OpenSSL libraries included in all our supported products as part of their next planned service pack or release, whichever occurs first.
BMC products are frequently installed in environments that include infrastructure components that embed the OpenSSL library (e.g. Web Servers, Application Servers, Middleware, etc.). Please check with the vendors of these components to ensure they have been patched or that they are not affected by the OpenSSL Security Advisory from June 5th.
Please bookmark this page, and check it periodically for the latest details.