Last Updated: June 2, 2014 4:00PM CDT

BMC Software’s Application Security team is investigating the impact that the OpenSSL CVE-2014-0160 vulnerability has on the security posture of BMC products and services.
The products listed in Table 1 below include OpenSSL libraries affected by the OpenSSL CVE-2014-0160 vulnerability.

| Products Which Include Affected OpenSSL | Remediation / Patches |
| --- | --- |
| BMC Atrium Discovery and Dependency Mapping 10.0; BMC Atrium Discovery and Dependency Mapping Proxy 10.0; BMC Atrium Discovery and Dependency Mapping 9.0 RedHat 6; BMC Atrium Discovery and Dependency Mapping Proxy 9.0 | Fix available on BMC Electronic Product Distribution. Refer to this blog post for details and update instructions. |
| BMC TrueSight Operations Management Suite Server 9.5 | Patches available from the BMC FTP site (see the readme file for details). |
| BMC Real End User Experience Monitoring, versions 2.5 and 2.5.01 (2.5.64.306 and 2.5.66.300) | Patch available through deviceupdates. See this document for details. |
| BMC Real End User Experience Monitoring Hardware Collector, versions 2.5 and 2.5.01 (2.5.64.306 and 2.5.66.300) | Patch available through deviceupdates. See this document for details. |
| BMC TrueSight End User Monitor 1200 Series, versions 2.5 and 2.5.01 (6.5.64.306 and 6.5.66.300) | Patch available through deviceupdates. See this document for details. |
| BMC TrueSight End User Monitor 4200 Series, versions 2.5 and 2.5.01 (6.5.64.306 and 6.5.66.300) | Patch available through deviceupdates. See this document for details. |
| Borland Silk Performer Synthetic Transaction Monitoring for BMC Software (Synthetic-EUEM) 15.0 | Fix available on BMC Electronic Product Distribution. |
| BMC TMART 4.1 SP2, 4.2 | Fix available on BMC Electronic Product Distribution. |
| BMC Bladelogic Decision Support for Server Automation 8.2.03, 8.2.04, 8.3, 8.3.01 | Linux fixes available: 8.2.03, 8.2.04; 8.3, 8.3.01. Solaris fixes available: 8.2.03, 8.2.04; 8.3, 8.3.01. Windows versions not affected. |
| BMC Bladelogic Decision Support for Server Automation 8.3.02, 8.3.03, 8.5 | Linux fixes available: 8.3.02, 8.3.03, 8.5. Solaris fixes available: 8.3.02, 8.3.03, 8.5. Windows fixes available: 8.3.02, 8.3.03, 8.5. |
| BMC MainView Console Automation for zEnterprise 3.1, 3.2 | Fix available on BMC Electronic Product Distribution. |
| Aternity for BMC End User Experience Management Dashboards Server (all versions) | Fix available from Aternity. Click here for details. |
| Entuity Network Monitoring for BMC TrueSight Operations Management V14.0 | Fix available from the Entuity web site. Please contact BMC Customer Support for access credentials. |

The products listed in Table 2 below either do not include OpenSSL libraries or include OpenSSL libraries unaffected by the OpenSSL CVE-2014-0160 vulnerability.

| Products Which Do Not Include OpenSSL | Products Which Include Unaffected OpenSSL |
| --- | --- |
| BMC Atrium Orchestrator | BMC Atrium Discovery and Dependency Mapping 9.0 RedHat 5 |
| BMC Cloud Lifecycle Management | BMC Remedy AR System 8.8 |
| BMC Decision Support for Database Automation | BMC Remedy AR System and ITSM Suite 8.1 |
| BMC Decision Support for Network Automation | BMC Remedy AR System and ITSM Suite 8.0 |
| BMC Release Lifecycle Management | BMC Remedy AR System and ITSM Suite 7.6.04 |
| BMC MainView Console Management 2.12 and prior | BMC Atrium CMDB |
| BMC MainView for z/OS solutions (all products and versions except as shown in Table 1) | BMC Footprints Service Core 11.6.02 and prior |
| BMC IMS for z/OS solutions (all products and versions) | BMC Footprints Asset Core/BCM 11.6 |
| BMC DB2 for z/OS solutions (all products and versions) | BMC Footprints Asset Core/BCM 11.7 |
| BMC Middleware Administration | BMC Footprints Asset Core/BCM 12 |
| BMC Middleware Management - Transaction Analytics for WebSphere MQ (StatWatch) | BMC Remedy OnDemand (based on underlying Remedy and hosting environment tested) |
| BMC BladeLogic Client Automation | BMC Capacity Optimization and Performance Assurance |
| BMC AppSight | BMC Middleware Management - Performance and Availability |
| BMC Identity Management | BMC Middleware Management – Transaction Monitoring |
| BMC IT Business Management | BMC TrueSight Operations Management Suite Server 9.0 |
| BMC Network Automation | BMC Control-M 6.4 |
| BMC Service Desk Express | BMC Control-M 7.0 |
| BMC Service Level Management | BMC Control-M 8.0 |
| BMC TrackIt! | BMC Dashboard and Analytics |
| BMC MyIT (all versions) | BMC Release Process Management |
| BMC RemedyForce (all versions) | BMC Database Automation (BladeLogic) |
| BMC Footprints Service Core/Renoir 12 | BMC Server Automation (BladeLogic) |
| BMC Performance Manager Portal | BMC Release Package and Deployment (RPD) |
| BMC Storage Data Management | BMC Atrium SSO |
| BMC Performance Manager for WebSphere Business Integration (WBI) | BMC TMART 4.1 (prior to SP2) |
| Aternity for BMC End User Experience Management Console and Agents (all versions) | BMC Bladelogic Decision Support for Server Automation. On Unix: 8.2.00, 8.2.01, 8.2.02. On Windows: 8.2.02, 8.2.03, 8.2.04, 8.3, 8.3.01 |
| BMC Education Solution Accelerator (ESA) | BMC Event Manager |
| Moviri Integration for BMC Capacity Optimization | BMC Patrol Central Web Edition |
| nlyte Enterprise Edition for BMC Software | BMC Application Transaction Tracing |
| Seamless Technologies Event Integration for BMC TrueSight Operations Management | BMC Middleware Management - Administration for WebSphere MQ (AppWatch) |
| BMC Mobile Device Management (MDM) | BMC Middleware Monitoring |
| Sentry Software Integration for BMC Capacity Optimization | Entuity Network Monitoring for BMC TrueSight Operations Management V10.5 and earlier |
| Sentry Software Monitoring for BMC TrueSight Operations Management | BMC Performance Manager for Servers |
| Sentry Software Adapters for BMC Atrium Orchestrator | BMC PATROL Agent |
| SailPoint Provisioning Engine for BMC Software Solutions | |
| SailPoint Compliance Manager for BMC Software Solutions | |
| SailPoint Lifecycle Manager for BMC Software Solutions | |
| Quindell OS3 Frameworks for BMC Remedy | |

Products not listed in Table 1 and Table 2 above are still under investigation. Updates on these products will be posted to this page as they become available.
Recommendations:
   1. In cases where BMC products were deployed in vulnerable environments, or were patched for the OpenSSL CVE-2014-0160 vulnerability, we recommend that you change all administrative passwords and replace all SSL certificates.
   2. BMC products are frequently installed in environments that include infrastructure components that embed the OpenSSL library (e.g. web servers, application servers, middleware). Please check with the vendors of these components to ensure that they have been patched or are not affected by the OpenSSL CVE-2014-0160 vulnerability.