
Latest details from BMC

Last Updated: December 7, 2015 3:00PM CST

 

BMC Software’s Application Security team is investigating the impact that multiple OpenSSL security vulnerabilities announced on March 19th have on the security posture of BMC products and services. Of the 14 vulnerabilities described, two were classified as high severity cases: CVE-2015-0204 and CVE-2015-0291.
The products listed in Table 1 below include OpenSSL libraries affected by the OpenSSL CVE-2015-0204 and/or CVE-2015-0291 vulnerabilities.

Table 1

| Products Which Include Affected OpenSSL | Remediation / Patches |
| --- | --- |
| BMC Atrium Discovery and Dependency Mapping | See article in BMC Communities |
| BMC Footprints Service Core 11.6.05 and prior | Patch released (see this article for details). Upgraded version of OpenSSL is included in release 11.6.06 |
| Borland Silk Performer for TrueSight Operations Management 15.5.10 | Addressed in Borland Silk Performer for TrueSight Operations Management 15.5.60 available on BMC Electronic Product Distribution (EPD) |
| BMC TMART 4.2 SP2 | Addressed in BMC TMART 4.2 SP3 available on BMC Electronic Product Distribution (EPD) |
| BMC Application Diagnostics 2.6.10 | Addressed in 2.6.15 and 2.7.01 available on BMC Electronic Product Distribution (EPD) |
| Entuity Network Monitoring for BMC TrueSight Operations Management V14.0, V14.5 and V15.0 | Patches available from the Entuity web site. Please contact BMC Customer Support for access credentials |
| BMC Database Automation (BladeLogic) | Patch estimated May 31, 2015 |
| BMC Release Package and Deployment (RPD) | Patch estimated May 31, 2015 |
| BMC Release Lifecycle management | See RPD, RPM and BSA |
| BMC Workload Automation (Control-M) | See this article for details |
| BMC MainView Console Management 3.2.1 and prior | Upgrade to release 3.2.2 or install Cumulative SSL Security patch 2015.04.21 |

The products listed in Table 2 below either do not include OpenSSL libraries or include OpenSSL libraries unaffected by the OpenSSL CVE-2015-0204 and CVE-2015-0291 vulnerabilities.

Table 2

Products that do not include OpenSSL:

- BMC Atrium Orchestrator
- BMC Cloud Lifecycle Management
- BMC Decision Support for Database Automation
- BMC Decision Support for Network Automation
- BMC MainView Console Management 2.12 and prior
- BMC MainView for z/OS solutions (all products and versions except as shown in Table 1)
- BMC IMS for z/OS solutions (all products and versions)
- BMC DB2 for z/OS solutions (all products and versions)
- BMC Middleware Administration
- BMC Middleware Management - Transaction Analytics for WebSphere MQ (StatWatch)
- BMC BladeLogic Client Automation
- BMC BladeLogic Portal
- BMC AppSight
- BMC Identity Management
- BMC IT Business Management
- BMC Network Automation
- BMC Service Desk Express
- BMC Service Level Management
- BMC TrackIt!
- BMC RemedyForce (all versions)
- BMC Footprints Service Core/Renoir 12
- BMC Performance Manager Portal
- BMC Event Manager
- BMC TrueSight IT Data Analytics
- BMC Storage Data Management
- BMC Performance Manager for WebSphere Business Integration (WBI)
- Aternity for BMC End User Experience Management Console and Agents (all versions)
- BMC Education Solution Accelerator (ESA)
- Moviri Integration for BMC Capacity Optimization
- nlyte Enterprise Edition for BMC Software
- Seamless Technologies Event Integration for BMC TrueSight Operations Management
- BMC Mobile Device Management (MDM)
- Sentry Software Integration for BMC Capacity Optimization
- Sentry Software Monitoring for BMC TrueSight Operations Management
- Sentry Software Adapters for BMC Atrium Orchestrator
- SailPoint Provisioning Engine for BMC Software Solutions
- SailPoint Compliance Manager for BMC Software Solutions
- SailPoint Lifecycle Manager for BMC Software Solutions
- Quindell OS3 Frameworks for BMC Remedy

Products that include OpenSSL, but are not vulnerable:

- BMC Client Management (formerly BMC Footprints Asset Core) versions 11.x, 12.x - ship with 1.0.0 thread of OpenSSL with export ciphers disabled. Will upgrade to latest release of OpenSSL 1.0.0 thread in version 12.1 - planned for October 2015
- BMC Performance Manager Portal 2.11.0 - ships with export ciphers disabled
- BMC TrueSight Infrastructure Management (formerly BMC Proactivenet Performance Management Suite) 9.5 and 9.6 - ship with export ciphers disabled
- BMC Bladelogic Decision Support for Server Automation 8.3.02 (Windows + Linux + Solaris)
- BMC Bladelogic Decision Support for Server Automation 8.3.03 (Windows + Linux + Solaris)
- BMC Bladelogic Decision Support for Server Automation 8.5 (Windows + Linux + Solaris)
- BMC Bladelogic Decision Support for Server Automation 8.5.01 (Windows + Linux + Solaris)
- BMC Bladelogic Decision Support for Server Automation Unix (Linux + Solaris) 8.2, 8.2.01, 8.2.02
- BMC Bladelogic Decision Support for Server Automation Unix (Linux + Solaris) 8.2.03, 8.2.04, 8.3, 8.3.01
- BMC Bladelogic Decision Support for Server Automation Windows 8.2.02, 8.2.03, 8.2.04, 8.3, 8.3.01
- BMC Release Process Management (RPM)
- BMC Server Automation (BladeLogic) (BSA)
- (old name) BMC Capacity Optimization and Performance Assurance / TrueSight Capacity Optimization
- BMC Real End User Experience Monitoring versions 2.5 and 2.5.01 (2.5.64.306 and 2.5.66.300)
- BMC Real End User Experience Monitoring Hardware Collector versions 2.5 and 2.5.01 (2.5.64.306 and 2.5.66.300)
- BMC TrueSight End User Monitor 1200 Series versions 2.5 and 2.5.01 (6.5.64.306 and 6.5.66.300)
- BMC TrueSight End User Monitor 4200 Series versions 2.5 and 2.5.01 (6.5.64.306 and 6.5.66.300)
- BMC Real End User CloudProbe
- BMC MyIT (see this page for additional details)
- BMC SmartIT (see this page for additional details)
- BMC Remedy AR System and ITSM Suite (see this article for details)

 

Products not listed in Table 1 and Table 2 above are still under investigation. Updates on these products will be posted to this page as they become available.
Recommendations:
   1. BMC products are frequently installed in environments that include infrastructure components that embed the OpenSSL library (e.g. Web Servers, Application Servers, Middleware, etc.). Please check with the vendors of these components to ensure they have been patched or that they are not affected by the OpenSSL CVE-2015-0204 and CVE-2015-0291 vulnerabilities.