Last Modified at 9:45AM CST, December 10, 2015

Latest details from BMC

BMC Software’s Application Security team is investigating the impact that the SSL 3.0 CVE-2014-3566 (a.k.a. “POODLE”) vulnerability has on the security posture of BMC products and services.

The products listed below allow SSL 3.0 connections and are therefore affected by the SSL 3.0 CVE-2014-3566 vulnerability.

Products Which Allow SSL 3.0 Connections | Remediation / Patching

Product: BMC Atrium Discovery and Dependency Mapping - all versions; BMC Atrium Discovery and Dependency Mapping Proxy - all versions
Remediation: Manually disable SSL 3.0 until patches are available that remove SSL 3.0 completely. These will be included in a future OS update. Refer to this blog post for details and instructions.

Product: BMC Client Management - versions 11.x and 12.0 (formerly BMC FootPrints Asset Core)
Remediation: BMC will be disabling SSLv3 support in the BCM agent, permitting only TLS connections (versions 1.0, 1.1 or 1.2). In addition, OpenSSL will be updated to help block any downgrade attack such as POODLE. Please download one of the following hot fixes: 11.5 Hot Fix, 11.6 Hot Fix, 11.7 Hot Fix, 12.0 Hot Fix.
NOTE: If integrating with BMC FootPrints Service Core, applying the hot fix also requires the latest OpenSSL for the BMC FootPrints Service Core installation. The patch can be obtained from this support article.

Product: BMC MainView Console Management for zEnterprise - all versions
Remediation: MainView Console Management Cumulative SSL Security Patch 2014.10.16 for versions 3.1-3.2 is available via Electronic Product Distribution. Earlier versions must be upgraded to at least 3.1 before the patch can be applied.

Product: BMC Remedy OnDemand (service suite includes hosted instances of BMC MyIT, BMC AppZone and BMC FootPrints Asset Core)
Remediation: BMC is in the process of disabling SSL v3.0 across all data centers and service offerings. To date the following service offerings have been completed: Commercial - US, Commercial - UK, Commercial - CA, Commercial - AU, Public Sector - US, Public Sector - Federal.
Product: BMC Workload Automation (Control-M) versions 6.4.x, 7.0.x, 8.0.x
Remediation: Manually disable SSL 3.0 fallback. Refer to this blog post for details and instructions.

Product: BMC FootPrints Service Core - version 12.x
Remediation: FootPrints 12.x does not install Java or Tomcat for the customer. Instead, the customer supplies their own Java and Tomcat installations. See this support article for guidance on upgrading these installations and on disabling SSLv3 in Tomcat. No patches are necessary.

Product: BMC FootPrints Service Core - versions 11.x, 10.0.2, 9.5.4
Remediation: See this support article for patches to update OpenSSL to 1.0.1j as used by the product in Perl and Tomcat. See this support article for guidance on disabling SSLv3 for versions 11 and newer.

Product: Remedyforce
Remediation: Manually disable SSL 3.0 in web browsers. See this article in BMC Communities for details.

Product: Aternity for BMC End User Experience Management Console and Agents (all versions); Aternity for BMC End User Experience Management Dashboards Server (all versions)
Remediation: For every Aternity node (data warehouse, management server, and EPM), configure the Apache Tomcat HTTPS connector in server.xml by setting the following attributes:

    sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
    sslProtocol="TLS"

See this article for more details. For the Tableau server, see this article for instructions.

Product: BMC Atrium Orchestrator
Remediation: In Apache Tomcat turn off SSL v3 and v2 and leave only TLS enabled, as described in this article on the Red Hat website.

Product: BMC BladeLogic Database Automation
Remediation: In Apache Tomcat turn off SSL v3 and v2 and leave only TLS enabled, as described in this article on the Red Hat website. OpenSSL will be upgraded in version 8.6 and backported to 8.5 in a patch shortly after 8.6 is released.

Product: BMC BladeLogic Decision Support for Database Automation; BMC BladeLogic Decision Support for Network Automation
Remediation: In Apache Tomcat, go to the "<PATH>\BL-Decision Support\tomcat\conf" directory.
Take a backup of the server.xml file.
Edit server.xml, replacing sslProtocols="TLS" with sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2".
Save the file and restart the "BL-Decision Support Web Server" service.

Product: BMC BladeLogic Decision Support for Server Automation (Windows, Unix, and Linux)
Remediation: Upgrade packages are available for BDSSA 8.3.x and 8.5.x. See this article for instructions on obtaining the package for BDSSA.

Product: BMC BladeLogic Middleware Automation
Remediation: Please see this article for detailed instructions on disabling SSL 3.0.

Product: BMC BladeLogic Network Automation
Remediation: In Apache Tomcat turn off SSL v3 and v2 and leave only TLS enabled, as described in this article on the Red Hat website. BNA server and agent communication over RMI uses TLS 1.2 by default. HTTPS communication between the BNA agent and network devices is either configured to initiate TLS or to accept the handshake from BNA, which uses TLS.

Product: BMC BladeLogic Server Automation
Remediation: OpenSSL has been upgraded and the Java JSSE configuration fixed in BSA 8.5 SP1 Patch 3 and BSA 8.6. A hotfix is available for 8.3.03 (build 190 or higher). Please see this article for instructions on obtaining this hotfix.

Product: BMC Cloud Lifecycle Management
Remediation: In Apache Tomcat turn off SSL v3 and v2 and leave only TLS enabled, as described in this article on the Red Hat website. If HTTPS is enabled for CLM Platform Manager, please contact BMC Customer Support for assistance with the Jetty configuration.

Product: BMC DCA Portal
Remediation: In Apache Tomcat turn off SSL v3 and v2 and leave only TLS enabled, as described in this article on the Red Hat website.

Product: BMC Release Package and Deployment
Remediation: In Apache Tomcat turn off SSL v3 and v2 and leave only TLS enabled, as described in this article on the Red Hat website.

Product: BMC Release Process Management (DevOps)
Remediation: In Apache Tomcat turn off SSL v3 and v2 and leave only TLS enabled, as described in this article on the Red Hat website.

Product: BMC Release Lifecycle Management
Remediation: This is a combination of BMC Release Package and Deployment, BMC Release Process Management, and BMC BladeLogic Server Automation. Please see the entries above for the individual remediation steps for each.
Product: Entuity Network Monitoring for BMC ProactiveNet Performance Management V14.0 and above; Entuity for BMC TrueSight Operations Management; Entuity Integrator for BMC TrueSight Operations Management; Entuity Network Analyzer for BMC TrueSight Operations Management; Entuity Flow Analyzer for TrueSight Ops
Remediation: Modify the following Apache configuration files:

<Entuity Home>\install\template\lib\apache\conf\httpd_eye.conf
  From: ##CONFIGPARSE##    SSLProtocol -ALL +SSLv3 +TLSv1
  To:   ##CONFIGPARSE##    SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2

<Entuity Home>\lib\apache\conf\httpd_eye.conf
  From: SSLProtocol -ALL +SSLv3 +TLSv1
  To:   SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2

Then restart the Entuity Web Server:
<Entuity Home>\bin\stop webserver
The Web Server will automatically restart after stopping.

Product: Entuity Network Monitoring for BMC ProactiveNet Performance Management V10.5 and earlier
Remediation: Please contact BMC Customer Support for assistance.

Product: BMC Capacity Optimization and Performance Assurance
Remediation: See this article for detailed remediation steps.

Product: BMC Patrol Central Web Edition
Remediation: See this article for detailed remediation steps.

Product: BMC Performance Manager Portal
Remediation: See this article for detailed remediation steps.

Product: BMC Application Transaction Tracing
Remediation: Patch available. Please contact BMC Customer Support for assistance.

Product: BMC Middleware Administration
Remediation: See this article for detailed remediation steps.

Product: BMC Middleware Management - Administration for WebSphere MQ (AppWatch)
Remediation: See this article for detailed remediation steps.

Product: BMC Middleware Management - Performance and Availability; BMC Middleware Management - Transaction Monitoring; BMC Middleware Monitoring
Remediation: Patches available.

Product: BMC ProactiveNet Performance Management Suite Server 9.0; BMC ProactiveNet Performance Management Suite 9.5
Remediation: See this article for detailed remediation steps.

Product: BMC Real End User Experience Monitoring Hardware Collector versions 2.5 and 2.5.01 (2.5.64.306 and 2.5.66.300); BMC Real End User Experience Monitoring versions 2.5 and 2.5.01 (2.5.64.306 and 2.5.66.300); BMC TrueSight End User Monitor 1200 Series versions 2.5 and 2.5.01 (6.5.64.306 and 6.5.66.300); BMC TrueSight End User Monitor 4200 Series versions 2.5 and 2.5.01 (6.5.64.306 and 6.5.66.300)
Remediation: Patch available. Please contact BMC Customer Support for assistance.

Product: BMC TMART 4.2
Remediation: Please see this article for instructions.

Product: BMC IT Data & Analytics
Remediation: By default, SSL is not enabled. The product documentation for enabling SSL has been updated so that SSLv3.0 is not enabled.

Product: BMC Impact Integration Web Services 7.4.00
Remediation: Please see this article for detailed instructions on disabling SSL 3.0.

Product: MyIT 2.0, MyIT 2.1 and SmartIT
Remediation: Please see this support article for instructions on disabling SSL V3 in the Tomcat used by MyIT and SmartIT.

Product: BMC Remedy AR System and ITSM Suite 7.6.04, 8.0, and 8.1
Remediation: See this support article for instructions on disabling SSL V3 in the Tomcat used by Mid-Tier. If you are using the LDAP integration plug-in, BMC recommends consulting your LDAP server documentation for turning off SSL V3 in your LDAP server. An LDAP plug-in hotfix that allows the LDAP plug-in to use TLS for communication with the LDAP server is available here.

Product: BMC Remedy AR System 8.8
Remediation: See this support article for instructions on disabling SSL V3 in the Tomcat used by Mid-Tier. If you are using the LDAP integration plug-in, BMC recommends consulting your LDAP server documentation for turning off SSL V3 in your LDAP server.

Product: BMC Atrium SSO
Remediation: See this support article for instructions on disabling SSL V3 in Atrium SSO.

Product: BMC Transaction Management Application Response Time - Infrastructure Edition; BMC Transaction Management Application Response Time - Service Level Edition
Remediation: See this support article for instructions.
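Most of the Tomcat and Apache entries above come down to two settings: the connector's sslEnabledProtocols attribute in server.xml and the SSLProtocol directive in httpd.conf. The script below is an added example, not BMC's own tooling, that checks both offline so an administrator can confirm a host has actually been remediated. It parses a server.xml and flags any SSL-enabled connector that lists SSLv3 (or SSLv2Hello), names no TLS version (the sslProtocols="TLS" state shown in the BL-Decision Support entry), or has no protocol list at all; and it evaluates each SSLProtocol line with mod_ssl's documented rules (a bare name replaces the set, +name adds, -name removes, all expands), tolerating the ##CONFIGPARSE## marker used in the Entuity template file. The sample server.xml and httpd.conf excerpts are constructed for the example; the expansion of "all" as including SSLv2 is a conservative assumption matching httpd 2.2, since httpd 2.4 already excludes SSLv2 from "all".

```python
"""Offline audit of the two settings this advisory repeatedly asks administrators to
change: Tomcat <Connector sslEnabledProtocols=...> and Apache httpd SSLProtocol.
Added example with constructed sample inputs, not BMC's own tooling."""
import re
import xml.etree.ElementTree as ET

# JSSE protocol names that must not appear in a Tomcat connector's enabled list
# (SSLv2Hello is JSSE's name for accepting SSLv2-format ClientHello messages).
TOMCAT_WEAK = {"SSLv3", "SSLv2Hello"}
TLS_NAMES = {"TLSv1", "TLSv1.1", "TLSv1.2"}
# mod_ssl protocol names. "all" is expanded conservatively (assumption: the httpd 2.2
# meaning, which included SSLv2; on httpd 2.4 "all" already excludes SSLv2).
APACHE_ALL = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
APACHE_WEAK = {"SSLv2", "SSLv3"}
_CANON = {p.lower(): p for p in APACHE_ALL}


def audit_tomcat(server_xml):
    """Return one finding {'port', 'ok', 'reason'} per SSL-enabled <Connector>."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        a = conn.attrib
        if a.get("SSLEnabled", "").lower() != "true":
            continue
        port = a.get("port", "?")
        # Tomcat 7+ uses sslEnabledProtocols; the BL-Decision Support entry above
        # shows the older sslProtocols attribute, so accept either.
        raw = a.get("sslEnabledProtocols", a.get("sslProtocols"))
        if raw is None:
            findings.append({"port": port, "ok": False,
                             "reason": "no protocol list; JVM default may include SSLv3"})
            continue
        enabled = {p.strip() for p in raw.split(",") if p.strip()}
        weak = sorted(enabled & TOMCAT_WEAK)
        if weak:
            findings.append({"port": port, "ok": False,
                             "reason": "enables " + ", ".join(weak)})
        elif not enabled & TLS_NAMES:
            # e.g. sslProtocols="TLS": a context name, not an explicit protocol list
            findings.append({"port": port, "ok": False,
                             "reason": "'%s' names no TLS version; set sslEnabledProtocols" % raw})
        else:
            findings.append({"port": port, "ok": True,
                             "reason": "TLS only: " + ", ".join(sorted(enabled))})
    return findings


def apache_enabled(directive):
    """Evaluate one SSLProtocol directive the way mod_ssl documents it: a bare
    name replaces the set, '+name' adds, '-name' removes, 'all' expands."""
    words = directive.split()
    start = next(i for i, w in enumerate(words) if w.lower() == "sslprotocol") + 1
    enabled = set()
    for tok in words[start:]:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        protos = set(APACHE_ALL) if name.lower() == "all" else {_CANON.get(name.lower(), name)}
        if sign == "+":
            enabled |= protos
        elif sign == "-":
            enabled -= protos
        else:
            enabled = protos
    return enabled


def audit_apache(conf_text):
    """Return one finding {'line', 'ok', 'enabled', 'weak'} per SSLProtocol line."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        # Entuity template files prefix the directive with a ##CONFIGPARSE## marker.
        text = re.sub(r"^\s*##CONFIGPARSE##", "", line).strip()
        if not text or text.startswith("#") or not re.match(r"(?i)SSLProtocol\b", text):
            continue
        enabled = apache_enabled(text)
        weak = sorted(enabled & APACHE_WEAK)
        findings.append({"line": lineno, "ok": not weak,
                         "enabled": sorted(enabled), "weak": weak})
    return findings


# Constructed sample inputs: port 8443 mirrors the BL-Decision Support "before" state,
# 8444 the Aternity "after" state, 8445 an explicit SSLv3 list, 8446 no list at all.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
             sslProtocols="TLS"/>
  <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"/>
  <Connector port="8445" protocol="HTTP/1.1" SSLEnabled="true" sslEnabledProtocols="SSLv3, TLSv1"/>
  <Connector port="8446" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="TLS"/>
</Service></Server>"""

SAMPLE_HTTPD_CONF = """# constructed httpd_eye.conf excerpt
##CONFIGPARSE##    SSLProtocol -ALL +SSLv3 +TLSv1
##CONFIGPARSE##    SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
SSLProtocol all -SSLv2
SSLProtocol all -SSLv2 -SSLv3
#SSLProtocol all
"""

if __name__ == "__main__":
    for f in audit_tomcat(SAMPLE_SERVER_XML):
        print("tomcat port %s: %s (%s)" % (f["port"], "OK" if f["ok"] else "FIX", f["reason"]))
    for f in audit_apache(SAMPLE_HTTPD_CONF):
        print("httpd line %d: %s enabled=%s" % (f["line"], "OK" if f["ok"] else "FIX", f["enabled"]))
```

Run against a real server.xml or httpd.conf by reading the file into audit_tomcat or audit_apache. A connector with no protocol list is reported as needing a fix rather than as compliant, because whether the JVM default admits SSLv3 depends on the JDK release, and the advisory's guidance for every Tomcat-based product is to set sslEnabledProtocols explicitly.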