
You have probably heard of the Heartbleed, POODLE, GHOST, Logjam, and FREAK vulnerabilities, as they are often referred to. Whether you prefer to refer to them by CVE number or by nickname, these nasty vulnerabilities are showing up on security scans recently and causing concern for many different applications. What does that mean for BPPM?

 

BMC ProactiveNet Performance Manager is not affected by many of these vulnerabilities. BPPM has not been impacted as much as some applications. The list below shows which vulnerabilities require action.


Each entry below gives the vulnerability, its CVE number(s), and the remediation.

Heartbleed
CVE number(s): CVE-2014-0160
Remediation: OpenSSL 1.0.1 through 1.0.1f (inclusive) is vulnerable. OpenSSL 1.0.1g is NOT vulnerable. The OpenSSL 1.0.0 branch is NOT vulnerable. The OpenSSL 0.9.8 branch is NOT vulnerable. BPPM 9.0 runs with OpenSSL 1.0.0e, so it is NOT vulnerable. BPPM 9.5 runs with OpenSSL 1.0.1c and so IS vulnerable.

The patches for BPPM 9.5 on all supported platforms are available at ftp://ftp.bmc.com/pub/BPPM/PATCHES/9.5/HeartBleed_Patch. Please see the file 'readme_BPPM_OpenSSL_Heartbleed_fix_PS.txt' for installation instructions.

CCS Injection Bug
CVE number(s): CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470
Remediation: BPPM Server 9.5 should be using OpenSSL 1.0.1g if it was patched for the "Heartbleed" bug. This 1.0.1g release does have the "CCS Injection" bug, but it was found that the BPPM server is not vulnerable to this "CCS Injection" bug because of how it is being used.

Both the client and the server have to be running OpenSSL for the "CCS Injection" exploit to work. Since the browsers (IE, Chrome, Firefox, Safari) do not use OpenSSL, the BPPM web console HTTPS sessions are not vulnerable.

Shellshock
CVE number(s): CVE-2014-6271, CVE-2014-7169
Remediation: The BPPM server does not use bash internally; it uses only C shell or shell scripts. BPPM is not affected by the Shellshock bug.

Poodle
CVE number(s): CVE-2014-3566
Remediation: BPPM is impacted, and users should disable SSL v3.0 in the BPPM Apache configuration to address the POODLE vulnerability:

1. Stop the BPPM Server with "pw system stop".

2. Locate the platform-specific configuration file.

   For BPPM 9.5 and 9.6: <BPPM HOME>\pw\apache\conf\extra\httpd-ssl.conf (Windows) or <BPPM HOME>/pw/apache/conf/extra/httpd-ssl.conf (Linux/Solaris)

   For BPPM 9.0 and 8.6: <BPPM HOME>\pw\ApacheGroup\Apache\conf\httpd-ssl.conf (Windows) or <BPPM HOME>/pw/Apache/conf/httpd-ssl.conf (Linux/Solaris)

3. Add the following line to the httpd-ssl.conf file in the "SSL Cipher Suite" section:

   SSLProtocol all -SSLv2 -SSLv3

4. Restart the ProactiveNet Server with "pw system start".

Ghost
CVE number(s): CVE-2015-0235
Remediation: As this flaw stems from glibc and manifests itself via the gethostbyname() function, we have not found it to be exploitable in any BMC products.

Freak
CVE number(s): CVE-2015-0204, CVE-2015-0291
Remediation: BPPM 9.5 and 9.6 are not affected. BMC TrueSight Infrastructure Management (formerly BMC ProactiveNet Performance Management Suite) 9.5 and 9.6 ship with export ciphers disabled.

Only BPPM versions 8.6 and 9.0 are affected by this vulnerability. To disable the EXPORT ciphers for version 8.6 or 9.0, follow these steps:

1. Stop the BPPM server with the 'pw sys stop' command.

2. Back up the file <BPPM HOME>\pw\apache\conf\extra\httpd-ssl.conf (Windows) or <BPPM HOME>/pw/apache/conf/extra/httpd-ssl.conf (Linux/Solaris).

3. Modify the httpd-ssl.conf file and add "!EXP" to the SSLCipherSuite setting. Remove "+EXP" if it appears.

4. Start the BPPM server with the 'pw sys start' command.
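As an added example (not part of this article or of any BMC tooling), here is a small Python check that applies the rules above to an httpd-ssl.conf: whether SSLv3 is still enabled (the POODLE step), whether export ciphers are still allowed (the FREAK step), and the Heartbleed OpenSSL version rule from the table. The two config samples are constructed, not taken from a BPPM install, and the cipher-suite check is a string-level heuristic rather than a full OpenSSL cipher-string parser.

```python
import re
# Constructed samples (not copied from a real BPPM install) of the SSL section of
# httpd-ssl.conf before and after the POODLE (SSLProtocol) and FREAK (!EXP) steps.
CONF_BEFORE = """
#   SSL Cipher Suite:
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLProtocol all
"""
CONF_AFTER = """
#   SSL Cipher Suite:
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:!EXP:+eNULL
SSLProtocol all -SSLv2 -SSLv3
"""

def directives(conf_text):
    """Map each directive to its last value; Apache applies the last occurrence."""
    found = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            if len(parts) == 2:
                found[parts[0]] = parts[1]
    return found

def sslv3_enabled(conf_text):
    """POODLE: SSLv3 stays on unless SSLProtocol removes it. A missing SSLProtocol
    behaves like 'all', which still includes SSLv3 on these Apache releases."""
    tokens = directives(conf_text).get("SSLProtocol", "all").split()
    if "-SSLv3" in tokens:
        return False
    return any(t.lower() in ("all", "sslv3", "+sslv3") for t in tokens)

def export_ciphers_allowed(conf_text):
    """FREAK, using the page's rule: '!EXP' forbids export ciphers outright; '+EXP' or a
    catch-all such as ALL brings them in. Confirm with: openssl ciphers -v '<suite>'."""
    selectors = {"ALL", "DEFAULT", "EXP", "+EXP", "EXPORT", "EXPORT40", "EXPORT56"}
    tokens = directives(conf_text).get("SSLCipherSuite", "DEFAULT").split(":")
    if "!EXP" in tokens or "!EXPORT" in tokens:
        return False
    return any(t in selectors for t in tokens)

def heartbleed_vulnerable(openssl_version):
    """Heartbleed rule from the table: only 1.0.1 through 1.0.1f (inclusive) are hit."""
    m = re.match(r"(\d+\.\d+\.\d+)([a-z]?)", openssl_version)
    if not m:
        raise ValueError("unrecognised OpenSSL version: " + openssl_version)
    base, letter = m.groups()
    return base == "1.0.1" and letter <= "f"   # "" (bare 1.0.1) sorts before "f"
```

Feed the file contents to sslv3_enabled() and export_ciphers_allowed() after editing; both should return False on a remediated server.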

LogJam
CVE number(s): CVE-2015-4000
Remediation: BPPM is not affected.

 

Didn't see a vulnerability on the list? Please open a ticket with Customer Support and provide the CVE number or security scan results and we will investigate it for you.  Please also check our Knowledge Base regularly as we do update it when we find new vulnerabilities which require modifications to the product. Usually searching by CVE number will help find a given vulnerability.


If you would prefer to upgrade OpenSSL and Apache for BPPM 9.5+, you can use the following instructions if running on Windows.

 

How to upgrade BPPM 9.5 to use OpenSSL version 1.0.1i and Apache version 2.4.10 (or better) on a Windows server

 

Below are the steps to manually upgrade BPPM 9.5 to Apache 2.4.10 with OpenSSL 1.0.1i on a Windows server:

 

Note 1: These steps are for Windows operating systems only

Note 2: Please perform these steps on a BPPM server in a test environment before performing them on the production environment

 

Prerequisites:

Please ensure that you have installed the Visual C++ 2010 SP1 Redistributable Package (x64): VC10 SP1 vcredist_x64.exe

 

Step 1) Download Apache 2.4.10 (VC 10 win 64-bit) from http://www.apachelounge.com/download/ and unzip the file to a known location.

 

Step 2) Stop the BPPM application

 

Step 3) Make a backup of the \ProactiveNet\pw\Apache directory, or back up the whole \ProactiveNet directory and its sub-directories

 

Step 4) Replace the \ProactiveNet\pw\Apache directory with the Apache folder unzipped in Step 1

 

Step 5) Copy the following files from the Apache backup taken in Step 3 and paste them into the corresponding locations in the new Apache directory:

- pw\Apache\conf\httpd.conf
- pw\Apache\conf\extra\httpd-ssl.conf
- pw\Apache\conf\extra\httpd-proxy.conf
- pw\Apache\conf\my-server.cert
- pw\Apache\conf\my-server.key
- pw\Apache\conf\TunnelAgent

 

Step 6) Restart the BPPM application

 

We do not have a set of instructions to upgrade the version of Apache/OpenSSL on Solaris; the basic steps are comparable, with the specific differences being the locations of the files, folders, and subdirectories.

 

The ApacheGroup/Apache directory structure is only for Windows.  On your Unix system, the Apache installation is in the pw/apache subdirectory shown in your output.  That's where you can update these files.

There aren't any separate instructions written up for Solaris. It would basically be the same, with some slight differences:

 

In the conf dir, there are server.crt and server.key, not my-server.crt and my-server.key.

There is no agentPem.crt.

 

The modules directory has mod_jk.so, not mod_jk-1.2.28-httpd-2.2.3.so.

 

For the OpenSSL download, it appears to be available from unixpackages.com (and the site indicates that it has the updated versions that take care of the vulnerability).

 

BMC definitely recommends upgrading to the latest version of BPPM rather than patching the Apache/OpenSSL versions, as the latest product version has been certified by QA and any change to that environment may lead to problems or performance issues. The rule of thumb should be to consider the upgrade of BPPM before considering an upgrade of Apache/OpenSSL.

 

For any questions about the security vulnerabilities or any other Apache/OpenSSL concerns, please contact Customer Support for further assistance.


Newly Published Knowledge Articles - New Content has been added over the last month!

 

This is our opportunity to share with you some of the most recently created knowledge articles in case they may help you with something you would like to know more about.

 

KA426693 - Error adding CMA global threshold to a "Unix and Linux - HP-UX and Linux" or "Unix and Linux - Solaris and AIX" solution

KA426707 - Installation of Service Resolution on BPPM completes with warnings if the username/password for Oracle instance has been changed from the default of proact/proact

KA426607 - The cmapolicymigration utility will still try to connect to HTTP port 80 even if BPPM has been reconfigured so that Apache webserver uses a custom port

KA426917 - The cell initialization is taking a long time and is preventing BPPM from starting up

KA426748 - How can I close all events of the same severity from a command line?

KA426600 - If the operations console is idle for a small period of time, a blank Navigation Pane Option Error popup message appears. 

KA426616 - Why are the Remote Agents not appearing under Device -> RemoteAgent in the Admin console?

 

Popular Knowledge Articles - Here are some of our most commonly used articles over the last month!

 

KA357339 - How to configure/scale ProactiveNet (MaxHeap, RAM, etc.) on server components like jserver, rate, Agent Controller and remote ProactiveNet Agent.

KA399915 - Events are not seen in 9.x BPPM Collectors after KB is reload or Cell is restarted.

KA417354 - How to upgrade BPPM 9.5 to use OpenSSL version 1.0.1i and Apache version 2.4.10 (or better) on a Windows server?

KA425524 - On the SNMP Adapter Configuration Manager, when you push the publish button nothing happens and there is no message written to the lower window in the configurator screen.

KA409289 - After installing BPPM 9.5, LDAP user is unable to login - "BMC-BSW000609E Failed to find user groups for user xxxxxx"


Looking for a previous blog posting? Find it here:  BMC TrueSight Pulse Blogs

 

 

Feedback Request:

Help us help you! Use the rating system at the bottom of this blog to rate this post! Feel free to comment as well.
What topics would you like to see?