This post will share information about the OpenSSL Heartbleed vulnerability, how it affects BMC BladeLogic Decision Support for Server Automation (BDSSA) and how to address the impacted versions of BDSSA. First, here is some background information on the OpenSSL Heartbleed security bug:
What is the OpenSSL heartbleed bug referenced in CVE-2014-0160?
The following information is taken directly from http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
"The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug."
What versions of OpenSSL are affected?
The following is taken directly from http://heartbleed.com/:
"Status of different versions:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug."
Is BladeLogic Server Automation (BSA) or BladeLogic Decision Support for Server Automation (BDSSA) affected by the OpenSSL Heartbleed bug referenced in CVE-2014-0160?
BSA: No versions of BSA include the affected versions of OpenSSL listed above.
BDSSA: The following table lists the versions of BDSSA which are or are not susceptible to the Heartbleed bug (this varies by OS):
| BDSSA Version | Platform | Apache Web Server (AWS) version | OpenSSL Version | Affected? |
|---|---|---|---|---|
| 8.2.03, 8.2.04, 8.3, 8.3.01 | Linux / Solaris | 2.2.22 | 1.0.1c | Yes |
| 8.2.04, 8.3, 8.3.01 | Windows | 2.2.22 | 0.9.8t | No |
| 8.3.02, 8.3.03, 8.5 | Linux / Solaris / Windows | 2.2.24 | 1.0.1e | Yes |
It is also possible that some customers running a version of BDSSA which was not susceptible out of the box applied a standalone Apache Web Server 2.2.24 update to their BDSSA environment; that update would also have included OpenSSL 1.0.1, thereby introducing CVE-2014-0160 into their environment. Therefore, the version of OpenSSL should be confirmed using the following techniques:
How do I confirm what version of OpenSSL is running on my BDSSA Reports Server?
The version of OpenSSL can be confirmed as follows:
a) On Linux or Solaris, navigate to $BLREPORTS_HOME/webserver/lib or $BDS_HOME/webserver/lib (for 8.5).
b) Execute: sudo strings libssl.so.1.0.0 | grep -i 'openssl'
c) On Windows, run openssl.exe version -a from the webserver\bin directory of the Reports installation. The first line of the output is the OpenSSL version, for example:
C:\Program Files\BMC Software\BladeLogic\8.1\Reports\webserver\bin>openssl.exe version -a
OpenSSL 0.9.8t 18 Jan 2012
built on: Sat Jan 28 16:43:58 2012
options: bn(64,32) md2(int) rc4(idx,int) des(idx,cisc,4,long) blowfish(idx)
compiler: cl -I../zlib-1.2.5 /MD /Ox /O2 /Ob2 /Oy- /W3 /WX /Gs0 /GF /Gy /Zi /Yd/nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DAES_ASM -DBN_ASM -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DMD5_ASM -DSHA1_ASM -DRMD160_ASM -DOPENSSL_USE_APPLINK -I. /Fdtmp32dll/c_src-DOPENSSL_NO_IDEA -DOPENSSL
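The check above still has to be read by eye against the heartbleed.com status list. The following script is an added example (not part of the original post or a BMC tool) that takes the captured text from either command, extracts the OpenSSL version and classifies it against the quoted ranges; the Linux `strings` sample it embeds is constructed, and the handling of 1.0.1 letter releases after 1.0.1g (which keep the fix) goes slightly beyond what the page lists.

```shell
#!/bin/sh
# Added example, not from the original post: classify an OpenSSL version
# against the Heartbleed status list quoted above (1.0.1 through 1.0.1f
# vulnerable; 1.0.1g, the 1.0.0 branch and the 0.9.8 branch not).

# Pull the first "OpenSSL x.y.z<letter>" token out of text such as the
# output of `openssl version -a` or `strings libssl.so.1.0.0 | grep -i openssl`.
extract_openssl_version() {
    sed -n 's/.*OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1
}

# Print vulnerable / not vulnerable / unknown for a bare version string.
# Later 1.0.1 letter releases (h, i, ...) keep the 1.0.1g fix; anything
# outside the quoted list (e.g. 1.0.2 betas) is reported as unknown.
heartbleed_status() {
    case "$1" in
        1.0.1|1.0.1[a-f]*) echo "vulnerable" ;;
        1.0.1[g-z]*|1.0.0*|0.9.8*) echo "not vulnerable" ;;
        *) echo "unknown" ;;
    esac
}

# Combine both steps on captured text: prints "<version> <status>".
assess_openssl_output() {
    v=$(printf '%s\n' "$1" | extract_openssl_version)
    if [ -z "$v" ]; then
        echo "none unknown"
    else
        echo "$v $(heartbleed_status "$v")"
    fi
}

# Constructed sample of `strings libssl.so.1.0.0 | grep -i openssl` on a
# Linux BDSSA 8.3.02 host (bundled 1.0.1e per the table above).
SAMPLE_LINUX='OPENSSL_1.0.0
OpenSSL 1.0.1e 11 Feb 2013
OPENSSL_DIR: "/usr/local/ssl"'

# First lines of the Windows `openssl.exe version -a` output shown above.
SAMPLE_WINDOWS='OpenSSL 0.9.8t 18 Jan 2012
built on: Sat Jan 28 16:43:58 2012'

for sample in "$SAMPLE_LINUX" "$SAMPLE_WINDOWS"; do
    assess_openssl_output "$sample"
done
# Prints:
# 1.0.1e vulnerable
# 0.9.8t not vulnerable
```

A version string only shows which upstream release was bundled; a vendor build that backported the fix without changing the version would still read as vulnerable here, so treat the result as a prompt to apply the hotfix or confirm the build, not as proof either way.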
Hotfixes are now available for BDSSA 8.2, 8.3 and 8.5 to upgrade the version of Apache Web Server to 2.2.27 and thereby upgrade OpenSSL to 1.0.1g. The hotfixes are located in the following FTP locations:
1. For BDSSA 8.5.x releases: ftp://ftp.bmc.com/pub/outgoing/CVE-2014-0160/BDSSA%208.5.x/
2. For BDSSA 8.3.x releases: ftp://ftp.bmc.com/pub/outgoing/CVE-2014-0160/BDSSA%208.3.x/
3. For BDSSA 8.2.x releases: ftp://ftp.bmc.com/pub/outgoing/CVE-2014-0160/BDSSA%208.2.x/
Additional information about how the Heartbleed bug affects other BMC Products can be found here. This page will be updated regularly as hotfixes become available.
I hope this post provides the information you need on this topic, to assess and address any impact of Heartbleed on BDSSA. If you have any questions or comments on this topic, please feel free to use the comments section below. Also, please take a moment to rate the article so we can continue to monitor which topics and formats users find most useful.