
This post shares information about the OpenSSL Heartbleed vulnerability, how it affects BMC BladeLogic Decision Support for Server Automation (BDSSA), and how to address the impacted versions of BDSSA. First, some background on the OpenSSL Heartbleed security bug:

What is the OpenSSL Heartbleed bug referenced in CVE-2014-0160?


The following information is taken directly from http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

 

"The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug."

 

What versions of OpenSSL are affected?

The following is taken directly from http://heartbleed.com/:

"Status of different versions:
    OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
    OpenSSL 1.0.1g is NOT vulnerable
    OpenSSL 1.0.0 branch is NOT vulnerable
    OpenSSL 0.9.8 branch is NOT vulnerable

Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug."

 

Is BladeLogic Server Automation (BSA) or BladeLogic Decision Support for Server Automation (BDSSA) affected by the OpenSSL Heartbleed bug referenced in CVE-2014-0160?

BSA: No versions of BSA include the affected versions of OpenSSL listed above.

BDSSA: The following table lists the versions of BDSSA which are or are not susceptible to the Heartbleed bug (this varies by OS).

 

BDSSA Version                Platform                Apache Web Server version   OpenSSL Version   Affected?
8.2.02                       Linux\Solaris           2.2.22                      0.9.8r            No
8.2.03, 8.2.04, 8.3, 8.3.01  Linux\Solaris           2.2.22                      1.0.1c            Yes
8.2.02, 8.2.03               Windows                 2.2.22                      0.9.8t            No
8.2.04, 8.3, 8.3.01          Windows                 2.2.22                      0.9.8t            No
8.3.02, 8.3.03, 8.5          Linux\Solaris\Windows   2.2.24                      1.0.1e            Yes

 


It is also possible that some customers running a version of BDSSA which was not susceptible out of the box later applied a standalone Apache Web Server 2.2.24 update to their BDSSA environment; that update also included OpenSSL 1.0.1 and so introduced CVE-2014-0160 into the environment. The installed version of OpenSSL should therefore be confirmed using the following techniques:

 

How do I confirm what version of OpenSSL is running on my BDSSA Reports Server?

The version of OpenSSL can be confirmed as follows:

 

Linux/Solaris:

a) Navigate to $BLREPORTS_HOME/webserver/lib or $BDS_HOME/webserver/lib (for 8.5)

b) Execute: sudo strings libssl.so.1.0.0 | grep -i 'openssl'


Windows:

C:\Program Files\BMC Software\BladeLogic\8.1\Reports\webserver\bin>openssl.exe version -a
OpenSSL 0.9.8t 18 Jan 2012
built on: Sat Jan 28 16:43:58 2012
platform: VC-WIN32
options: bn(64,32) md2(int) rc4(idx,int) des(idx,cisc,4,long) blowfish(idx)
compiler: cl -I../zlib-1.2.5 /MD /Ox /O2 /Ob2 /Oy- /W3 /WX /Gs0 /GF /Gy /Zi /Yd/nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DAES_ASM -DBN_ASM -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DMD5_ASM -DSHA1_ASM -DRMD160_ASM -DOPENSSL_USE_APPLINK -I. /Fdtmp32dll/c_src-DOPENSSL_NO_IDEA -DOPENSSL
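As an added example (not code from the original post or from BMC), the following POSIX shell helper takes the text produced by either of the commands above and classifies the OpenSSL version it finds against the affected-version list quoted from heartbleed.com; the sample strings output embedded in it is constructed, and the library path in the comment is the one from the Linux/Solaris steps.

```shell
#!/bin/sh
# Added illustrative example, not part of the original post or of BMC's hotfix.
# Classifies an OpenSSL version against the affected-version list quoted
# above for CVE-2014-0160: 1.0.1 through 1.0.1f vulnerable; 1.0.1g, the
# 1.0.0 branch and the 0.9.8 branch not vulnerable; anything else unknown.

# heartbleed_status VERSION   (VERSION as printed by `openssl version`, e.g. 1.0.1e)
# Prints the classification; exit status 0 = vulnerable, 1 = not, 2 = unknown.
heartbleed_status() {
    case "$1" in
        1.0.1|1.0.1[abcdef]) echo "VULNERABLE";     return 0 ;;
        1.0.1*)              echo "not vulnerable"; return 1 ;;  # 1.0.1g and later letters
        1.0.0*|0.9.8*)       echo "not vulnerable"; return 1 ;;
        *)                   echo "unknown";        return 2 ;;
    esac
}

# extract_version TEXT
# Pulls the version token out of output such as "OpenSSL 1.0.1e 11 Feb 2013",
# whether it came from `openssl version -a` or from
# `strings libssl.so.1.0.0 | grep -i openssl` (which prints several such lines).
extract_version() {
    printf '%s\n' "$1" | grep -o 'OpenSSL [0-9][0-9a-z.]*' | head -n 1 | cut -d' ' -f2
}

# check_openssl_text TEXT : extract the version from TEXT and classify it.
check_openssl_text() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"
        return 2
    fi
    heartbleed_status "$v"
}

# Constructed sample modelled on what `strings` returns for a libssl built from 1.0.1e.
SAMPLE_STRINGS='SSLv3 part of OpenSSL 1.0.1e 11 Feb 2013
TLSv1 part of OpenSSL 1.0.1e 11 Feb 2013'

# Against a real Reports Server (path taken from the Linux/Solaris steps above):
#   cd "$BLREPORTS_HOME/webserver/lib" && check_openssl_text "$(strings libssl.so.1.0.0 | grep -i openssl)"
check_openssl_text "$SAMPLE_STRINGS"
```

The Windows output can be checked the same way by pasting the first line of `openssl.exe version -a` into check_openssl_text.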

 

Hotfix Information:

 

Hotfixes are now available for BDSSA 8.2, 8.3 and 8.5 to upgrade the version of Apache Web Server to 2.2.27 and thereby upgrade OpenSSL to 1.0.1g. The hotfixes are located in the following FTP locations:

 

  1. For BDSSA 8.5.x releases: ftp://ftp.bmc.com/pub/outgoing/CVE-2014-0160/BDSSA%208.5.x/
  2. For BDSSA 8.3.x releases: ftp://ftp.bmc.com/pub/outgoing/CVE-2014-0160/BDSSA%208.3.x/
  3. For BDSSA 8.2.x releases: ftp://ftp.bmc.com/pub/outgoing/CVE-2014-0160/BDSSA%208.2.x/

Additional information about how the Heartbleed bug affects other BMC Products can be found here. This page will be updated regularly as hotfixes become available.

I hope this post provides the information you need on this topic, to assess and address any impact of Heartbleed on BDSSA. If you have any questions or comments on this topic, please feel free to use the comments section below. Also, please take a moment to rate the article so we can continue to monitor which topics and formats users find most useful.


We have had a couple of customers hit this in 8.5, so I put together the following KB article with details of the issue and the fix for both SQL Server and Oracle environments if encountered:

 

https://kb.bmc.com/infocenter/index?page=content&id=KA411148

 

For those who might not have KB access, the article text is also pasted below and the fixed stored procedures for Oracle and SQL Server are attached.

__________________________________________________________________________________________________________________

 

Problem

After installing or upgrading to BDSSA 8.5, the following ETL step may run for hours and use a very large amount of tempdb (SQL Server) or TEMP tablespace (Oracle):

3_PATCH -> LOAD_PATCH_ANLY_JOB_RUN_RSLT

The amount of space used may be upwards of 100 GB depending on the environment, so this is not a legitimate sizing issue.

LP: BMC Decision Support - Server Automation (5 Viewer, 1 Query License) 8.5.00
DR: BMC BladeLogic Decision Support for Server Automation 8.5.00

 

Solution

This problem has been observed in a few SQL Server environments in BDSSA 8.5 but could also occur in Oracle environments.

 

The problem is caused by a Cartesian join in this ETL step, which results in slow performance and very high tempdb (SQL Server) or TEMP tablespace (Oracle) consumption.

 

The issue has been fixed with a modification to the stored procedure involved. The fixed stored procedure SQL scripts for SQL Server and Oracle are attached to this article. They should only be applied to BDSSA 8.5. This issue will also be resolved in BDSSA 8.5 SP1.

 

On Oracle:
1) Run oracle_load_patch_anly_job_run_rslt.sql as the BSARA_DW DB user to recreate the modified stored procedure
2) Rerun ETL
3) Verify that the 3_PATCH step of ETL now completes more quickly without consuming an excessive amount of TEMP tablespace

 

On SQL Server:
1) Run sqlserver_load_patch_anly_job_run_rslt.sql on the BSARA_DW_DB database to recreate the modified stored procedure
2) Rerun ETL
3) Verify that the 3_PATCH step of ETL now completes more quickly without consuming an excessive amount of tempdb

__________________________________________________________________________________________________________________

 
