If you are reading this blog, I assume you are familiar with the Heartbleed bug. For a while there it seemed that even mainstream news sites were discussing little else apart from Heartbleed.
The short version is that a certain library used for secure communication, OpenSSL, was found to have a vulnerability, and to have had it for the last couple of years. Because this is an open-source library, it was re-used in many many other products and web services. BMC BladeLogic can help with the applying the fix to your affected servers, and many of our customers have already used BladeLogic for this purpose.
The tricky bit about Heartbleed actually comes after the first round of patches. How can you find and fix all the affected devices and services on your network? Remember, this is not a one-time task. Six months from now, after you’ve cleaned your network of HeartBleed, someone clones an old VM template that pre-dated awareness of the problem and has not been patched. How are you going to deal with that situation in the future?
As it happens, BMC can be a big part of the solution to that problem.
The first part of the solution is discovery. BMC’s Discovery / ADDM solution will discover devices and services on a continuous basis. You can then look for affected software versions and determine correct remediation actions. Because ADDM discovery is frequent and does not depend on external inputs, this approach will give a good view of the actual vulnerability of your environment to Heartbleed - and also all sorts of other issues. For instance, scans might turn up old systems running Windows XP, which are now completely out of support.
The next step is to put those remediation actions into place. BMC BladeLogic will let you distribute patches to the affected servers or even shut them down if they are unauthorised. Automating this patching process is crucial to ensuring complete coverage, especially in large-scale environments. Patching by hand would take too long, but automation is fast.
The other advantage is that automation is predictable. Once you have automated a process, you can be sure that the results will be the same whenever and wherever it is run. This means that you can test the upgrade in a pre-production environment and make sure it does not have unforeseen impacts before you roll it out in production. BladeLogic will let you validate that those environments are congruent and therefore that your test makes sense.
Either way, Heartbleed is not a vulnerability you can afford to ignore. Attackers can not only extract random data from your server’s memory, but it has now been proven to be possible to hijack user sessions. This sort of impersonation could have very serious consequences, especially if it takes place some time in the future when much of the current attention to Heartbleed has died down. You need to ensure defence in depth, not just against Heartbleed but against the next bug and the one after that. Continuous automated discovery and remediation is the only way to do that.
If you are an ADDM user we can schedule an assessment in your environment, identifying Heartbleed and other vulnerabilities. Please register here to arrange that. For more information about how to use BladeLogic in your fight against Heartbleed and other similar problems, join the discussion on the TrueSight Server Automation forum or contact your BMC account manager directly.
Regarding our own products, BMC has published a constantly-updated list of affected products and the status of those patches, which you can find here. BladeLogic automation products (Server, Network, Middleware and Database) are not affected, but the Decision Support reporting engine is affected on Unix and Linux (not on Windows).