6 Replies Latest reply on Apr 22, 2014 2:41 PM by John O'Toole

    heartbleed


      I did a quick vulnerability assessment and found that BDSSA servers are in fact vulnerable to Heartbleed. Does BDSSA use OpenSSL? How do we patch it?

        • 1. Re: heartbleed

          This is for a Windows environment.

          • 2. Re: heartbleed

            BDSSA: BDSSA 8.3.02, 8.3.03 and 8.5 do include OpenSSL 1.0.01 and are therefore affected by CVE-2014-0160.

            BMC is currently working on providing an updated version of OpenSSL for these versions. This article will be updated with an ETA when available.

            How do I confirm what version of OpenSSL is running on my BSA and BDSSA Application Servers?

            In some cases, an out-of-band update of the BDSSA Apache web server may have been performed, which would have updated the version of OpenSSL from the one delivered out of the box by BDSSA. In this case, the version of OpenSSL should be checked to confirm whether it matches an affected version. The version of OpenSSL can be found by using the 'openssl version -a' command, e.g.:

            Output of the command on Linux:

            [root@supdb02 bin]# pwd
            /opt/bmc/bladelogic/NSH/bin
            [root@supdb02 bin]# ./openssl version -a
            OpenSSL 0.9.8s-fips 4 Jan 2012
            built on: Thu Jan 19 04:28:21 EST 2012
            platform: linux-x86_64
            options:  bn(64,64) md2(int) rc4(8x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
            compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM
            OPENSSLDIR: "/usr/lib/rsc"

            Output of the command on Windows:

            C:\Program Files\BMC Software\BladeLogic\8.1\Reports\webserver\bin>openssl.exe version -a
            OpenSSL 0.9.8t 18 Jan 2012
            built on: Sat Jan 28 16:43:58 2012
            platform: VC-WIN32
            options: bn(64,32) md2(int) rc4(idx,int) des(idx,cisc,4,long) blowfish(idx)
            compiler: cl -I../zlib-1.2.5 /MD /Ox /O2 /Ob2 /Oy- /W3 /WX /Gs0 /GF /Gy /Zi /Yd/nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DAES_ASM -DBN_ASM -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DMD5_ASM -DSHA1_ASM -DRMD160_ASM -DOPENSSL_USE_APPLINK -I. /Fdtmp32dll/c_src-DOPENSSL_NO_IDEA -DOPENSSL

            • 3. Re: heartbleed
              Isaac Matta

              Hi Tanveer, so are the Reports services disabled?

              We have not published the KA yet; we will do it soon, when we have an ETA on the hotfix.

              Regards,

              Isaac

              • 4. Re: heartbleed
                Isaac Matta

                Please download the fix from: ftp://ftp.bmc.com/outgoing/CVE-2014-0160/

                Below are the instructions:

                # Product(s) - BDSSA
                # Version: 8.3.02, 8.3.03, 8.5
                #
                # OS - Windows
                #
                ####################################################
                #
                # The following issue is addressed via this script.
                # QM001827472 - Bug in OpenSSL referenced in CVE-2014-0160
                #
                ####################################################
                #
                #   INSTRUCTIONS
                # Execute this script with Administrator privilege.
                #
                ####################################################

                1. Extract AWS2.2.27-OpenSSL1.0.1g-Windows.zip on c:\

                2. Navigate to C:\AWS2.2.27-OpenSSL1.0.1g-Windows.zip

                3. Execute upgrade.nsh as "nsh upgrade.nsh"

                  3.1 If you see the error below during the AWS upgrade, please verify points 4 and 5. If AWS is upgraded and reports are working fine, then you can ignore this error.
                  "Errors reported here must be corrected before the service can be started."

                4. Verify the AWS and OpenSSL versions as below

                  4.1 Go to Start >> Run
                  4.2 Execute services.msc
                  4.3 Select the Apache2 service; all versions will be displayed in the description.

                5. Verify that the reports URL is working

                Note:
                Running this HF will upgrade the AWS and OpenSSL versions; however, the <BLREPORTS_HOME>/Version file will still show the old AWS version.
                In order to reflect the correct version, please update the file manually with the entries below:

                APACHE=2.2.27
                OpenSSL=1.0.1g
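As an added example (not from this thread and not BMC's hotfix script), a POSIX shell script that classifies the banner line of 'openssl version -a' from reply 2 against the CVE-2014-0160 affected range, and cross-checks the <BLREPORTS_HOME>/Version file that the note in reply 4 says is not rewritten by the hotfix. The banner strings and Version file content are constructed sample input; the affected range (1.0.1 through 1.0.1f, fixed in 1.0.1g, with 0.9.8 and 1.0.0 never affected) is an OpenSSL fact assumed here, not stated in full by the thread.

```sh
#!/bin/sh
# Added example, not BMC's script: classify "openssl version" banners for
# CVE-2014-0160 and cross-check the BDSSA Version file. Assumed OpenSSL facts:
# 1.0.1 to 1.0.1f (and 1.0.2-beta1) affected, 1.0.1g fixed, 0.9.8/1.0.0 never.

# Pull the version token after "OpenSSL " from a banner such as
# "OpenSSL 0.9.8s-fips 4 Jan 2012" (works on a full 'version -a' dump too).
banner_version() {
  printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^.*OpenSSL \([^ ]*\).*$/\1/p' | head -n 1
}

# Print "affected", "not-affected" or "unknown" for a banner line.
heartbleed_status() {
  ver=$(banner_version "$1")
  [ -n "$ver" ] || { echo "unknown"; return 0; }
  case "$ver" in
    1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) echo "affected" ;;
    0.9.*|1.0.0*|1.0.1[g-z]*|1.0.2*|1.1.*)            echo "not-affected" ;;
    *)                                                 echo "unknown" ;;
  esac
}

# <BLREPORTS_HOME>/Version holds lines like "OpenSSL=1.0.1g"; the hotfix note
# says the file is not rewritten, so compare it with the binary's banner.
version_file_openssl() {
  printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^OpenSSL=\(.*\)$/\1/p' | head -n 1
}

# Print "consistent" when the Version file agrees with the binary, else
# "stale (file says X, binary says Y)" so an operator knows to edit the file.
version_file_consistent() {
  file_ver=$(version_file_openssl "$1")
  bin_ver=$(banner_version "$2")
  if [ "$file_ver" = "$bin_ver" ]; then
    echo "consistent"
  else
    echo "stale (file says $file_ver, binary says $bin_ver)"
  fi
}

# Constructed sample inputs (the first matches the thread's Linux output).
SAMPLE_BANNER_LINUX='OpenSSL 0.9.8s-fips 4 Jan 2012'
SAMPLE_BANNER_VULN='OpenSSL 1.0.1e 11 Feb 2013'
SAMPLE_BANNER_PATCHED='OpenSSL 1.0.1g 7 Apr 2014'
SAMPLE_VERSION_FILE='APACHE=2.2.26
OpenSSL=1.0.1e'
for b in "$SAMPLE_BANNER_LINUX" "$SAMPLE_BANNER_VULN" "$SAMPLE_BANNER_PATCHED"; do
  printf '%-32s %s\n' "$b" "$(heartbleed_status "$b")"
done
version_file_consistent "$SAMPLE_VERSION_FILE" "$SAMPLE_BANNER_PATCHED"
```

On a real server, feed it the output of the NSH or Reports webserver openssl binary shown in reply 2 and the contents of <BLREPORTS_HOME>/Version; a "stale" result after the hotfix is the case the note describes.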