Summary
The OpenSSL “Heartbleed” vulnerability related to BSM and its data collectors
- BSM 9.2x
- OMi 9.2x
- SiteScope 11:23
- Diagnostics 9.23
- BPM 9.23
- RUM 9.23
Question
The OpenSSL “Heartbleed” vulnerability related to BSM and its data collectors
VULNERABILITY SUMMARY: The “Heartbleed” vulnerability was detected in specific OpenSSL versions. OpenSSL is a third-party product that is embedded in some HP Software products. The objective of this bulletin is to notify HP Software customers about products affected by the “Heartbleed” vulnerability.
Note: The “Heartbleed” vulnerability (CVE-2014-0160) is a vulnerability in the OpenSSL cryptographic software library. This weakness potentially allows disclosure of information that is protected, under normal conditions, by the SSL/TLS protocol. The impacted products in the list below are vulnerable because they embed OpenSSL standard release software.
Answer
References: CVE-2014-0160 (SSRT101499)
Potential Security Impact: Remote disclosure of information
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
1. The current version is available from http://www.openssl.org. OpenSSL 1.0.1e was released on Feb 11, 2013.
2. BSM 9.2x uses OpenSSL 0.9.8t 18 Jan 2012
3. How to find the OpenSSL version used by BSM/OMi
Go to HPBSM\WebServer\bin
Type openssl
Type version
4. What versions of the OpenSSL are affected?
Status of different versions:
· OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
· OpenSSL 1.0.1g is NOT vulnerable
· OpenSSL 1.0.0 branch is NOT vulnerable
· OpenSSL 0.9.8 branch is NOT vulnerable
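The status list above, applied to the banner that `openssl version` prints, as an added example (not HP's code). It checks every `openssl*.exe` in a bin directory rather than only the default `openssl`, because the Diagnostics entry further down this page shows differently named copies shipped alongside it; the function names and the `openssl*.exe` glob pattern are assumptions.

```python
import glob
import os
import re
import subprocess

# Banner printed by `openssl version`, e.g. "OpenSSL 1.0.1c 10 May 2012".
BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def heartbleed_status(banner):
    """Classify a version banner against the status list above."""
    m = BANNER.search(banner)
    if not m:
        return "unknown"
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4)
    if release == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are vulnerable; 1.0.1g and
        # later letter releases carry the fix.
        return "vulnerable" if letter <= "f" else "not vulnerable"
    if release < (1, 0, 1):
        # Covers the 1.0.0, 0.9.8 and 0.9.6 releases named on this page.
        return "not vulnerable"
    return "not listed"  # newer branches are outside the page's list


def scan_bin_dir(bin_dir):
    """Run `<exe> version` for each openssl*.exe in bin_dir (assumed layout)."""
    results = {}
    for exe in sorted(glob.glob(os.path.join(bin_dir, "openssl*.exe"))):
        try:
            proc = subprocess.run([exe, "version"], capture_output=True,
                                  text=True, timeout=10)
            banner = proc.stdout.strip()
        except (OSError, subprocess.SubprocessError):
            banner = ""  # binary could not be run; reported as "unknown"
        results[os.path.basename(exe)] = (banner, heartbleed_status(banner))
    return results


if __name__ == "__main__":
    # Banners copied from the sessions on this page; a real run would call
    # scan_bin_dir() on a product's bin directory instead.
    for sample in ("OpenSSL 0.9.6h [engine] 5 Dec 2002",
                   "OpenSSL 0.9.8d 28 Sep 2006",
                   "OpenSSL 1.0.0c 2 Dec 2010",
                   "OpenSSL 1.0.1c 10 May 2012"):
        print(f"{sample!r}: {heartbleed_status(sample)}")
```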
BSM/OMI DATA COLLECTORS
1. RUM Engine 9.23 uses OpenSSL 0.9.6h [engine] 5 Dec 2002 (NOT vulnerable)
C:\HPRUM\bin>openssl
OpenSSL> version
OpenSSL 0.9.6h [engine] 5 Dec 2002
OpenSSL>
2. SiteScope 11:23 uses OpenSSL 0.9.6h [engine] 5 Dec 2002 (NOT vulnerable)
C:\SiteScope\bin>openssl
OpenSSL> version
OpenSSL 0.9.6h [engine] 5 Dec 2002
OpenSSL>
3. BSM Connector uses OpenSSL 0.9.6h [engine] 5 Dec 2002 (NOT vulnerable)
C:\BSMConnector\bin>openssl
OpenSSL> version
OpenSSL 0.9.6h [engine] 5 Dec 2002
OpenSSL>
4. Diagnostics 9.23 uses OpenSSL 0.9.6h [engine] 5 Dec 2002 (NOT vulnerable after the extra files are deleted)
C:\MercuryDiagnostics\Server\nanny\windows\bin>openssl
OpenSSL> version
OpenSSL 0.9.6h [engine] 5 Dec 2002
OpenSSL>
Diagnostics 9.23 and Diagnostics 9.23 IP1 contain files related to the “Heartbleed” vulnerability that was detected in specific OpenSSL versions.
HP has tested Diagnostics in the Production use case (AM License); the relevant files are not in use and can be deleted from the Diagnostics installation.
On Windows Server deployments, the following files can be deleted from <Diag Install Dir>\Server\nanny\windows\bin:
openssl_101_x32.exe
openssl_101_x32_s.exe
openssl_mic_101_x32.exe
openssl_mic_101_x32_s.exe
These files are not distributed for Linux deployments.
If you are using Diagnostics integrated with HP LoadRunner or HP Performance Center, then these files may still be in use, and HP is working to address this vulnerability.
5. Business Process Monitor BPM 9.22 and lower versions use OpenSSL 1.0.0c 2 Dec 2010 (NOT vulnerable)
C:\BPM\bin>openssl_10_x32
OpenSSL> version
OpenSSL 1.0.0c 2 Dec 2010
OpenSSL>
Business Process Monitor BPM 9.23 and BPM 9.24 use an OpenSSL version affected by Heartbleed
C:\LoadGenerator\bin>openssl_101_x32.exe
OpenSSL> version
OpenSSL 1.0.1c 10 May 2012
OpenSSL>
6. Service Manager 9.30 uses OpenSSL 0.9.8d 28 Sep 2006 (NOT vulnerable)
C:\Program Files\HP\Service Manager 9.30\Server\RUN>openssl
OpenSSL> version
OpenSSL 0.9.8d 28 Sep 2006
OpenSSL>
7. System Health 9.23 uses OpenSSL 0.9.6h [engine] 5 Dec 2002 (NOT vulnerable)
C:\SiteScope\bin>openssl
OpenSSL> version
OpenSSL 0.9.6h [engine] 5 Dec 2002