Upgrade OpenSSL file used by Performance Center 12.0x to version 1.0.1j (hotfix for POODLE vulnerability)

  • KM01368551
  • 25-Jan-2015
  • 16-Feb-2015

Summary

An industry-wide vulnerability affecting the SSL 3.0 protocol (a.k.a. POODLE) has been discovered. While Performance Center does not use the SSL 3.0 protocol, it may still be affected by proxy through third-party implementations of that protocol.

Question

A vulnerability in SSL 3.0 could allow information disclosure (a.k.a. POODLE).
The vulnerability is in the protocol and is not specific to the implementation. Therefore, any implementation of the protocol is affected.
For more details on the vulnerability, see https://www.openssl.org/news/secadv_20141015.txt.

Performance Center does not use the SSL 3.0 protocol.
However, since any implementation of the protocol is affected, all versions of Performance Center may be affected by proxy through the OpenSSL and Windows operating system implementations of the protocol.
 
For more details on the related implementations:
OpenSSL - https://www.openssl.org/~bodo/ssl-poodle.pdf
Microsoft’s Windows - https://technet.microsoft.com/en-us/library/security/3009008.aspx

Answer

To remove the vulnerability completely, the SSL 3.0 protocol must be disabled in all the relevant implementations used by or affecting Performance Center. The following list provides information on the fixes for the different areas that may be affected:
 
  • OpenSSL implementation – Replace the OpenSSL files used by Performance Center 12.0x with the files attached here. Make sure to follow the installation instructions in the HP_PC12.0x_OpenSSL_1.0.1j_readme.doc file provided with the hotfix.
  • ALM Server – Follow the details in ALM knowledge base article KM01250751.