SSL Security Update

Last week a serious vulnerability in the OpenSSL cryptographic software library, known as The Heartbleed bug, was publicly disclosed. It affects a wide range of consumer and enterprise web properties and software products, including some versions of BMC Atrium Discovery and Dependency Mapping.

Fortunately BMC’s fixes for the OpenSSL libraries in use were relatively simple and the mechanism for customers to update is equally so. If exploited successfully, Heartbleed could be used to extract sensitive information that, under normal conditions, is protected by SSL/TLS encryption so it is imperative that you update any affected ADDM systems as soon as possible.

How has BMC ADDM addressed the issue and provided a fix?

Upon public disclosure of this vulnerability, the team immediately activated the emergency Operating System Update (OSU) process in order to patch the affected libraries. Additionally, BMC rebuilt the windows proxy binaries that also include these libraries and have included these in the OSU package.

How to download and install the fixes?

The fix is to install the OS Update to your affected ADDM Appliance. You can download this from the following sources:

Direct FTP Link – Connect as Guest or Anonymous

BMC Electronic Product Download (EPD)

After installing by following these instructions, navigate to the Discovery > Tools section download the updated windows proxy binaries and update your proxies. Instructions for proxy installation are here.

What versions are affected?

The affected versions of ADDM are:

  • ADDM 9.0.x and 10.0 proxies
  • ADDM 9.0.x Red Hat 6
  • ADDM 10.0

These supported versions are using openSSL 0.9.8 and are unaffected:

  • ADDM 8.3
  • ADDM 9.0.x Red Hat 5

What else?

Due to the nature of what might have been available to leak in the event of an exploit, you may want to consider these additional security measures:

  • Change any SSL certificates in use by BMC ADDM
  • Change your credential vault passphrase
  • Change your UI administrator passwords
  • Change your appliance user passwords

Find other vulnerable systems that need updating

Once you have updated your ADDM appliance against this vulnerability, leverage ADDM’s native ability to help you discover what other systems might be vulnerable in your environment.