The Heartbleed Bug is a serious security vulnerability in OpenSSL, the open-source encryption library used by websites to transmit secure user data. The bug can expose a server's memory contents and lies in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520).
Several components of specific NAM releases may be impacted.
Impact on NAM
| Component | Affected by Heartbleed? | Details |
|---|---|---|
| NAM Server (old CAS/ADS) | YES | Affected systems are: |
| NAM Probe (old AMD) | PARTIAL | Affected systems are: |
| Console | NO | The NAM Console (old RUM Console) does not use the OpenSSL library. |
| EP | NO | The Enterprise Portal does not use the OpenSSL library. |
| ESM | NO | Synthetic Monitoring components do not use a version of OpenSSL that contains the Heartbleed bug, so Synthetic Monitoring is not affected. |
| DNA | NO | Transaction Trace components do not use a version of OpenSSL that contains the Heartbleed bug, so Transaction Trace is not affected. |
Problem resolution steps
1. Stop the CAS or ADS service.
2. Go to the CAS or ADS install directory (C:\Program Files\Compuware\CAS\).
3. Unzip the download file and maintain the folder structure.
4. Start the CAS or ADS service.

To verify that the patch was applied successfully, look for the following message in server.log:

```
T JUL 14-04-10 09:39:10.075 INFO:org.apache.catalina.core.AprLifecycleListener:initializeSSL:<OpenSSL successfully initialized with version OpenSSL 0.9.8r 8 Feb 2011>
```
If you believe your SSL keys have been compromised, regenerate and install new keys and certificates, as described in the following release-specific product documentation:
How to check if my NAM Probe (old AMD) is impacted
Log in to the NAM Probe (old AMD) console and run `rpm -q openssl`. This displays the version of the installed OpenSSL package.
Versions 1.0.1x prior to 1.0.1e-16.el6_5.7.x86_64 are impacted.
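The two checks described on this page, the `rpm -q openssl` output on the NAM Probe and the initializeSSL line in the NAM Server's server.log, can be evaluated mechanically. The following is an added example, not Compuware/NAM code: it applies the page's rule for RHEL 6 packages (1.0.1x older than 1.0.1e-16.el6_5.7 is impacted) using a simplified rpmvercmp-style comparison, and the upstream rule (1.0.1 through 1.0.1f) for the version string the Tomcat APR listener logs. The sample log text is constructed from the line shown above plus a hypothetical unpatched line.

```python
import re

# Page rule for the NAM Probe: RHEL 6 packages 1.0.1x older than 1.0.1e-16.el6_5.7 are impacted.
# Red Hat backports fixes, so the upstream letter alone says nothing for rpm output.
RHEL_FIXED_VERSION, RHEL_FIXED_RELEASE = "1.0.1e", "16.el6_5.7"

def _segments(s):
    """Split an rpm version/release into numeric and alphabetic runs, as rpmvercmp does."""
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpm_segment_cmp(a, b):
    """Simplified rpmvercmp: returns -1, 0 or 1 for a < b, a == b, a > b."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1      # a numeric run is newer than an alphabetic one
        if x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def rpm_openssl_affected(rpm_q_output):
    """True if any package listed by `rpm -q openssl` falls under the page's affected rule."""
    for line in rpm_q_output.splitlines():
        line = re.sub(r"\.(x86_64|i686|i386|noarch)$", "", line.strip())  # drop the arch suffix
        m = re.match(r"^openssl-(\d+\.\d+\.\d+[a-z]?)-(\S+)$", line)
        if not m:
            continue
        version, release = m.groups()
        if not version.startswith("1.0.1"):
            continue                              # 0.9.8 and 1.0.0 branches have no heartbeat code
        c = rpm_segment_cmp(version, RHEL_FIXED_VERSION)
        if c == 0:
            c = rpm_segment_cmp(release, RHEL_FIXED_RELEASE)
        if c < 0:
            return True
    return False

LOG_RE = re.compile(r"initializeSSL:<OpenSSL successfully initialized with version OpenSSL (\d+\.\d+\.\d+)([a-z]?)\b")

def log_openssl_affected(server_log_text):
    """Return (version, affected) for the last initializeSSL line in server.log, or None if absent.
    For upstream (non-backported) builds, Heartbleed is present in 1.0.1 through 1.0.1f only."""
    hits = LOG_RE.findall(server_log_text)
    if not hits:
        return None
    base, letter = hits[-1]
    return base + letter, base == "1.0.1" and letter in "abcdef"   # "" in "abcdef" covers plain 1.0.1

# Constructed sample: the page's own patched-server line.
SAMPLE_LOG = ("T JUL 14-04-10 09:39:10.075 INFO:org.apache.catalina.core.AprLifecycleListener:initializeSSL:"
              "<OpenSSL successfully initialized with version OpenSSL 0.9.8r 8 Feb 2011>\n")
```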
Problem resolution steps
1. Install the patched version of OpenSSL (openSSL-1.0.1e-16.el6_5.7).
2. Generate a new private key and certificate for the rtmgate service using the following bash script:

```bash
#!/bin/sh
# create SSL certificate if it doesn't exist already
keyfile='/usr/adlex/config/gate_ssl.pem'

# use IP address as a common name
commonName=`ifconfig | grep 'inet addr:' | head -n 1 | cut -d: -f2 | cut -d' ' -f1`

# if a common name for certificate wasn't established, use loopback address
if [ -z "$commonName" ] ; then
    echo "Cannot establish public IP. Using 127.0.0.1 for common name."
    commonName='127.0.0.1'
fi

# generate the certificate (key and certificate are written to the same PEM file)
subject="/C=US/ST=Michigan/L=Detroit/O=Compuware/CN=$commonName"
openssl req -new -x509 -days 3650 -nodes -subj "$subject" -out "$keyfile" -keyout "$keyfile"
# append DH parameters; 512 bits is what the original script used and is weak by current standards
openssl gendh 512 >> "$keyfile"
openssl x509 -subject -dates -fingerprint -in "$keyfile"
chmod 600 "$keyfile"
service rtmgate restart
# End of the script
```

3. Copy the script to a text file on the NAM Probe (old AMD).
4. Save it as `gatefix` and make it executable with `chmod 755 gatefix`. Make sure to run it as root.
- RedHat: CVE-2014-0160 OpenSSL: information disclosure in handling of TLS heartbeat extension packets
- RedHat: How to recover from the Heartbleed OpenSSL vulnerability
- RedHat: CVE-2014-0224 openssl: SSL/TLS MITM vulnerability
- The Heartbleed Bug overview
- DTLS invalid fragment vulnerability (CVE-2014-0195)
- SSL/TLS MITM vulnerability (CVE-2014-0224)
Apr 09, 2014 - created
Jun 12, 2014 - updated with information about "SSL/TLS MITM vulnerability (CVE-2014-0224)" and "DTLS invalid fragment vulnerability (CVE-2014-0195)".
Using yum requires an internet connection from the NAM Probe (old AMD), and the NAM Probe (old AMD) must also be registered with RHN (Red Hat Network) to obtain the OpenSSL update.