OpenSSL vulnerability also known as the Heartbleed bug

Description

The Heartbleed Bug is a serious security vulnerability in OpenSSL, the open-source TLS/cryptography library used by websites to transmit secure user data. The bug can expose a server's memory contents and is found in OpenSSL's implementation of the TLS/DTLS (Transport Layer Security / Datagram TLS) heartbeat extension (RFC 6520).

Several components of specific NAM releases may be impacted.

Impact on NAM

Component: NAM Server (old CAS/ADS)
Affected by Heartbleed: YES
Details: Affected systems are:
  • Any NAM Server (old CAS/ADS) version equal to or higher than 12.0.3 (SP3)
  • Have SSL enabled
A system is affected only if all of the above conditions are met. For problem resolution details, see the NAM Server (old CAS/ADS) section below. NAM Server (old CAS/ADS) is not affected by the DTLS invalid fragment vulnerability (CVE-2014-0195), as none of the DCRUM components use DTLS for communication. NAM Server (old CAS/ADS) is not affected by the SSL/TLS MITM vulnerability (CVE-2014-0224): although an updated Apache Tomcat has not yet been released (this page will be updated once it is available), for the MITM attack to succeed both the server and the client have to be vulnerable, and the browsers officially supported by the product are not vulnerable.

Component: NAM Probe (old AMD)
Affected by Heartbleed: PARTIAL
Details: Affected systems are:
  • Red Hat Enterprise Linux 6.5 or higher
  • Have an OpenSSL 1.0.1x version prior to 1.0.1e-16.el6_5.7
  • Have SSL communication enabled between NAM Probe (old AMD) and other NAM components (NAM Server (old CAS/ADS), Console or dynaTrace server)
A system is affected only if all of the above conditions are met. For problem resolution details, see the NAM Probe (old AMD) section below.
Note pertaining to the use of the OpenSSL library in the SSL decryption functionality on NAM Probe (old AMD):
  • NAM Probe (old AMD)s configured to monitor SSL-encrypted software services, such as HTTPS, using the "SSL with decryption" decode and the openssl decoding engine are not impacted by this vulnerability regardless of the version of the openssl library installed on the NAM Probe (old AMD), as the decryption mechanism used by the NAM Probe (old AMD) does not use the vulnerable area of the openssl library. However, we recommend installing the patched version of OpenSSL if the conditions above are met.
NAM Probe (old AMD) is not affected by the DTLS invalid fragment vulnerability (CVE-2014-0195), as none of the DCRUM components use DTLS for communication. NAM Probe (old AMD) is affected by the SSL/TLS MITM vulnerability (CVE-2014-0224), as the OpenSSL installed on Red Hat is used. To update the affected packages, refer to https://access.redhat.com/security/cve/CVE-2014-0224.

Component: Console
Affected by Heartbleed: NO
Details: The NAM Console (old RUM Console) does not use the OpenSSL library.

Component: EP
Affected by Heartbleed: NO
Details: The Enterprise Portal does not use the OpenSSL library.

Component: ESM
Affected by Heartbleed: NO
Details: Synthetic Monitoring components do not use a version of OpenSSL that contains the Heartbleed vulnerability. As a result, Synthetic Monitoring is not affected by the Heartbleed bug.

Component: DNA
Affected by Heartbleed: NO
Details: Transaction Trace components do not use a version of OpenSSL that contains the Heartbleed vulnerability. As a result, Transaction Trace is not affected by the Heartbleed bug.

Problem resolution steps for the NAM Server (old CAS/ADS)

  1. Download Heartbleed Fix.zip (md5 sum).

  2. Stop the CAS or ADS service.

  3. Go to the CAS or ADS install directory (C:\Program Files\Compuware\CAS\).

  4. Unzip the downloaded file, maintaining its folder structure.

  5. Start the CAS or ADS service.

To verify that the patch was applied successfully, look for the following message in server.log:

T JUL 14-04-10 09:39:10.075 INFO:org.apache.catalina.core.AprLifecycleListener:initializeSSL:<OpenSSL successfully initialized with version OpenSSL 0.9.8r 8 Feb 2011>

If you believe your SSL keys have been compromised, regenerate and install new keys and certificates, as described in the following release-specific product documentation:

How to check if my NAM Probe (old AMD) is impacted

Log in to the NAM Probe (old AMD) console and issue the command rpm -q openssl. This displays the version of the installed OpenSSL package.
Versions 1.0.1x prior to 1.0.1e-16.el6_5.7.x86_64 are impacted.
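As an added example that is not part of this advisory, the POSIX shell script below applies the two checks described above to constructed sample input: it classifies an rpm -q openssl package string against the 1.0.1e-16.el6_5.7 threshold (NAM Probe), and extracts the OpenSSL version from a server.log initializeSSL line (NAM Server). The function names and sample strings are my own assumptions, not DCRUM's.

```sh
#!/bin/sh
# Added example, not part of the advisory: the two version checks it describes,
# run on constructed sample input. Function names are my own, not DCRUM's.
FIXED_VER="1.0.1e"      # fixed Red Hat build named in the advisory
FIXED_REL="16.el6_5.7"  # 1.0.1x builds older than this are impacted
# Exit 0 if $1-$2 sorts before the fixed build; awk compares each field numerically.
older_than_fix() {
    awk -v v="$1" -v r="$2" -v fv="$FIXED_VER" -v fr="$FIXED_REL" '
    function fcmp(a, b,   na, nb, i, x, y, A, B) {
        na = split(a, A, /[._]/); nb = split(b, B, /[._]/)
        for (i = 1; i <= na && i <= nb; i++) {
            x = A[i]; y = B[i]
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) { x += 0; y += 0 }
            if (x < y) return -1; if (x > y) return 1
        }
        return (na < nb) ? -1 : (na > nb) ? 1 : 0
    }
    BEGIN {
        c = (v < fv) ? -1 : (v > fv) ? 1 : 0   # 1.0.1a..1.0.1f: compare the letter
        if (c == 0) c = fcmp(r, fr)
        exit ((c < 0) ? 0 : 1)
    }'
}
# NAM Probe check: takes one line of `rpm -q openssl` output such as
# openssl-1.0.1e-16.el6_5.4.x86_64; exits 0 if impacted, 1 if not.
check_openssl_rpm() {
    rest=${1#openssl-}
    ver=${rest%%-*}
    rel=${rest#*-}
    case $rel in *.x86_64|*.i686|*.i386|*.noarch) rel=${rel%.*} ;; esac
    case $ver in
        1.0.1*) ;;
        *) echo "not affected: $ver is outside the 1.0.1 series"; return 1 ;;
    esac
    if older_than_fix "$ver" "$rel"; then
        echo "IMPACTED: $ver-$rel is older than $FIXED_VER-$FIXED_REL"; return 0
    fi
    echo "not affected: $ver-$rel is at or above $FIXED_VER-$FIXED_REL"; return 1
}
# NAM Server check: print the OpenSSL version Tomcat's APR listener logged in
# server.log (file argument or stdin); the advisory expects 0.9.8r after patching.
log_openssl_version() {
    sed -n 's/.*initializeSSL:<OpenSSL successfully initialized with version OpenSSL \([^ >]*\).*/\1/p' "$@"
}
# Constructed sample input, not real probe or server output.
for pkg in openssl-1.0.1e-16.el6_5.4.x86_64 openssl-1.0.1e-16.el6_5.7.x86_64 \
           openssl-1.0.0-27.el6.x86_64; do check_openssl_rpm "$pkg" || true; done
SAMPLE_LOG='T JUL 14-04-10 09:39:10.075 INFO:org.apache.catalina.core.AprLifecycleListener:initializeSSL:<OpenSSL successfully initialized with version OpenSSL 0.9.8r 8 Feb 2011>'
printf '%s\n' "$SAMPLE_LOG" | log_openssl_version
```

On a live probe, run check_openssl_rpm "$(rpm -q openssl)"; on a CAS/ADS, run log_openssl_version server.log.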

Problem resolution steps for the NAM Probe (old AMD)

Install the patched version of OpenSSL (openssl-1.0.1e-16.el6_5.7) [1].

Generate a new private key and certificate for the rtmgate service using the following bash script:

Copy and paste the script into a text file on the NAM Probe (old AMD).

Save it as gatefix and make it executable with chmod 755 gatefix. Make sure to run it as root.

Version history

Apr 09, 2014 - created

Jun 12, 2014 - updated with information about "SSL/TLS MITM vulnerability (CVE-2014-0224)" and "DTLS invalid fragment vulnerability (CVE-2014-0195)".


[1] Using yum requires an internet connection from the NAM Probe (old AMD), and the NAM Probe (old AMD) must also be registered with RHN (Red Hat Network) to obtain the OpenSSL update.