Hi,
You are right that the openssl dlls that are shipped as part of the embedded Postgres version are vulnerable to the Heartbleed exploit. However, that does not make the machine running Hyperic vulnerable due to the following configuration:
1. The default configuration of the embedded Postgres is configured to not use an SSL connection to Hyperic so openssl is not used.
2. Postgres is configured to only work with the loopback, which means that no external connections are possible to Postgres.
So unless you changed the configuration so Hyperic will connect to Postgres using SSL and you changed Postgres configuration to accept external connections you are safe.
The VMware security team tested and validated this configuration.
Just a note for others reading this post that this only applies to Windows versions of Hyperic and not to other variants which do not ship with openssl binaries as part of Postgres.
When we release a maintenance release for the relevant versions we will remove or update these dlls to remove even the slightest chance of a vulnerability. There is a 5.8 maintenance release planned in June which will include this update.
Eran
Product Line Manager | vCloud Operations | VMware
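
A check for the two settings the reply above relies on, added here as an example (not part of the original post and not VMware's code): it parses `postgresql.conf` text and reports whether `ssl` is enabled and whether `listen_addresses` names anything other than loopback. The sample configs are constructed; the fallback defaults (`ssl = off`, `listen_addresses = 'localhost'`) are PostgreSQL's own, and the check does not look at Hyperic's client-side connection settings or `pg_hba.conf`.

```python
import ipaddress
import re

# PostgreSQL's own defaults when a parameter is absent from postgresql.conf.
DEFAULTS = {"ssl": "off", "listen_addresses": "localhost"}
# name [=] value, where value is 'quoted' ('' escapes a quote) or a bare token.
LINE = re.compile(r"^\s*([A-Za-z_][\w.]*)(?:\s*=\s*|\s+)('(?:[^']|'')*'|[^\s#]+)")

def parse_conf(text):
    """Return effective settings; commented lines are ignored, last key wins."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2)
        if val.startswith("'"):
            val = val[1:-1].replace("''", "'")
        settings[key] = val
    return settings

def is_loopback(host):
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # '*' and other hostnames are treated as external

def assess(text):
    s = parse_conf(text)
    v = s["ssl"].lower()
    ssl_on = bool(v) and (v in ("on", "1") or "true".startswith(v)
                          or "yes".startswith(v))
    hosts = [h.strip() for h in s["listen_addresses"].split(",") if h.strip()]
    external = [h for h in hosts if not is_loopback(h)]
    return {"ssl_enabled": ssl_on, "non_loopback": external,
            "as_described": not ssl_on and not external}

# Constructed samples, not taken from a Hyperic installation.
DEFAULT_LIKE = "#ssl = on\nlisten_addresses = 'localhost'\nport = 5432\n"
CHANGED = ("listen_addresses = 'localhost'\nssl = on  # enabled later\n"
           "listen_addresses = '127.0.0.1, 0.0.0.0'\n")

if __name__ == "__main__":
    for name, conf in (("default-like", DEFAULT_LIKE), ("changed", CHANGED)):
        print(name, assess(conf))
```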