
Hyperic 5.7.1 - Heartbleed

Hello,

In keeping up with the Heartbleed vulnerability, my 5.7.1 setup comes installed with the PostgreSQL embedded database. The PostgreSQL database has components of OpenSSL. There are two vulnerable files located within server-5.7.1/hqdb/bin:

libeay32.dll

ssleay32.dll

Both files are version 1.0.1.3(c), which is one of the vulnerable versions of OpenSSL. It has been recommended to go to at least 1.0.1.7(g).

I thought I could try copying newly updated files of libeay32.dll and ssleay32.dll to the bin directory, but the server would not start. Is there currently any fix that will be released to address this vulnerability? If not, what are my best options to make sure that this software is not vulnerable?


Hi,

You are right that the OpenSSL DLLs that are shipped as part of the embedded Postgres version are vulnerable to the Heartbleed exploit. However, that does not make the machine running Hyperic vulnerable, due to the following configuration:

1. The default configuration of the embedded Postgres is configured to not use an SSL connection to Hyperic so openssl is not used.

2. Postgres is configured to only work with the loopback, which means that no external connections to Postgres are possible.

So unless you changed the configuration so that Hyperic connects to Postgres using SSL and you changed the Postgres configuration to accept external connections, you are safe.

The VMware security team tested and validated this configuration.

Just a note for others reading this post that this only applies to Windows versions of Hyperic and not to other variants which do not ship with openssl binaries as part of Postgres.

When we release a maintenance release for the relevant versions we will remove or update these dlls to remove even the slightest chance of a vulnerability. There is a 5.8 maintenance release planned in June which will include this update.

Eran

Product Line Manager | vCloud Operations | VMware
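The reply's reasoning rests on two settings in the embedded database's postgresql.conf: `ssl` must be off and `listen_addresses` must be restricted to the loopback interface. The following script, added here as an example and not code from the thread or from VMware, parses a postgresql.conf and reports whether both conditions still hold, so an administrator can confirm the shipped configuration was not changed. The sample configuration texts are constructed, and the path `server-5.7.1/hqdb/data/postgresql.conf` is an assumption about where the embedded Postgres keeps its config.

```python
"""Check whether an embedded PostgreSQL instance matches the configuration
described in the reply: SSL disabled and TCP listening only on loopback.

Added example, not part of the original thread. The configuration samples are
constructed; the data-directory path in __main__ is an assumption.
"""
import re
import sys
from typing import Dict

# Addresses that only reach the local machine.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample: the shipped default state (ssl left commented out,
# which means PostgreSQL's built-in default of 'off' applies).
SAMPLE_DEFAULT_CONF = """
# -----------------------------
# PostgreSQL configuration file
# -----------------------------
listen_addresses = 'localhost'   # what IP address(es) to listen on
port = 9432
#ssl = off                        # (change requires restart)
max_connections = 100
"""

# Constructed sample: the changed configuration the reply warns about.
SAMPLE_EXPOSED_CONF = """
listen_addresses = '*'
ssl = on
ssl_cert_file = 'server.crt'
"""

# postgresql.conf accepts both "name = value" and "name value".
_SETTING_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_.]*)\s*(?:=|\s)\s*(.+?)\s*$")


def parse_postgresql_conf(text: str) -> Dict[str, str]:
    """Parse the active 'name = value' lines of a postgresql.conf.

    Commented-out lines are skipped (they document the built-in default rather
    than set a value); trailing comments and single quotes are stripped.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, incl. "#ssl = off"
        if not line:
            continue
        m = _SETTING_RE.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] == "'":
            value = value[1:-1]
        settings[name] = value
    return settings


def ssl_enabled(settings: Dict[str, str]) -> bool:
    """PostgreSQL's built-in default for ssl is off, so a missing key means off."""
    return settings.get("ssl", "off").lower() in {"on", "true", "yes", "1"}


def listens_only_on_loopback(settings: Dict[str, str]) -> bool:
    """True when every configured listen address is a loopback address.

    The built-in default is 'localhost'; an empty string disables TCP sockets
    entirely, which is at least as restrictive as loopback-only.
    """
    raw = settings.get("listen_addresses", "localhost").strip()
    if raw == "":
        return True
    addrs = {a.strip().lower() for a in raw.split(",")}
    return addrs <= LOOPBACK  # '*' or '0.0.0.0' fail this test


def assess(conf_text: str) -> Dict[str, bool]:
    """Summarise whether the config still matches the reply's safe state."""
    settings = parse_postgresql_conf(conf_text)
    ssl_on = ssl_enabled(settings)
    loopback = listens_only_on_loopback(settings)
    return {
        "ssl": ssl_on,
        "loopback_only": loopback,
        "matches_default": (not ssl_on) and loopback,
    }


if __name__ == "__main__":
    # Assumed location; pass the real path as the first argument if it differs.
    path = sys.argv[1] if len(sys.argv) > 1 else "server-5.7.1/hqdb/data/postgresql.conf"
    with open(path, encoding="utf-8") as fh:
        result = assess(fh.read())
    for key, value in result.items():
        print(f"{key}: {value}")
```

If `matches_default` comes back `False`, either SSL has been switched on (so the shipped OpenSSL DLLs would actually be exercised) or Postgres is listening on a non-loopback address; both conditions must hold for the reply's argument to apply.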