In keeping up with the Heartbleed vulnerability, my 5.7.1 setup comes installed with the PostgreSQL embedded database. The PostgreSQL database has components of OpenSSL. There are two vulnerable files located within server-5.7.1/hqdb/bin:
Both files are version 1.0.1(c), which is one of the vulnerable versions of OpenSSL. It has been recommended to go to at least 1.0.1(g).
I thought I could try copying newly updated files of libeay32.dll and ssleay32.dll to the bin directory, but the server would not start. Is there currently any fix that will be released to address this vulnerability? If not, what are my best options to make sure that this software is not vulnerable?
You are right that the OpenSSL DLLs that are shipped as part of the embedded Postgres version are vulnerable to the Heartbleed exploit. However, that does not make the machine running Hyperic vulnerable, due to the following configuration:
1. The default configuration of the embedded Postgres is configured to not use an SSL connection to Hyperic so openssl is not used.
2. Postgres is configured to only work with the loopback, which means that no external connections are possible to Postgres.
So unless you changed the configuration so Hyperic will connect to Postgres using SSL and you changed the Postgres configuration to accept external connections, you are safe.
The VMware security team tested and validated this configuration.
Just a note for others reading this post that this only applies to Windows versions of Hyperic and not to other variants which do not ship with openssl binaries as part of Postgres.
When we release a maintenance release for the relevant versions we will remove or update these dlls to remove even the slightest chance of a vulnerability. There is a 5.8 maintenance release planned in June which will include this update.
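The answer's reasoning rests on two settings of the embedded Postgres: `ssl` left off and `listen_addresses` restricted to the loopback interface. The following is an added example (not code from the thread or from Hyperic) that reads a `postgresql.conf`-style file and reports whether both conditions still hold, so an administrator can confirm the bundled OpenSSL is not reachable from the network. The configuration samples are constructed for illustration; the key names are standard PostgreSQL settings.

```python
import re

# Constructed sample matching the answer's description: SSL off (the PostgreSQL
# default, here only present as a comment) and loopback-only listeners.
SAFE_CONF = """
# PostgreSQL configuration (constructed sample, not a Hyperic file)
listen_addresses = 'localhost'   # what IP address(es) to listen on
port = 9432
#ssl = off
max_connections = 100
"""

# Constructed sample of the two changes the answer warns about, taken together.
EXPOSED_CONF = """
listen_addresses = '*'
ssl = on
ssl_cert_file = 'server.crt'
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_postgresql_conf(text):
    """Return {key: value} from postgresql.conf text, skipping comments and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drops trailing and commented-out entries
        if not line:
            continue
        m = re.match(r"^(\w+)\s*=?\s*(.+)$", line)  # 'key = value' or 'key value'
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip("'\"")
        settings[key] = value
    return settings


def openssl_reachable(conf_text):
    """True only if SSL is enabled AND the server listens on a non-loopback address.

    Both conditions from the answer must fail before a remote client could
    exercise the server's OpenSSL code; either one alone keeps it unreachable.
    """
    s = parse_postgresql_conf(conf_text)
    ssl_on = s.get("ssl", "off").lower() in {"on", "true", "yes", "1"}
    addrs = {a.strip() for a in s.get("listen_addresses", "localhost").split(",")}
    external = bool(addrs - LOOPBACK)  # '*' or any real interface counts as external
    return ssl_on and external
```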