1 Reply Latest reply on May 29, 2014 1:44 PM by ecarmel

    Hyperic 5.7.1 - Heartbleed

    HypericHQ_4U Novice

      Hello,

      In keeping up with the Heartbleed vulnerability, my 5.7.1 setup comes installed with the PostgreSQL embedded database. The PostgreSQL database has components of OpenSSL. There are two vulnerable files located within server-5.7.1/hqdb/bin:

      libeay32.dll
      ssleay32.dll

      Both files are version 1.0.1.3(c), which is one of the vulnerable versions of OpenSSL. It has been recommended to go to at least 1.0.1.7(g).

      I thought I could try copying newly updated files of libeay32.dll and ssleay32.dll to the bin directory, but the server would not start. Is there currently any fix that will be released to address this vulnerability? If not, what are my best options to make sure that this software is not vulnerable?

        • 1. Re: Hyperic 5.7.1 - Heartbleed
          ecarmel Enthusiast
          VMware Employees

          Hi,

          You are right that the OpenSSL DLLs that are shipped as part of the embedded Postgres version are vulnerable to the Heartbleed exploit. However, that does not make the machine running Hyperic vulnerable, due to the following configuration:

          1. The default configuration of the embedded Postgres is configured to not use an SSL connection to Hyperic, so OpenSSL is not used.

          2. Postgres is configured to only work with the loopback, which means that no external connections are possible to Postgres.

          So unless you changed the configuration so Hyperic will connect to Postgres using SSL, and you changed the Postgres configuration to accept external connections, you are safe.

          The VMware security team tested and validated this configuration.

          Just a note for others reading this post: this only applies to Windows versions of Hyperic and not to other variants, which do not ship with OpenSSL binaries as part of Postgres.

          When we release a maintenance release for the relevant versions, we will remove or update these DLLs to remove even the slightest chance of a vulnerability. There is a 5.8 maintenance release planned for June which will include this update.

          Eran
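The two conditions the reply relies on (SSL disabled, so the OpenSSL DLLs are never used for connections, and listening on loopback only) can be verified against the embedded server's postgresql.conf rather than assumed. The script below is an added example and is not code from this thread, from Hyperic or from VMware. The sample configuration text is constructed, the file path under the data directory is an assumption (the thread only names server-5.7.1/hqdb/bin), and the fallbacks when a key is absent are PostgreSQL's documented defaults (ssl = off, listen_addresses = 'localhost').

```python
"""Check a postgresql.conf for the two conditions the reply depends on:
SSL turned off and TCP listeners restricted to loopback addresses.
Added example with constructed sample input; not Hyperic's shipped config."""
import re
import sys
from typing import Dict, List

# Constructed sample: what a loopback-only, non-SSL configuration looks like.
SAMPLE_SAFE_CONF = """
# -----------------------------
# PostgreSQL configuration file
# -----------------------------
listen_addresses = 'localhost'   # what IP address(es) to listen on
port = 9432
ssl = off
#ssl_cert_file = 'server.crt'     # commented out, so not active
"""

# Constructed sample: both assumptions of the reply have been changed.
SAMPLE_EXPOSED_CONF = """
listen_addresses = '*'  # listens on every interface
ssl = on
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
ON_VALUES = {"on", "true", "yes", "1"}

# postgresql.conf accepts both "name = value" and "name value".
_LINE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_.]*)\s*(?:=|\s)\s*(.*)$")


def _strip_value(raw: str) -> str:
    """Drop a trailing '#' comment and unwrap a single-quoted value ('' escapes a quote)."""
    raw = raw.strip()
    if raw.startswith("'"):
        end = 1
        while end < len(raw):
            if raw[end] == "'":
                if end + 1 < len(raw) and raw[end + 1] == "'":
                    end += 2
                    continue
                break
            end += 1
        return raw[1:end].replace("''", "'")
    return raw.split("#", 1)[0].strip()


def parse_postgresql_conf(text: str) -> Dict[str, str]:
    """Return the active (uncommented) settings as a lowercase name -> value dict."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = _strip_value(m.group(2))
    return settings


def ssl_enabled(settings: Dict[str, str]) -> bool:
    # PostgreSQL default when the key is absent is ssl = off.
    return settings.get("ssl", "off").lower() in ON_VALUES


def non_loopback_listeners(settings: Dict[str, str]) -> List[str]:
    # PostgreSQL default when the key is absent is 'localhost'; '' disables TCP entirely.
    value = settings.get("listen_addresses", "localhost")
    addrs = [a.strip() for a in value.split(",") if a.strip()]
    return [a for a in addrs if a not in LOOPBACK]


def assess(text: str) -> Dict[str, object]:
    """Summarise whether the configuration still matches the reply's assumptions."""
    settings = parse_postgresql_conf(text)
    exposed = non_loopback_listeners(settings)
    return {
        "ssl_enabled": ssl_enabled(settings),
        "non_loopback_listeners": exposed,
        "matches_reply_assumptions": not ssl_enabled(settings) and not exposed,
    }


if __name__ == "__main__":
    # Assumed location of the embedded server's config; pass the real path as argv[1].
    path = sys.argv[1] if len(sys.argv) > 1 else "server-5.7.1/hqdb/data/postgresql.conf"
    try:
        with open(path, encoding="utf-8") as fh:
            print(path, assess(fh.read()))
    except FileNotFoundError:
        print("config not found, showing constructed samples instead")
        print("safe:   ", assess(SAMPLE_SAFE_CONF))
        print("exposed:", assess(SAMPLE_EXPOSED_CONF))
```

The check only covers the conditions named in the reply; a pg_hba.conf that permits remote hosts, or a Hyperic JDBC URL that requests SSL, would need to be inspected separately.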