
    Heartbleed and the LEM

    curtisi

      Hey all!

       

      We've had only four people call into support to ask this so far that I know of, but I figure I'll post this:

       

      The LEM is safe from Heartbleed.

       

      If you don't know what Heartbleed is, you ought to go find out, especially if you use any OpenSSL in your environment.

       

      What version of OpenSSL is the LEM using?

       

      I ran the dpkg --list on my lab LEM for your benefit and to verify.  The version in LEM 5.7 is:

       

      openssl 0.9.8o-4squeeze14

       

      As with many applications, if you're not on 5.7, you should upgrade to make sure you have the latest security patches and vulnerability fixes, as well as the newest and coolest features.

       

      What versions of OpenSSL are affected?

       

      Status of different versions:

       

      OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable

      OpenSSL 1.0.1g is NOT vulnerable

      OpenSSL 1.0.0 branch is NOT vulnerable

      OpenSSL 0.9.8 branch is NOT vulnerable

       

      Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.

       

      Update

      The official SW post on Heartbleed, including all SW products and their status and what you need to do (which is generally "Nothing, take a deep breath, don't panic"), is here: SolarWinds Heartbleed impact roll-up - (Executive summary: Don't worry)
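
The version check described in the post above, as an added example that is not part of the original post and is not SolarWinds code: it classifies OpenSSL version strings, including Debian package versions such as the one reported for LEM 5.7, against the status list quoted in the post. The function names and the sample package lines other than the LEM one are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify OpenSSL versions against the status list in the post.
# heartbleed_status and scan_packages are hypothetical helper names.
LC_ALL=C; export LC_ALL   # keep the [a-f] range below to plain ASCII letters

# Print vulnerable / not-vulnerable / unknown for one version string.
# Accepts upstream versions ("1.0.1e") and Debian package versions
# ("0.9.8o-4squeeze14").
heartbleed_status() {
    ver=${1#*:}        # drop a Debian epoch ("1:") if present
    ver=${ver%%-*}     # drop the Debian revision ("-4squeeze14")
    case $ver in
        1.0.1|1.0.1[a-f])   echo vulnerable ;;      # 1.0.1 through 1.0.1f
        1.0.1g)             echo not-vulnerable ;;  # fixed release
        1.0.0|1.0.0[a-z]*)  echo not-vulnerable ;;  # 1.0.0 branch
        0.9.8|0.9.8[a-z]*)  echo not-vulnerable ;;  # 0.9.8 branch
        *)                  echo unknown ;;         # not covered by the list
    esac
}

# Read "package version" lines on stdin and report the status of each.
# Returns 1 if any package falls in the vulnerable range.
scan_packages() {
    rc=0
    while read -r pkg ver; do
        [ -n "$pkg" ] || continue
        st=$(heartbleed_status "$ver")
        printf '%-14s %-22s %s\n' "$pkg" "$ver" "$st"
        if [ "$st" = vulnerable ]; then rc=1; fi
    done
    return $rc
}

# Sample run on constructed input. On a Debian-based host, feed real data with:
#   dpkg-query -W -f='${Package} ${Version}\n' openssl 'libssl*' | scan_packages
scan_packages <<'EOF' || echo "at least one package is in the vulnerable range"
openssl 0.9.8o-4squeeze14
libssl1.0.0 1.0.1e-2
libssl1.0.0 1.0.1g-1
EOF
```

The check compares the upstream version only. Distributions can backport a fix without changing the upstream version, so a "vulnerable" result for a packaged build should be confirmed against the distribution's security advisory.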