David, Thank you for the note.
I have forwarded comments to the folks that own the page that AR System was not explicitly called out. They used the product name BMC Remedy ITSM Suite to cover all things Remedy. I have suggested they change it to something like BMC Remedy AR System and ITSM Suite or to add a new set of entries that explicitly state just AR System. Since the ITSM Suite is fundamentally dependent on the AR System. The fact that the ITSM Suite is not affected by the bug means that the AR System is not affected because ITSM could not be unaffected if the technology it was built on (AR System) wasn't also unaffected. So, your environment is clear of the issue. I cannot promise that there will be a change to wording of the messages, but I have forwarded your concerns about the product name. NOTE: As I was still typing in this response, I got a note back from the person coordinating the response that if a change of wording helps, he is more than willing to get that done. At this point, the proposal is to change to say BMC Remedy AR System and ITSM Suite. This way there is not a need to list every app and every component of everything separately, but to still emphasize that the AR System is included in the list as not being affected by the issue. Only versions of the product under current support are listed in this table. The bug was introduced into OpenSSL in 2012. So, nothing that shipped prior to 2012 can be affected by the bug - and all things pre 7.6.04 were shipped prior to 2012. As for the Flash, an initial flash message was sent out the day of the report of the issue and BMC simply sent a note including every product that used OpenSSL as a potential. I posted that the Remedy line was clear to this list within a day or so of that message and then the forma note of this product and others from BMC came out a couple of days following that. I see the one posted was dated April 15. I am not sure why the solutions were listed as unknown at that time as we had the answer on April 9 that the Remedy line (all pieces) are not affected. It may have just been all the information filtering back and caution was in the "unknown until we have all definitive information otherwise" camp. I am not sure who gets the Flash notices or how registered - but will try and see why you did not get something since you believe you are signed up to receive them. Thank you for the comments and hopefully, we can clean up some of the aspects you found confusing quickly and consider these topics in future communications. Doug Mueller From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of David Durling Sent: Monday, April 21, 2014 6:37 AM To: arslist@ARSLIST.ORG Subject: Re: Remedy, OpenSSL, and the Heartbleed bug ** Doug, First, on my part I appreciate your initial note about the status of the Remedy line. However, I was also waiting for an "official" statement - web page or email - that I could send on to management & sort of verify that nothing else had turned up. My confusion was that I couldn't and still can't find "AR System" or any variant of that on http://www.bmc.com/support/support-news/openssl_CVE-2014-0160.html?a= , so just on Friday I told my management that AR System's status was still undermined per the note on that page saying products not in table 1 or 2 are still under investigation. We're all custom ARS, so I figured ITSM apps didn't apply to us. Am I misreading something on that page? Also, I *could* be mistaken but I'm pretty sure I never received a Flash bulletin like the one Jase initially posted about, though I'm subscribed to all "proactive notifications" for AR System Server & Flashboards. (I'm on 7.5 still, so don't know if that has anything to do with what alerts I receive.) Thanks, David David Durling University of Georgia From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Mueller, Doug Sent: Sunday, April 20, 2014 7:20 PM To: arslist@ARSLIST.ORG<mailto:arslist@ARSLIST.ORG> Subject: Re: Remedy, OpenSSL, and the Heartbleed bug ** Andrew, On this topic, I want to understand your statement Why is it that literally every single communication with BMC is shrouded by a cloud of confusion or outright misdirection lately? I posted an initial note to the ARSlist and BMC Communities with information about the REMEDY product line. This note summarized the use of OpenSSL and whether aspects of the Remedy line were affected and confirmed that nothing in the Remedy line (including CMDB) was affected. The note further stated that formal communication about the Remedy product and about all other BMC products and whether they were affected was forthcoming from BMC. We just wanted to get information to this large community as quickly as possible. Then, when further evaluation of all products that BMC ships was completed, postings were made to the web site and sent via email that detailed every product and included whether the product was affected or not affected by the issue. The products were clearly placed in one or the other category. This way, there is no question about "well my product is not listed so does it or does it not have an issue"? The products are on the "NOT affected" or on the "Affected" list. There may be a couple that are still under evaluation not on either list and that is because there is not an answer yet. In order for me to share with the BMC team what exactly you found confusing or misdirecting about the communication or any aspect of it, could you please detail what issues you had with communication. You can either post to the list or send me email directly. Then, we can make sure that we work on issues you had so that things can be more clear in the future. If getting some early information about the Remedy line was confusing, we can hold off any information until all information is available (and that would have ment several days delay in getting the information about the Remedy product to our customers). If something about the format or wording or other about the message is the problem, identifying that issue would help the team be more clear in the future. Thank you for any assistance you can offer to clarify your comments about confusion and misdirection on this particular issue. Doug Mueller From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Andrew Hicox Sent: Thursday, April 17, 2014 6:03 AM To: arslist@ARSLIST.ORG<mailto:arslist@ARSLIST.ORG> Subject: Re: Remedy, OpenSSL, and the Heartbleed bug ** Yeah but ADDM is, and you've gotta actually click through to the web page or PDF to find that out (and to find out that nearly everything else on the "ZOMG THESE THINGS ARE AFFECTED BY TEH HEARTBLEEEDZ!!!" email actually are NOT affected.) Why is it that literally every single communication with BMC is shrouded by a cloud of confusion or outright misdirection lately? I can't imagine the epic fiasco it must be when support orders out for pizza LOL. On Wednesday, April 16, 2014, Jase Brandon <jasebran...@gmail.com<mailto:jasebran...@gmail.com>> wrote: ** Hello All, Please disregard my last post. I answered my own question after re-reading the BMC Flash. Per Doug's earlier statement, the Remedy product line is not affected :-) Thanks, Jase On Wed, Apr 16, 2014 at 4:15 PM, Jase Brandon <jasebran...@gmail.com<mailto:jasebran...@gmail.com>> wrote: Hello Doug and All, I just got the below mail from BMC. I thought we were all clear that the heartbleed virus was nothing for us to be concerned about regarding the Remedy product line. Is this still the case or should we now be concerned with heartbleed? I've already communicated to our management after Doug's last mail that heartbleed was a non-issue so I'm hoping I don't have to reverse myself. Thanks in Advance, Jase Brandon Sr. Remedy Developer As you requested(1), BMC Software Customer Support is notifying you of the following information: Type(2) Description Date Link BMC Software is alerting users to a serious issue where some BMC Products and services might be vulnerable to the OpenSSL flaw known as Heartbleed (CVE-2014-0160). April 15, 2014 HTML(3)PDF(3) Product Version(s) AppSight Analysis J2EE Named User 7.8.00 AppSight Analysis WIN/NET Named User 7.8.00, 7.7.00 AppSight Code Console 7.8.00, 7.7.00 AppSight Combined Console-Floating 1/5 7.8.00, 7.7.00 AppSight Support System - Enterprise License 7.8.00, 7.7.00 AppSight Support System for J2EE 7.8.00 AppSight Support System for WIN/.NET 7.8.00, 7.7.00 AppSight Support System for WIN/.NET 5 Users 7.8.00, 7.7.00 AppSight Support System for Windows - Additional Console 7.8.00, 7.7.00 AppSight System Blackbox Client 7.8.00, 7.7.00 AppSight System Console 7.8.00, 7.7.00 AppSight System Platform Enabler 7.8.00, 7.7.00 BMC AppSight 7.8.00, 7.7.00 BMC AppSight Additional Platform 1.0.01 BMC AppSight Concurrent Session 1.0.01 BMC AppSight Connector 1.0.01 BMC AppSight Level1 Viewer 1.0.01 BMC AppSight Named User 1.0.01 BMC AppSight QA User 1.0.01 BMC AppSight for .NET 7.8.00 BMC AppSight for Citrix Support User 1.0.01 BMC AppSight for J2EE 7.8.00 BMC Application Management Suite 2.5.00, 2.3.30, 2.3.20, 2.3.10, 2.3.00, 2.2.10, 2.2.00, 2.1.10, 2.1.00, 2.0.00 BMC Application Transaction Tracing 1.0.02, 1.0.01 BMC Atrium CMDB Suite 8.1.01, 8.1.00, 8.0.00, 7.6.04, 7.6.03, 7.6.00 BMC Atrium Discovery and Dependency Mapping 9.0.02, 9.0.01, 9.0.00, 8.3.03, 8.3.02, 8.3.01, 8.3.00, 10.0.00 BMC Atrium Orchestrator - Adapter Add-On License 1.0.01 BMC Atrium Orchestrator - Adapters 8.1.01 BMC Atrium Orchestrator - Development Pack 1.0.01 BMC Atrium Orchestrator - Peer 8.1.01 BMC Atrium Orchestrator - Peer Add-On License 1.0.01 BMC Atrium Orchestrator Application Adapters 7.6.05, 7.6.04, 7.6.03, 7.6.02, 7.6.01, 7.6.00, 7.5.08, 7.5.07, 20.13.02, 20.13.01, 20.12.04, 20.12.03, 20.12.02, 20.12.01, 20.11.03, 20.11.02, 20.11.01 BMC Atrium Orchestrator Automation Pack - Device Endpoint 1.0.01 BMC Atrium Orchestrator Automation Pack - Server Endpoint 8.1.01, 1.0.01 BMC Atrium Orchestrator Base Adapters 7.6.05, 7.6.04, 7.6.03, 7.6.02, 7.6.01, 7.6.00, 7.5.08, 7.5.07, 20.13.02, 20.13.01, 20.12.04, 20.12.03, 20.12.02, 20.12.01, 20.11.03, 20.11.02, 20.11.01 BMC Atrium Orchestrator Development Studio 1.0.00 BMC Atrium Orchestrator Operator Control Panel 1.0.01 BMC Atrium Orchestrator Platform 7.7.01, 7.7.00, 7.6.03, 7.6.02 BMC Atrium Orchestrator Platform Add-On 1.0.00 BMC Atrium Orchestrator Runbooks 7.6.05, 7.6.04, 7.6.03, 7.6.02, 7.6.01, 7.6.00, 7.5.08, 7.5.07, 20.13.02, 20.13.01, 20.12.04, 20.12.03, 20.12.02, 20.12.01, 20.11.03, 20.11.02, 20.11.01 BMC Atrium Orchestrator for Network Automation - Application Adapters 1.0.01 BMC Atrium Orchestrator for Network Automation - Core 8.3.00, 8.1.00, 5.4.00, 5.3.00 BMC Atrium Orchestrator for Network Automation - Run Books 1.0.01 BMC Atrium Orchestrator for Network Automation - Scalability Pack 1.0.01 BMC Atrium Orchestrator for Network Automation - Utility Pack 1.0.01 BMC Atrium Orchestrator for Server Automation - Application Adapters 1.0.01 BMC Atrium Orchestrator for Server Automation - Core 8.3.00, 8.1.00, 8.0.00, 7.5.00 BMC Atrium Orchestrator for Server Automation - Run Books 1.0.01 BMC Atrium Orchestrator for Server Automation - Scalability Pack 1.0.01 BMC Atrium Orchestrator for Server Automation - Utility Pack 1.0.01 BMC Atrium Shared Components 8.1.01, 8.1. _ARSlist: "Where the Answers Are" and have been for 20 years_ _ARSlist: "Where the Answers Are" and have been for 20 years_ _ARSlist: "Where the Answers Are" and have been for 20 years_ _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years"
