Re: Remedy, OpenSSL, and the Heartbleed bug
Doug,

The rewording on http://www.bmc.com/support/support-news/openssl_CVE-2014-0160.html?a= looks good from my perspective, thanks for having it done!

As for the Flash email message, it's always possible that I accidentally deleted it - so don't waste too much time chasing that on my account... though since I was on the lookout for just such a message, I tend to think I never got it.

Thanks for your responsiveness!

David D.

From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Mueller, Doug
Sent: Tuesday, April 22, 2014 5:23 PM
To: arslist@ARSLIST.ORG
Subject: Re: Remedy, OpenSSL, and the Heartbleed bug

David,

Thank you for the note. I have forwarded comments to the folks that own the page that AR System was not explicitly called out. They used the product name BMC Remedy ITSM Suite to cover all things Remedy. I have suggested they change it to something like BMC Remedy AR System and ITSM Suite or to add a new set of entries that explicitly state just AR System.

Since the ITSM Suite is fundamentally dependent on the AR System. The fact that the ITSM Suite is not affected by the bug means that the AR System is not affected because ITSM could not be unaffected if the technology it was built on (AR System) wasn't also unaffected. So, your environment is clear of the issue.

I cannot promise that there will be a change to wording of the messages, but I have forwarded your concerns about the product name.

NOTE: As I was still typing in this response, I got a note back from the person coordinating the response that if a change of wording helps, he is more than willing to get that done. At this point, the proposal is to change to say BMC Remedy AR System and ITSM Suite. This way there is not a need to list every app and every component of everything separately, but to still emphasize that the AR System is included in the list as not being affected by the issue.

Only versions of the product under current support are listed in this table. The bug was introduced into OpenSSL in 2012. So, nothing that shipped prior to 2012 can be affected by the bug - and all things pre 7.6.04 were shipped prior to 2012.

As for the Flash, an initial flash message was sent out the day of the report of the issue and BMC simply sent a note including every product that used OpenSSL as a potential. I posted that the Remedy line was clear to this list within a day or so of that message and then the formal note of this product and others from BMC came out a couple of days following that. I see the one posted was dated April 15. I am not sure why the solutions were listed as unknown at that time as we had the answer on April 9 that the Remedy line (all pieces) are not affected. It may have just been all the information filtering back and caution was in the "unknown until we have all definitive information otherwise" camp.

I am not sure who gets the Flash notices or how registered - but will try and see why you did not get something since you believe you are signed up to receive them.

Thank you for the comments and hopefully, we can clean up some of the aspects you found confusing quickly and consider these topics in future communications.

Doug Mueller

From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of David Durling
Sent: Monday, April 21, 2014 6:37 AM
To: arslist@ARSLIST.ORG
Subject: Re: Remedy, OpenSSL, and the Heartbleed bug

Doug,

First, on my part I appreciate your initial note about the status of the Remedy line. However, I was also waiting for an "official" statement - web page or email - that I could send on to management & sort of verify that nothing else had turned up.

My confusion was that I couldn't and still can't find "AR System" or any variant of that on http://www.bmc.com/support/support-news/openssl_CVE-2014-0160.html?a= , so just on Friday I told my management that AR System's status was still undermined per the note on that page saying products not in table 1 or 2 are still under investigation. We're all custom ARS, so I figured ITSM apps didn't apply to us. Am I misreading something on that page?

Also, I *could* be mistaken but I'm pretty sure I never received a Flash bulletin like the one Jase initially posted about, though I'm subscribed to all "proactive notifications" for AR System Server & Flashboards. (I'm on 7.5 still, so don't know if that has anything to do with what alerts I receive.)

Thanks,
David

David Durling
University of Georgia

___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years"
Re: Remedy, OpenSSL, and the Heartbleed bug
David,

Thank you for the note. I have forwarded comments to the folks that own the page that AR System was not explicitly called out. They used the product name BMC Remedy ITSM Suite to cover all things Remedy. I have suggested they change it to something like BMC Remedy AR System and ITSM Suite or to add a new set of entries that explicitly state just AR System.

Since the ITSM Suite is fundamentally dependent on the AR System. The fact that the ITSM Suite is not affected by the bug means that the AR System is not affected because ITSM could not be unaffected if the technology it was built on (AR System) wasn't also unaffected. So, your environment is clear of the issue.

I cannot promise that there will be a change to wording of the messages, but I have forwarded your concerns about the product name.

NOTE: As I was still typing in this response, I got a note back from the person coordinating the response that if a change of wording helps, he is more than willing to get that done. At this point, the proposal is to change to say BMC Remedy AR System and ITSM Suite. This way there is not a need to list every app and every component of everything separately, but to still emphasize that the AR System is included in the list as not being affected by the issue.

Only versions of the product under current support are listed in this table. The bug was introduced into OpenSSL in 2012. So, nothing that shipped prior to 2012 can be affected by the bug - and all things pre 7.6.04 were shipped prior to 2012.

As for the Flash, an initial flash message was sent out the day of the report of the issue and BMC simply sent a note including every product that used OpenSSL as a potential. I posted that the Remedy line was clear to this list within a day or so of that message and then the formal note of this product and others from BMC came out a couple of days following that. I see the one posted was dated April 15. I am not sure why the solutions were listed as unknown at that time as we had the answer on April 9 that the Remedy line (all pieces) are not affected. It may have just been all the information filtering back and caution was in the "unknown until we have all definitive information otherwise" camp.

I am not sure who gets the Flash notices or how registered - but will try and see why you did not get something since you believe you are signed up to receive them.

Thank you for the comments and hopefully, we can clean up some of the aspects you found confusing quickly and consider these topics in future communications.

Doug Mueller

From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of David Durling
Sent: Monday, April 21, 2014 6:37 AM
To: arslist@ARSLIST.ORG
Subject: Re: Remedy, OpenSSL, and the Heartbleed bug

Doug,

First, on my part I appreciate your initial note about the status of the Remedy line. However, I was also waiting for an "official" statement - web page or email - that I could send on to management & sort of verify that nothing else had turned up.

My confusion was that I couldn't and still can't find "AR System" or any variant of that on http://www.bmc.com/support/support-news/openssl_CVE-2014-0160.html?a= , so just on Friday I told my management that AR System's status was still undermined per the note on that page saying products not in table 1 or 2 are still under investigation. We're all custom ARS, so I figured ITSM apps didn't apply to us. Am I misreading something on that page?

Also, I *could* be mistaken but I'm pretty sure I never received a Flash bulletin like the one Jase initially posted about, though I'm subscribed to all "proactive notifications" for AR System Server & Flashboards. (I'm on 7.5 still, so don't know if that has anything to do with what alerts I receive.)

Thanks,
David

David Durling
University of Georgia

From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Mueller, Doug
Sent: Sunday, April 20, 2014 7:20 PM
To: arslist@ARSLIST.ORG
Subject: Re: Remedy, OpenSSL, and the Heartbleed bug

Andrew,

On this topic, I want to understand your statement

Why is it that literally every single communication with BMC is shrouded by a cloud of confusion or outright misdirection lately?

I posted an initial note to the ARSlist and BMC Communities with information about the REMEDY product line. This note summarized the use of OpenSSL and whether aspects of the Remedy line were affected and confirmed that nothing in the Remedy line (including CMDB) was affected. The note further stated that formal communication about the Remedy product and about all other BMC products and whether they were affected was forthcoming from BMC. We just wanted to get information to this large community as quickly as po
Re: Remedy, OpenSSL, and the Heartbleed bug
Typo - it should read I thought "AR System's status was still undetermined", not undermined!

David D.

From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of David Durling
Sent: Monday, April 21, 2014 9:37 AM
To: arslist@ARSLIST.ORG
Subject: Re: Remedy, OpenSSL, and the Heartbleed bug

Doug,

First, on my part I appreciate your initial note about the status of the Remedy line. However, I was also waiting for an "official" statement - web page or email - that I could send on to management & sort of verify that nothing else had turned up.

My confusion was that I couldn't and still can't find "AR System" or any variant of that on http://www.bmc.com/support/support-news/openssl_CVE-2014-0160.html?a= , so just on Friday I told my management that AR System's status was still undermined per the note on that page saying products not in table 1 or 2 are still under investigation. We're all custom ARS, so I figured ITSM apps didn't apply to us. Am I misreading something on that page?

Also, I *could* be mistaken but I'm pretty sure I never received a Flash bulletin like the one Jase initially posted about, though I'm subscribed to all "proactive notifications" for AR System Server & Flashboards. (I'm on 7.5 still, so don't know if that has anything to do with what alerts I receive.)

Thanks,
David

David Durling
University of Georgia

From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Mueller, Doug
Sent: Sunday, April 20, 2014 7:20 PM
To: arslist@ARSLIST.ORG
Subject: Re: Remedy, OpenSSL, and the Heartbleed bug

Andrew,

On this topic, I want to understand your statement

Why is it that literally every single communication with BMC is shrouded by a cloud of confusion or outright misdirection lately?

I posted an initial note to the ARSlist and BMC Communities with information about the REMEDY product line. This note summarized the use of OpenSSL and whether aspects of the Remedy line were affected and confirmed that nothing in the Remedy line (including CMDB) was affected. The note further stated that formal communication about the Remedy product and about all other BMC products and whether they were affected was forthcoming from BMC. We just wanted to get information to this large community as quickly as possible.

Then, when further evaluation of all products that BMC ships was completed, postings were made to the web site and sent via email that detailed every product and included whether the product was affected or not affected by the issue. The products were clearly placed in one or the other category. This way, there is no question about "well my product is not listed so does it or does it not have an issue"? The products are on the "NOT affected" or on the "Affected" list. There may be a couple that are still under evaluation not on either list and that is because there is not an answer yet.

In order for me to share with the BMC team what exactly you found confusing or misdirecting about the communication or any aspect of it, could you please detail what issues you had with communication. You can either post to the list or send me email directly. Then, we can make sure that we work on issues you had so that things can be more clear in the future.

If getting some early information about the Remedy line was confusing, we can hold off any information until all information is available (and that would have meant several days delay in getting the information about the Remedy product to our customers).

If something about the format or wording or other about the message is the problem, identifying that issue would help the team be more clear in the future.

Thank you for any assistance you can offer to clarify your comments about confusion and misdirection on this particular issue.

Doug Mueller

From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Andrew Hicox
Sent: Thursday, April 17, 2014 6:03 AM
To: arslist@ARSLIST.ORG
Subject: Re: Remedy, OpenSSL, and the Heartbleed bug

Yeah but ADDM is, and you've gotta actually click through to the web page or PDF to find that out (and to find out that nearly everything else on the "ZOMG THESE THINGS ARE AFFECTED BY TEH HEARTBLEEEDZ!!!" email actually are NOT affected.)

Why is it that literally every single communication with BMC is shrouded by a cloud of confusion or outright misdirection lately? I can't imagine the epic fiasco it must be when support orders out for pizza LOL.

On Wednesday, April 16, 2014, Jase Brandon <jasebran...@gmail.com> wrote:

Hello All,

Please disregard my last post. I answered my own question after re-reading the BMC Flash.
Re: Remedy, OpenSSL, and the Heartbleed bug
Doug,

First, on my part I appreciate your initial note about the status of the Remedy line. However, I was also waiting for an "official" statement - web page or email - that I could send on to management & sort of verify that nothing else had turned up.

My confusion was that I couldn't and still can't find "AR System" or any variant of that on http://www.bmc.com/support/support-news/openssl_CVE-2014-0160.html?a= , so just on Friday I told my management that AR System's status was still undermined per the note on that page saying products not in table 1 or 2 are still under investigation. We're all custom ARS, so I figured ITSM apps didn't apply to us. Am I misreading something on that page?

Also, I *could* be mistaken but I'm pretty sure I never received a Flash bulletin like the one Jase initially posted about, though I'm subscribed to all "proactive notifications" for AR System Server & Flashboards. (I'm on 7.5 still, so don't know if that has anything to do with what alerts I receive.)

Thanks,
David

David Durling
University of Georgia

From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Mueller, Doug
Sent: Sunday, April 20, 2014 7:20 PM
To: arslist@ARSLIST.ORG
Subject: Re: Remedy, OpenSSL, and the Heartbleed bug

Andrew,

On this topic, I want to understand your statement

Why is it that literally every single communication with BMC is shrouded by a cloud of confusion or outright misdirection lately?

I posted an initial note to the ARSlist and BMC Communities with information about the REMEDY product line. This note summarized the use of OpenSSL and whether aspects of the Remedy line were affected and confirmed that nothing in the Remedy line (including CMDB) was affected. The note further stated that formal communication about the Remedy product and about all other BMC products and whether they were affected was forthcoming from BMC. We just wanted to get information to this large community as quickly as possible.

Then, when further evaluation of all products that BMC ships was completed, postings were made to the web site and sent via email that detailed every product and included whether the product was affected or not affected by the issue. The products were clearly placed in one or the other category. This way, there is no question about "well my product is not listed so does it or does it not have an issue"? The products are on the "NOT affected" or on the "Affected" list. There may be a couple that are still under evaluation not on either list and that is because there is not an answer yet.

In order for me to share with the BMC team what exactly you found confusing or misdirecting about the communication or any aspect of it, could you please detail what issues you had with communication. You can either post to the list or send me email directly. Then, we can make sure that we work on issues you had so that things can be more clear in the future.

If getting some early information about the Remedy line was confusing, we can hold off any information until all information is available (and that would have meant several days delay in getting the information about the Remedy product to our customers).

If something about the format or wording or other about the message is the problem, identifying that issue would help the team be more clear in the future.

Thank you for any assistance you can offer to clarify your comments about confusion and misdirection on this particular issue.

Doug Mueller

From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Andrew Hicox
Sent: Thursday, April 17, 2014 6:03 AM
To: arslist@ARSLIST.ORG
Subject: Re: Remedy, OpenSSL, and the Heartbleed bug

Yeah but ADDM is, and you've gotta actually click through to the web page or PDF to find that out (and to find out that nearly everything else on the "ZOMG THESE THINGS ARE AFFECTED BY TEH HEARTBLEEEDZ!!!" email actually are NOT affected.)

Why is it that literally every single communication with BMC is shrouded by a cloud of confusion or outright misdirection lately? I can't imagine the epic fiasco it must be when support orders out for pizza LOL.

On Wednesday, April 16, 2014, Jase Brandon <jasebran...@gmail.com> wrote:

Hello All,

Please disregard my last post. I answered my own question after re-reading the BMC Flash. Per Doug's earlier statement, the Remedy product line is not affected :-)

Thanks,
Jase

On Wed, Apr 16, 2014 at 4:15 PM, Jase Brandon <jasebran...@gmail.com> wrote:

Hello Doug and All,

I just got the below mail from BMC. I thought we were all clear that the heartbleed virus was nothing for us to be concerned about regarding the Remedy product line. Is this
Re: Remedy, OpenSSL, and the Heartbleed bug
Hey Doug,

I was a little confused by the email from BMC as well. However, since our system is in house our security team is using your email (and some security scans) as the basis that Remedy/ITSM 7.6.4 is ok.

Take care,
Howard

Sent from one of Howard's iPads

> On Apr 20, 2014, at 7:20 PM, "Mueller, Doug" wrote:
>
> Andrew,
>
> On this topic, I want to understand your statement
>
> Why is it that literally every single communication with BMC is shrouded by a cloud of confusion or outright misdirection lately?
>
> I posted an initial note to the ARSlist and BMC Communities with information about the REMEDY product line. This note summarized the use of OpenSSL and whether aspects of the Remedy line were affected and confirmed that nothing in the Remedy line (including CMDB) was affected. The note further stated that formal communication about the Remedy product and about all other BMC products and whether they were affected was forthcoming from BMC. We just wanted to get information to this large community as quickly as possible.
>
> Then, when further evaluation of all products that BMC ships was completed, postings were made to the web site and sent via email that detailed every product and included whether the product was affected or not affected by the issue. The products were clearly placed in one or the other category. This way, there is no question about "well my product is not listed so does it or does it not have an issue"? The products are on the "NOT affected" or on the "Affected" list. There may be a couple that are still under evaluation not on either list and that is because there is not an answer yet.
>
> In order for me to share with the BMC team what exactly you found confusing or misdirecting about the communication or any aspect of it, could you please detail what issues you had with communication. You can either post to the list or send me email directly. Then, we can make sure that we work on issues you had so that things can be more clear in the future.
>
> If getting some early information about the Remedy line was confusing, we can hold off any information until all information is available (and that would have meant several days delay in getting the information about the Remedy product to our customers).
>
> If something about the format or wording or other about the message is the problem, identifying that issue would help the team be more clear in the future.
>
> Thank you for any assistance you can offer to clarify your comments about confusion and misdirection on this particular issue.
>
> Doug Mueller
>
> From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Andrew Hicox
> Sent: Thursday, April 17, 2014 6:03 AM
> To: arslist@ARSLIST.ORG
> Subject: Re: Remedy, OpenSSL, and the Heartbleed bug
>
> Yeah but ADDM is, and you've gotta actually click through to the web page or PDF to find that out (and to find out that nearly everything else on the "ZOMG THESE THINGS ARE AFFECTED BY TEH HEARTBLEEEDZ!!!" email actually are NOT affected.)
>
> Why is it that literally every single communication with BMC is shrouded by a cloud of confusion or outright misdirection lately? I can't imagine the epic fiasco it must be when support orders out for pizza LOL.
>
> On Wednesday, April 16, 2014, Jase Brandon wrote:
>
> Hello All,
>
> Please disregard my last post. I answered my own question after re-reading the BMC Flash. Per Doug's earlier statement, the Remedy product line is not affected :-)
>
> Thanks,
>
> Jase
>
> On Wed, Apr 16, 2014 at 4:15 PM, Jase Brandon wrote:
>
> Hello Doug and All,
>
> I just got the below mail from BMC. I thought we were all clear that the heartbleed virus was nothing for us to be concerned about regarding the Remedy product line. Is this still the case or should we now be concerned with heartbleed?
>
> I've already communicated to our management after Doug's last mail that heartbleed was a non-issue so I'm hoping I don't have to reverse myself.
>
> Thanks in Advance,
>
> Jase Brandon
> Sr. Remedy Developer
>
> As you requested(1), BMC Software Customer Support is notifying you of the following information:
>
> | Type(2) | Description | Date | Link |
> | | BMC Software is alerting users to a serious issue where some BMC Products and services might be vulnerable to the OpenSSL flaw known as Heartbleed (CVE-2014-0160). | Apri
Re: Remedy, OpenSSL, and the Heartbleed bug
Andrew,

On this topic, I want to understand your statement

Why is it that literally every single communication with BMC is shrouded by a cloud of confusion or outright misdirection lately?

I posted an initial note to the ARSlist and BMC Communities with information about the REMEDY product line. This note summarized the use of OpenSSL and whether aspects of the Remedy line were affected and confirmed that nothing in the Remedy line (including CMDB) was affected. The note further stated that formal communication about the Remedy product and about all other BMC products and whether they were affected was forthcoming from BMC. We just wanted to get information to this large community as quickly as possible.

Then, when further evaluation of all products that BMC ships was completed, postings were made to the web site and sent via email that detailed every product and included whether the product was affected or not affected by the issue. The products were clearly placed in one or the other category. This way, there is no question about "well my product is not listed so does it or does it not have an issue"? The products are on the "NOT affected" or on the "Affected" list. There may be a couple that are still under evaluation not on either list and that is because there is not an answer yet.

In order for me to share with the BMC team what exactly you found confusing or misdirecting about the communication or any aspect of it, could you please detail what issues you had with communication. You can either post to the list or send me email directly. Then, we can make sure that we work on issues you had so that things can be more clear in the future.

If getting some early information about the Remedy line was confusing, we can hold off any information until all information is available (and that would have meant several days delay in getting the information about the Remedy product to our customers).

If something about the format or wording or other about the message is the problem, identifying that issue would help the team be more clear in the future.

Thank you for any assistance you can offer to clarify your comments about confusion and misdirection on this particular issue.

Doug Mueller

From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Andrew Hicox
Sent: Thursday, April 17, 2014 6:03 AM
To: arslist@ARSLIST.ORG
Subject: Re: Remedy, OpenSSL, and the Heartbleed bug

Yeah but ADDM is, and you've gotta actually click through to the web page or PDF to find that out (and to find out that nearly everything else on the "ZOMG THESE THINGS ARE AFFECTED BY TEH HEARTBLEEEDZ!!!" email actually are NOT affected.)

Why is it that literally every single communication with BMC is shrouded by a cloud of confusion or outright misdirection lately? I can't imagine the epic fiasco it must be when support orders out for pizza LOL.

On Wednesday, April 16, 2014, Jase Brandon <jasebran...@gmail.com> wrote:

Hello All,

Please disregard my last post. I answered my own question after re-reading the BMC Flash. Per Doug's earlier statement, the Remedy product line is not affected :-)

Thanks,
Jase

On Wed, Apr 16, 2014 at 4:15 PM, Jase Brandon <jasebran...@gmail.com> wrote:

Hello Doug and All,

I just got the below mail from BMC. I thought we were all clear that the heartbleed virus was nothing for us to be concerned about regarding the Remedy product line. Is this still the case or should we now be concerned with heartbleed?

I've already communicated to our management after Doug's last mail that heartbleed was a non-issue so I'm hoping I don't have to reverse myself.

Thanks in Advance,

Jase Brandon
Sr. Remedy Developer

As you requested(1), BMC Software Customer Support is notifying you of the following information:

| Type(2) | Description | Date | Link |
| | BMC Software is alerting users to a serious issue where some BMC Products and services might be vulnerable to the OpenSSL flaw known as Heartbleed (CVE-2014-0160). | April 15, 2014 | HTML(3) PDF(3) |

| Product | Version(s) |
| AppSight Analysis J2EE Named User | 7.8.00 |
| AppSight Analysis WIN/NET Named User | 7.8.00, 7.7.00 |
| AppSight Code Console | 7.8.00, 7.7.00 |
| AppSight Combined Console-Floating 1/5 | 7.8.00, 7.7.00 |
| AppSight Support System - Enterprise License | 7.8.00, 7.7.00 |
| AppSight Support System for J2EE | 7.8.00 |
| AppSight Support System for WIN/.NET | 7.8.00, 7.7.00 |
| AppSight Support System for WIN/.NET 5 Users | 7.8.00, 7.7.00 |
| AppSight Support System for Windows - Additional Console | 7.8.00, 7.7.00 |
| AppSight System Blackbox Client | 7.8.00, 7.7.00 |
| AppSight System Console | 7.8.00, 7.7.00 |
| AppSight System Platform Enabler | 7.8.00, 7.7.00 |
| BMC AppSight | 7.8.00, 7.7.00 |
| BMC AppSight Additional Platform | 1.0.01 |
Re: Remedy, OpenSSL, and the Heartbleed bug
Hi everyone,

At least one bright point in the BMC habit to use really old versions of other vendors' software. However I would be really happy if they would update at least the ehcache manager version which is used on midtiers. Existing is at least 2.5.0 but midtier 8.1 still uses 2.0.1 :(

anyway thanks for this info Doug.

best regards
Marek

On 10/04/2014 05:57, DEE wrote:

Thank you Doug,

This is perfect.

DEE

-----Original Message-----
From: Mueller, Doug
To: arslist
Sent: Wed, Apr 9, 2014 11:30 pm
Subject: Remedy, OpenSSL, and the Heartbleed bug

Everyone,

I am sure that most if not all of you have seen the reports in the media about the security bug (called the Heartbleed bug) that has been found out on the internet.

Some details:

OpenSSL is the source of the bug. It is a technology used for encryption. The AR System environment uses this technology for password encryption and to encrypt the data as it flows across the wire.

The issue was introduced in version 1.0.1 of OpenSSL (released March 2012) and is present in 1.0.1 and 1.0.1a through 1.0.1f of that product. There is a corrected version that was released April 7, 2014 that corrects the error. The error is NOT present in the 0.9.8 or 1.0.0 versions of the product.

The AR System uses the 0.9.8 version of the OpenSSL libraries. We have gone through the build trees to confirm this for versions 7.6.04, 8.0, and 8.1 and the service packs and patches for those releases. For all of them, we are using the 0.9.8 version.

This means that the AR System, its plugins, its applications, the CMDB, the API, etc. is not affected by the Heartbleed bug and there is no action you need to take on your environment.

BMC is investigating all of the products it ships to check which ones of them may have issues due to this bug. There will be a formal announcement in the near future of BMC's exposure and the remediation plans for any exposure found. This will include the official announcement from BMC about the AR System environment.

I just wanted to share the information with this list as soon as it was confirmed that there was no issue with the Remedy product line.

Doug Mueller
Re: Remedy, OpenSSL, and the Heartbleed bug
Thank you Doug,

This is perfect.

DEE

-----Original Message-----
From: Mueller, Doug
To: arslist
Sent: Wed, Apr 9, 2014 11:30 pm
Subject: Remedy, OpenSSL, and the Heartbleed bug

Everyone,

I am sure that most if not all of you have seen the reports in the media about the security bug (called the Heartbleed bug) that has been found out on the internet.

Some details:

OpenSSL is the source of the bug. It is a technology used for encryption. The AR System environment uses this technology for password encryption and to encrypt the data as it flows across the wire.

The issue was introduced in version 1.0.1 of OpenSSL (released March 2012) and is present in 1.0.1 and 1.0.1a through 1.0.1f of that product. There is a corrected version that was released April 7, 2014 that corrects the error. The error is NOT present in the 0.9.8 or 1.0.0 versions of the product.

The AR System uses the 0.9.8 version of the OpenSSL libraries. We have gone through the build trees to confirm this for versions 7.6.04, 8.0, and 8.1 and the service packs and patches for those releases. For all of them, we are using the 0.9.8 version.

This means that the AR System, its plugins, its applications, the CMDB, the API, etc. is not affected by the Heartbleed bug and there is no action you need to take on your environment.

BMC is investigating all of the products it ships to check which ones of them may have issues due to this bug. There will be a formal announcement in the near future of BMC's exposure and the remediation plans for any exposure found. This will include the official announcement from BMC about the AR System environment.

I just wanted to share the information with this list as soon as it was confirmed that there was no issue with the Remedy product line.

Doug Mueller
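
Added example (not part of the thread and not BMC's tooling): a customer-side counterpart to the build-tree check in the April 9 message, which walks an install tree, pulls the OpenSSL version banner embedded in each file, and classifies it against the ranges that message gives. The function names, labels and the sample tree in demo() are constructed for illustration.

```python
"""Inventory OpenSSL version banners found in files under an install tree."""
import os
import re
import tempfile

# OpenSSL libraries embed a banner such as b"OpenSSL 0.9.8y 5 Feb 2013".
# Group 1 is the release ("1.0.1"), group 2 the patch letters ("e", "zh" or "").
BANNER = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+)([a-z]{0,2})(?:-[a-z0-9]+)? +"
    rb"\d{1,2} [A-Z][a-z]{2} \d{4}"
)

# Range quoted in the April 9 message: 1.0.1 and 1.0.1a through 1.0.1f.
AFFECTED_LETTERS = {"", "a", "b", "c", "d", "e", "f"}


def classify(release, letter):
    """Map a release and patch letter onto the ranges given in the thread."""
    if release == "1.0.1":
        return "affected" if letter in AFFECTED_LETTERS else "not affected"
    if release in ("0.9.8", "1.0.0"):
        return "not affected"
    # The message says nothing about other branches, so do not guess.
    return "not covered"


def scan_tree(root):
    """Return sorted (relative path, version, verdict) for every banner found.

    The banner is the upstream version only. A vendor may have backported the
    fix or built without heartbeat support, so "affected" means "look closer".
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as handle:
                    data = handle.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            seen = set()
            for match in BANNER.finditer(data):
                release = match.group(1).decode()
                letter = match.group(2).decode()
                if (release, letter) in seen:
                    continue  # the banner is usually repeated inside one file
                seen.add((release, letter))
                findings.append((os.path.relpath(path, root),
                                 release + letter,
                                 classify(release, letter)))
    return sorted(findings)


def demo():
    """Scan a constructed tree; the file names and contents are sample data."""
    samples = {
        ("lib", "libcrypto.so.0.9.8"): b"\x7fELF\x00OpenSSL 0.9.8y 5 Feb 2013\x00",
        # The 1.0.1 series keeps the 1.0.0 soname, so the file name alone
        # does not reveal which release this is.
        ("plugins", "libssl.so.1.0.0"): b"\x00OpenSSL 1.0.1e 11 Feb 2013\x00"
                                        b"\x00OpenSSL 1.0.1e 11 Feb 2013\x00",
        ("bin", "tool"): b"\x00\x01OpenSSL 1.0.1g 7 Apr 2014\x00",
        ("docs", "README.txt"): b"no crypto library here\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for (folder, name), content in samples.items():
            os.makedirs(os.path.join(root, folder), exist_ok=True)
            with open(os.path.join(root, folder, name), "wb") as handle:
                handle.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for path, version, verdict in demo():
        print(f"{verdict:13} {version:8} {path}")
```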