OPENSSL VULNERABILITY - THE “HEARTBLEED” BUG EFFECT ON PRIMERGY AND RELATED SOFTWARE
PROBLEM / QUESTION
A significant and serious security vulnerability, known as Heartbleed, has been identified in the widely used OpenSSL cryptographic library that implements Secure Socket Layer (SSL) and Transport Layer Security (TLS) encryption.
Many users now are concerned about the security of Fujitsu software and services and need to know whether or not action is required in order to restore secure communication.
This Support Bulletin is intended to answer the most common questions regarding the effect of the Heartbleed bug on Fujitsu PRIMERGY software and services.
AFFECTED AND UNAFFECTED PRODUCTS
- The following Fujitsu PRIMERGY product is affected:
- ServerView RAID Manager versions 5.5, 5.6 and 5.7
- The following Fujitsu PRIMERGY products are not affected:
- Fujitsu does not consider CVE-2014-0160 to be a security vulnerability for any of the following ServerView Suite products:
ServerView Installation Manager
ServerView Scripting Toolkit (WIN PE and Linux)
ServerView PXE Mass Update Tools
ServerView Integration Pack for Altiris
ServerView Deployment Manager
ServerView Operations Manager for Windows and Linux
ServerView Agents and Providers for Windows
ServerView Agents and Providers for Linux
ServerView CIM Providers for ESXi
ServerView Update Manager Express
ServerView Online Diagnostics
ServerView Virtual I/O Manager
ServerView Integration Packages for Microsoft System Center products
ServerView Integration Package for HP Operations Manager
ServerView Integration Package for HP OpenView NNM
ServerView Plug-in for Nagios
ServerView Plug-in for VMware VCenter
ServerView iRMC S1/S2/S3/S4
ServerView Management Blade (MMB) of BX400, BX600 or BX900
- Fujitsu does not consider CVE-2014-0160 to be a security vulnerability for any of the following components:
Baseboard Management Controller (BMC) of CX250 S1/S2
cBlades of PRIMERGY BladeFrame BF200 / BF400 S2
PY BX600 Eth Switch 1Gb 10/6+2 (SB9)
PY CB Eth Switch/IBP 1Gb 18/6 (SB6)
PY CB Eth Switch/IBP 36/8+2x10Gb (SB11)
PY CB Eth Switch/IBP 1Gb 36/12 (SB11a)
PY CB Eth Switch/IBP 10Gb 18/8 (SBAX2)
CB DCB Switch FEX B22F 10Gb 16/8 (Cisco)
Mellanox IB switch
Mellanox IB HBA
Intel IB switch
Intel IB HBA
Linux operating systems may also be affected by the Heartbleed vulnerability and may have to be updated! Please note that affected versions require adjustments if ServerView Operations Manager is running on these systems (see section Solution / Workaround below)! A list of affected versions can be found here:
SOLUTION / WORKAROUND
ServerView RAID Manager:
Updated versions of ServerView RAID Manager 5.6 and 5.7 as well as a new version 5.8 are already available. Please update to the latest version for your hardware and operating system:
- The new version 5.8.5 of ServerView RAID Manager is already available on the Fujitsu Driver & Downloads web server and also on the ServerView Installation Manager DVD 11.14.4!
- The corrected version 5.7.11 of ServerView RAID Manager – which is only required for VMware ESX Server 4.0 – is already available on the Fujitsu Driver & Downloads web server!
- The corrected version 5.6.7 of ServerView RAID Manager – which is only required for older RAID controllers**) – is already available on the Fujitsu Driver & Downloads web server!
**) Please use the following ServerView RAID Manager versions for older RAID controllers:
- ServerView RAID Manager 5.6.7 which supports Adaptec HostRAID, IBM ServeRAID, LSI SCSI RAID, Promise RAID controllers
- ServerView RAID Manager 2.3.18 which supports Adaptec 2120S, 2200S, 2020ZCR (not affected by the vulnerability; no update is necessary)
The corrected versions are available for download on the Fujitsu Driver & Downloads web server.
Until the corrected versions are installed, please make sure that the server which is running ServerView RAID Manager is not reachable from the Internet! Uninstalling ServerView RAID Manager involves the risk of no longer being able to monitor the status of the server's RAID or any problems that occur. It might therefore be more advisable to restrict the web access of ServerView RAID Manager to the local system. The following options can be changed within the configuration file of ServerView RAID Manager:
- Edit the file amDPatch.ini in directory %ProgramFiles%\Fujitsu\ServerView Suite\RAID Manager\bin (Windows) or /opt/Fujitsu/ServerViewSuite/RAIDManager/bin (Linux, VMware ESX Server).
- In order to refuse external connections to the web interface of ServerView RAID Manager, please use the following option:
LocalConnections = 1
(Default: LocalConnections = 0) ***)
This is the recommended setting until the corrected version of ServerView RAID Manager has been installed. This option only allows local connections to the web interface by using the web address https://localhost:3173.
- Additionally customers who want to completely restrict the access to the web interface of ServerView RAID Manager may also remove the value SJT from the Modules option:
Modules = amSNMP, amMPX, amCmd, amEMSV
(Default: Modules = SJT, amSNMP, amMPX, amCmd, amEMSV) ***)
This will refuse any access to the web interface of ServerView RAID Manager. It's then still possible to manage the server's RAID by using the local ServerView RAID Manager amCLI command (please see the ServerView RAID Manager manual for more information).
- In order to enable the new settings, it is necessary to restart the ServerView RAID Manager service amService (Windows) or amDaemon (Linux, VMware ESX Server)!
***) After installation of the corrected version of ServerView RAID Manager, please check these options and revert to the default value if necessary.
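The interim amDPatch.ini mitigation above can be applied and verified with a small script. This is an added example, not Fujitsu's own tooling; it assumes amDPatch.ini is a flat "Key = value" text file with case-insensitive option names, and the sample file below is constructed from the defaults quoted in the bulletin.

```python
"""Apply / verify the interim amDPatch.ini mitigation for ServerView RAID Manager.

Assumption (not from the bulletin): amDPatch.ini is a flat 'Key = value' file.
SAMPLE_INI is a constructed sample, not a file from a real installation.
"""
import re

SAMPLE_INI = """\
; constructed sample of amDPatch.ini (defaults as quoted in the bulletin)
LocalConnections = 0
Modules = SJT, amSNMP, amMPX, amCmd, amEMSV
LogLevel = 3
"""

_KV = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$")


def parse_options(text):
    """Return {key_lower: value} for every 'Key = value' line."""
    opts = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            opts[m.group(1).lower()] = m.group(2)
    return opts


def harden_amdpatch(text, disable_web=False):
    """Set LocalConnections = 1 and, if disable_web, drop SJT from Modules.
    Comments and unrelated options are passed through unchanged."""
    out, seen_local = [], False
    for line in text.splitlines():
        m = _KV.match(line)
        key = m.group(1).lower() if m else None
        if key == "localconnections":
            out.append("LocalConnections = 1")
            seen_local = True
        elif key == "modules" and disable_web:
            mods = [v.strip() for v in m.group(2).split(",") if v.strip()]
            out.append("Modules = " + ", ".join(v for v in mods if v.upper() != "SJT"))
        else:
            out.append(line)
    if not seen_local:  # absent option means the default 0, so add it explicitly
        out.append("LocalConnections = 1")
    return "\n".join(out) + "\n"


def web_exposure(text):
    """'external' (web UI reachable remotely), 'local_only' (https://localhost:3173
    only) or 'disabled' (SJT module removed, amCLI management only)."""
    opts = parse_options(text)
    mods = [v.strip().upper() for v in opts.get("modules", "SJT").split(",")]
    if "SJT" not in mods:
        return "disabled"
    return "local_only" if opts.get("localconnections", "0") == "1" else "external"
```

Run web_exposure() against the live file before and after the service restart to confirm the setting took effect, and again after installing the corrected version to decide whether to revert to the defaults.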
ServerView Suite on Linux Operating Systems:
It is strongly recommended to examine the operating system and hypervisor, as well as any hardware, middleware or software products on all existing servers for CVE-2014-0160 vulnerability and to engage their respective vendors for information.
An affected Linux distribution should be updated to an unaffected OpenSSL version as soon as possible. The necessary procedure is also described here:
In addition, two symbolic links have to be adapted if ServerView Operations Manager is installed on these systems:
- Remove the following existing symbolic links for ServerView / OpenSSL:
- Establish new symbolic links for ServerView pointing to the updated – not affected – OpenSSL version. The example below lists the commands for OpenSSL version 1.0.1g:
ln -s /usr/lib/libssl.so.1.0.1g /usr/lib/serverview/libssl.so
ln -s /usr/lib/libcrypto.so.1.0.1g /usr/lib/serverview/libcrypto.so
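The two-step symbolic link update above, as an added example that is not part of the bulletin: the function removes the existing ServerView links, re-creates them against lib*.so.&lt;version&gt; and refuses to link a version that is still in the Heartbleed range (OpenSSL 1.0.1 through 1.0.1f). The library and serverview directories are parameters so the demo can run in a temporary directory instead of /usr/lib.

```python
"""Re-point the ServerView OpenSSL symlinks after a distribution update.

Added example, not Fujitsu's tooling. Assumes the layout quoted in the
bulletin: <libdir>/libssl.so.<ver> and <svdir>/libssl.so (same for libcrypto).
"""
import os
import re
import tempfile

LIBS = ("libssl", "libcrypto")


def heartbleed_affected(version):
    """True for OpenSSL 1.0.1 .. 1.0.1f (the Heartbleed range); 1.0.1g and later are fixed."""
    m = re.fullmatch(r"1\.0\.1([a-z]?)", version)
    return bool(m) and m.group(1) < "g"


def relink_serverview_openssl(libdir, svdir, version):
    """Remove the existing serverview libssl.so/libcrypto.so links and create
    new ones pointing at lib*.so.<version> in libdir. Returns {lib: new target}."""
    if heartbleed_affected(version):
        raise ValueError(f"OpenSSL {version} is still affected; update the OS first")
    targets = {}
    for lib in LIBS:
        target = os.path.join(libdir, f"{lib}.so.{version}")
        if not os.path.exists(target):
            raise FileNotFoundError(target)
        link = os.path.join(svdir, f"{lib}.so")
        if os.path.lexists(link):
            os.remove(link)          # step 1: remove the existing link
        os.symlink(target, link)     # step 2: ln -s <target> <link>
        targets[lib] = os.readlink(link)
    return targets


def demo():
    """Constructed tree: links still on 1.0.1e, relinked to 1.0.1g. Returns (before, after)."""
    with tempfile.TemporaryDirectory() as root:
        libdir = os.path.join(root, "usr", "lib")
        svdir = os.path.join(libdir, "serverview")
        os.makedirs(svdir)
        for lib in LIBS:
            for ver in ("1.0.1e", "1.0.1g"):
                open(os.path.join(libdir, f"{lib}.so.{ver}"), "w").close()
            os.symlink(os.path.join(libdir, f"{lib}.so.1.0.1e"), os.path.join(svdir, f"{lib}.so"))
        before = {l: os.path.basename(os.readlink(os.path.join(svdir, f"{l}.so"))) for l in LIBS}
        new = relink_serverview_openssl(libdir, svdir, "1.0.1g")
        after = {l: os.path.basename(p) for l, p in new.items()}
    return before, after
```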
VMware ESXi 5.5
A new Fujitsu custom image has been released to solve the problem of the affected VMware product. The Fujitsu Custom Offline Bundle ESXi 5.5 Update 1 (version 311.1.1746018) has been released and is available for download on the Fujitsu Driver & Downloads
After applying all necessary fixes for ServerView RAID Manager and/or Linux operating systems, please consider changing certificates, passwords, etc. Please check the Internet for additional information on doing so. A good starting point might be http://heartbleed.com
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. FUJITSU RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. FUJITSU EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.
Last Update: 02.06.2014