Re: Is HP Data Protector 6.2 using vulnerable OpenSSL Heartbleed libraries? (876 Views)
Occasional Collector
ISS-JDR
Posts: 3
Registered: ‎04-17-2014
Message 1 of 6 (975 Views)

Is HP Data Protector 6.2 using vulnerable OpenSSL Heartbleed libraries?

We have noticed that at least 3 builds of HP Data Protector 6.2 (32-bit) are using OpenSSL libraries created after December, 2011, but contain no file or product version info:

 

- 06.20.1004
   \Program Files\OmniBack\bin\ssleay32.dll
   2/1/2013 7:09:06 PM 932,664
   \Program Files\OmniBack\bin\libeay32.dll
   2/1/2013 7:08:20 PM 1,296,184

- 06.20.0989
   \Program Files\OmniBack\bin\ssleay32.dll
   10/21/2012 2:54:00 AM 932,256
   \Program Files\OmniBack\bin\libeay32.dll
   10/21/2012 2:53:44 AM 1,295,776

- 06.20.0951
   \Program Files\OmniBack\bin\ssleay32.dll
   12/10/2011 6:01:26 PM 932,224
   \Program Files\OmniBack\bin\libeay32.dll
   12/10/2011 6:00:34 PM 1,295,744

 

Are any of these libraries vulnerable to the OpenSSL Heartbleed issue?  If so, we will remedy this by upgrading them to the latest HP Data Protector agent version.


Thank you. 

HP Expert
Bob_Clark
Posts: 1,486
Registered: ‎08-14-2013
Message 2 of 6 (939 Views)

Re: Is HP Data Protector 6.2 using vulnerable OpenSSL Heartbleed libraries?

I am not aware of any Security bulletins that address this; I am checking on it now.

There appears to be a publicly available web site I found by 'googling' HP Security Bulletin:

http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive?ac.admitted=1397757017244.876444...

In the category "HP General SW Security Bulletins", there are a couple of notices that talk about the 'HeartBleed' virus, but nothing seems to address Data Protector directly.

 

 

HP Expert
Bob_Clark
Posts: 1,486
Registered: ‎08-14-2013
Message 3 of 6 (876 Views)

Re: Is HP Data Protector 6.2 using vulnerable OpenSSL Heartbleed libraries?

The official Security Bulletin regarding HP Products and HeartBleed is available at

https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04239413

The word I get is that Data Protector uses a different version of OpenSSL that was not affected by HeartBleed.

Occasional Collector
ISS-JDR
Posts: 3
Registered: ‎04-17-2014
Message 4 of 6 (870 Views)

Re: Is HP Data Protector 6.2 using vulnerable OpenSSL Heartbleed libraries?

We tend to agree.  There's no presence of the magic string 'HEARTBEAT' in these OpenSSL libraries either.  However, they could have been compiled with -DOPENSSL_NO_ERR defined, which would've excluded the error strings.

Regardless, we will continue to monitor for updates from HP.

Thanks for the research and feedback.

Acclaimed Contributor
Dennis Handly
Posts: 25,274
Registered: ‎03-06-2006
Message 5 of 6 (793 Views)

Re: Is HP Data Protector 6.2 using vulnerable OpenSSL Heartbleed libraries?


>The official Security Bulletin regarding HP Products and HeartBleed is available at

This appears to be for "servers" only, not software products.

http://www8.hp.com/us/en/heartbleed.html

You may have to search for other products: openssl heartbleed site:hp.com

Though your link in message #2 seems to list all products.

Occasional Collector
ISS-JDR
Posts: 3
Registered: ‎04-17-2014
Message 6 of 6 (728 Views)

Re: Is HP Data Protector 6.2 using vulnerable OpenSSL Heartbleed libraries?


Good news.  I found a simple work-around** to verify that these are using OpenSSL library version 0.9.8l -- which is NOT vulnerable.

** The work-around:
notepad.exe libeay32.dll
Find: part of OpenSSL

notepad.exe ssleay32.dll
Find: part of OpenSSL
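
The notepad search from message 6 can be scripted across many agents. The following Python sketch is an added example, not part of the original thread or any HP tooling: it pulls the embedded "OpenSSL <version>" text out of a DLL and classifies it against the Heartbleed range (1.0.1 through 1.0.1f and the 1.0.2 betas). The function names and the sample byte strings are constructed for illustration.

```python
import re
import sys

# Matches the text the notepad search lands on, e.g.
# "AES part of OpenSSL 0.9.8l 5 Nov 2009" or "OpenSSL 1.0.1e-fips 11 Feb 2013".
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)(-beta\d*)?[ -]")

def openssl_versions(blob: bytes) -> set:
    """Return every distinct OpenSSL version string embedded in a binary image."""
    return {(m.group(1) + m.group(2) + (m.group(3) or b"")).decode("ascii")
            for m in VERSION_RE.finditer(blob)}

def heartbleed_affected(version: str) -> bool:
    """True for 1.0.1 up to 1.0.1f and the 1.0.2 betas; 1.0.1g and 0.9.8/1.0.0 are not."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+)([a-z]*)(-beta\d*)?", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    base, letter, beta = m.groups()
    if base == "1.0.1":
        return beta is not None or letter < "g"   # "" (plain 1.0.1) through "f"
    if base == "1.0.2":
        return beta is not None                   # heartbeat bug fixed before 1.0.2 final
    return False                                  # heartbeat code absent before 1.0.1

def assess(blob: bytes) -> str:
    """Summarise one library image; a missing version string proves nothing."""
    versions = openssl_versions(blob)
    if not versions:
        return "inconclusive: no OpenSSL version string found"
    bad = sorted(v for v in versions if heartbleed_affected(v))
    if bad:
        return "affected: " + ", ".join(bad)
    return "not affected: " + ", ".join(sorted(versions))

# Constructed sample data standing in for DLL contents (not real file bytes).
SAMPLE_OLD = b"\x00\x01AES part of OpenSSL 0.9.8l 5 Nov 2009\x00SHA part of OpenSSL 0.9.8l 5 Nov 2009\x00"
SAMPLE_BAD = b"\x90\x90OpenSSL 1.0.1e 11 Feb 2013\x00\xff"

if __name__ == "__main__":
    # Usage: python check_openssl.py libeay32.dll ssleay32.dll
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(f"{path}: {assess(fh.read())}")
```

An "inconclusive" result means the version text is absent or was stripped, so the library needs to be identified another way, such as the vendor bulletin.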
