Data Protector Practitioners Forum

Is HP Data Protector 6.2 using vulnerable OpenSSL Heartbleed libraries?

Occasional Collector


We have noticed that at least 3 builds of HP Data Protector 6.2 (32-bit) are using OpenSSL libraries created after December, 2011, but contain no file or product version info:

 

- 06.20.1004
   \Program Files\OmniBack\bin\ssleay32.dll
   2/1/2013 7:09:06 PM 932,664
   \Program Files\OmniBack\bin\libeay32.dll
   2/1/2013 7:08:20 PM 1,296,184

- 06.20.0989
   \Program Files\OmniBack\bin\ssleay32.dll
   10/21/2012 2:54:00 AM 932,256
   \Program Files\OmniBack\bin\libeay32.dll
   10/21/2012 2:53:44 AM 1,295,776

- 06.20.0951
   \Program Files\OmniBack\bin\ssleay32.dll
   12/10/2011 6:01:26 PM 932,224
   \Program Files\OmniBack\bin\libeay32.dll
   12/10/2011 6:00:34 PM 1,295,744

 

Are any of these libraries vulnerable to the OpenSSL Heartbleed issue?  If so, we will remedy this by upgrading them to the latest HP Data Protector agent version.


Thank you. 

5 REPLIES
HPE Expert

Re: Is HP Data Protector 6.2 using vulnerable OpenSSL Heartbleed libraries?

I am not aware of any Security Bulletins that address this. I am checking on it now.

 

There appears to be a publicly available web site I found by 'googling' HP Security Bulletin:

 

http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive?ac.admitted=1397757017244.876444892.199480143

 

In the category "HP General SW Security Bulletins", there are a couple of notices that talk about the 'HeartBleed' virus, but nothing seems to address Data Protector directly.

 

 

HPE Expert

Re: Is HP Data Protector 6.2 using vulnerable OpenSSL Heartbleed libraries?

The official Security Bulletin regarding HP Products and HeartBleed is available at

 

https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04239413

 

The word I get is that Data Protector uses a different version of OpenSSL that was not affected by HeartBleed.

Occasional Collector

Re: Is HP Data Protector 6.2 using vulnerable OpenSSL Heartbleed libraries?

We tend to agree.  There's no presence of the magic string 'HEARTBEAT' in these OpenSSL libraries either.  However, they could have been compiled with -DOPENSSL_NO_ERR defined, which would've excluded the error strings.

Regardless, we will continue to monitor for updates from HP.

Thanks for the research and feedback.

Acclaimed Contributor

Re: Is HP Data Protector 6.2 using vulnerable OpenSSL Heartbleed libraries?


>The official Security Bulletin regarding HP Products and HeartBleed is available at

 

This appears to be for "servers" only, not software products.

http://www8.hp.com/us/en/heartbleed.html

You may have to search for other products: openssl heartbleed site:hp.com

 

Though your link in message #2 seems to list all products.

Occasional Collector

Re: Is HP Data Protector 6.2 using vulnerable OpenSSL Heartbleed libraries?


Good news.  I found a simple work-around** to verify that these are using OpenSSL library version 0.9.8l -- which is NOT vulnerable.

** The work-around:
notepad.exe libeay32.dll
Find: part of OpenSSL

notepad.exe ssleay32.dll
Find: part of OpenSSL
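
The notepad check from the last post, automated for several DLLs at once, as an added example that is not part of the original thread. It assumes the libraries carry the usual `part of OpenSSL <version> <date>` banner, and it classifies against the Heartbleed range of 1.0.1 through 1.0.1f plus 1.0.2-beta1; the function names and sample byte strings are constructed for illustration.

```python
import re
import sys

# Matches banners such as b"AES part of OpenSSL 0.9.8l 5 Nov 2009".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)(-beta\d+)?")

# Constructed sample data standing in for DLL contents (not real file bytes).
SAMPLE_098L = b"\x00AES part of OpenSSL 0.9.8l 5 Nov 2009\x00RSA part of OpenSSL 0.9.8l 5 Nov 2009\x00"
SAMPLE_101E = b"\x00SSLv3 part of OpenSSL 1.0.1e 11 Feb 2013\x00"

def openssl_versions(blob: bytes) -> set:
    """Return every distinct OpenSSL version string embedded in a binary."""
    found = set()
    for m in BANNER.finditer(blob):
        base, letter, beta = (g.decode() if g else "" for g in m.groups())
        found.add(base + letter + beta)
    return found

def heartbleed_affected(version: str) -> bool:
    """True for 1.0.1 through 1.0.1f and for 1.0.2-beta1."""
    if version == "1.0.2-beta1":
        return True
    m = re.fullmatch(r"1\.0\.1([a-z]*)", version)
    return bool(m) and m.group(1) in ("", "a", "b", "c", "d", "e", "f")

def assess(blob: bytes) -> str:
    """Summarise one binary; a missing banner is 'unknown', never 'safe'."""
    versions = openssl_versions(blob)
    if not versions:
        return "unknown: no OpenSSL version banner found"
    if len(versions) > 1:
        return "ambiguous: " + ", ".join(sorted(versions))
    (v,) = versions
    return f"{v}: " + ("AFFECTED" if heartbleed_affected(v) else "not affected")

if __name__ == "__main__":
    if sys.argv[1:]:  # e.g. python check.py libeay32.dll ssleay32.dll
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, "->", assess(fh.read()))
    else:
        for name, blob in (("sample 0.9.8l", SAMPLE_098L), ("sample 1.0.1e", SAMPLE_101E)):
            print(name, "->", assess(blob))
```

A result of "unknown" or "ambiguous" means the file needs a closer look, since a stripped or mixed build would not show a single clean banner.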