Let's say, for the sake of argument, that you absolutely cannot update to the latest version of SMH, VCA or VCRM. All 3 of those have recently been updated to include OpenSSL 1.0.1g, but let's pretend you can't update for whatever reason (compatibility concerns, effort involved, etc.
You could, if you want, simply download OpenSSL 1.0.1g for your OS and update the files yourself. I don't have any physical boxes running Linux so I won't pretend to know about that, but someone already mentioned how a few posts up.
For Windows, you download a compiled version and you should have a couple of DLL's to focus on:
ssleay32.dll
libeay32.dll
If you're having trouble finding compiled versions of those DLL's, well hey, just extract the contents of the latest VCA, VCRM or SMH and they're inside there, both 32 and 64 bit versions.
On your Windows machine, under C:\HP you'll find multiple locations where those files exist, depending on what all you have installed. On my machine which has SMH, VCA *and* VCRM installed, there are 4 spots where both files live:
C:\hp\hpsmh\bin\libeay32.dll
C:\hp\hpsmh\bin\ssleay32.dll
C:\hp\hpsmh\data\cgi-bin\vcagent\libeay32.dll
C:\hp\hpsmh\data\cgi-bin\vcagent\ssleay32.dll
C:\hp\hpsmh\data\cgi-bin\vcrepository\libeay32.dll
C:\hp\hpsmh\data\cgi-bin\vcrepository\ssleay32.dll
C:\hp\hpsmh\modules\libeay32.dll
C:\hp\hpsmh\modules\ssleay32.dll
I can't quite figure out why, but the DLLs located in hpsmh\bin and hpsmh\modules are slightly different filesizes than the ones in vcagent and vcrepository... they're all 1.0.1g though, and the 64-bit version on my 64-bit Windows, but it's odd. It's like HP compiled them differently. I think it'd be safe to use the same one for all the spots though, but if you really want to be sure, extract the specific files from the specific HP software.
Anyway, copy over either the 32 or 64 bit version depending on what you're running. You'll need to stop the services first of course. If you use the files from inside the HP software, the 64-bit versions have "x64" in the filename, so just copy them over to the regular filename.
If none of this is making any sense, then you probably shouldn't be attempting something like this... just saying...
Oh, and if you're running HP SIM, there's no new version out yet, but it's running an older version of OpenSSL that isn't vulnerable. I just checked, and my HP SIM 7.3 with the latest hotfixes only has version 0.9.8d. Seems like HP SIM is safe only by it's extreme negligence in keeping it's SSL libraries up to date in the first place. Could be worse I guess.
Of course your best bet is to install the latest HP software anyway because there's more fixes besides just OpenSSL, but if none of them apply to you and you're happy with the version you're on, this could be an easier way to go to secure things. Just script something to stop those services remotely, copy the new files out where they belong, and restart.
Disclaimer: I have NOT tried this out myself, but when Heartbleed was first announced, I looked into doing this as a plan B in case HP dragged it's feet getting it patched properly. If it doesn't work, keep those old DLL's handy and roll back if needed.
