Server makers rushing out Heartbleed patches

Enterprise IT vendors are rushing to protect users from the Heartbleed bug, which has been found in some servers and networking gear and could allow attackers to steal critical data -- including passwords and encryption keys -- from the memories of exposed systems.

Hewlett-Packard, Dell and IBM have set up pages that identify hardware and software products affected by Heartbleed, which exposes a critical defect in certain versions of OpenSSL, a software library for secure communication over the Internet and networks.

The bug, which was detailed last week, has already been patched in a new version of OpenSSL, but hardware companies are now racing to patch products relying on older versions. Firmware and software patches have been issued for HP's BladeSystems and IBM's AIX servers and also Dell's appliances and networking equipment. In advisories, the server makers have advised customers to investigate hypervisors, OSes and middleware for possible vulnerabilities.

Some HP servers use OpenSSL for encryption and secure communication, and the company is conducting an "aggressive and comprehensive review of all actively supported products" for exposure to the Heartbleed bug, an HP support page said. The security updates are available for free to all customers, an HP spokesman said in an email on Monday.

HP on Sunday issued patches for some versions of server management tools BladeSystem c-Class Onboard Administrator, Smart Update Manager and the System Management Homepage running OpenSSL on Linux and Windows.

HP last week said it had not yet identified networking equipment affected by Heartbleed, but would continue investigating products.

Dell's PowerEdge servers and OpenManage system management products are not likely affected by Heartbleed. But in a comprehensive Heartbleed advisory, Dell identified system management, security appliances and networking equipment affected by the bug.

Dell is working on patches for the Kace K3000 mobile-device management appliance, some Foglight network appliances and networking equipment running on Dell's Networking Operating System (FTOS). The company has already issued firmware patches for affected SonicWall security appliances, and the advisory page on Dell's website will be updated when fixes for more products are released.

IBM has found the Heartbleed bug affecting AIX servers, which use OpenSSL to implement communication across clusters via the TLS (Transport Security Layer) protocol. OpenSSL also enables SSL (Secure Sockets Layer) for secure communication over the Internet.

IBM has issued an OpenSSL patch for servers that shipped with AIX 6.1 OS with the TL9 protocol and AIX 7.1 with the TL3 protocol. IBM is also recommending upgrading to the new OpenSSL version on GPFS (General Parallel File System) versions 3.4 and V3.5 for AIX and Linux for Power and x86 servers. Software including WebSphere MQ, Sametime Community Server version 9 HF1 and Cloudant are affected by the Heartland bug.

IBM in an advisory suggested System Z server customers subscribe to the System z Security Portal for the latest patches and software updates.

Agam Shah covers PCs, tablets, servers, chips and semiconductors for IDG News Service. Follow Agam on Twitter at @agamsh. Agam's e-mail address is agam_shah@idg.com