What's the fix to resolve heartbleed vulnerability for VMTurbo? Our security folks are saying it's popping positive on network scans. We're running the latest version. I'll try searching the forums, but I thought I'd ask here as well.
Check the OS version. Log in to the command line of the VMTurbo Operations Manager using SSH (or directly to the console) with the credentials of user id: root and password: vmturbo (default, if you haven't changed it) and run the following command:
vmturbo:~ # cat /etc/SuSE-release
You should see output which looks like this:
openSUSE 12.3 (x86_64) VERSION = 12.3 CODENAME = Dartmouth
NOTE: If your output differs in any way, please do not continue with these instructions because you are likely running an older version and/or older platform of Operations Manager
Next, check the OpenSSL version:
vmturbo:~ # rpm -qa | grep openssl
You should see output which might look like this:
If your output shows a version less than 1.0.1e-1.44.1.x86_64, your system is vulnerable and you should follow the instructions below to update it as soon as possible.
After verifying the OS and OpenSSL versions, please download the offline update from:
This update contains only the updated OpenSSL libraries. It will not change the build number of your existing Operations Manager.
Instructions for applying an offline
http://your_appliance_URL_or_IP/update.html
Here is an example: http://10.10.172.27/update.html
** It is recommended that you use Firefox, Chrome or Internet Explorer 10 to perform this update.
2. If you are using the preferred browsers mentioned above you will see this page:
Last step: vmturbo:~ # reboot
NOTE: The openSUSE project uses slightly different version numbers for OpenSSL. The OpenSSL version for openSUSE that contains the fix is 1.0.1e-1.44.1. You may see posted at various sites including heartbleed.com that all versions up to and including 1.0.1f of OpenSSL are vulnerable and that version 1.0.1g is required for the fix, which do not map exactly to OpenSSL packaged with openSUSE.
Note that last bit about the version numbering. It's possible that the network scan being done is not aware of OpenSuSE's alternative version numbering and is comparing the version to "1.0.1g" - correct for most Linux distributions, but not for OpenSuSE.
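To make the version-numbering point above concrete, here is an added example (not code from VMTurbo or from this thread) that parses `rpm -qa | grep openssl` output the way the check in the answer expects and compares each package against the openSUSE fixed build 1.0.1e-1.44.1, then shows what a scanner gets when it ignores the distro release number and compares only against upstream 1.0.1g. The sample `rpm -qa` lines are constructed, and the comparison is a simplified form of rpm's version ordering, not rpm's own code.

```python
import re
from typing import NamedTuple

# Fixed openSUSE 12.3 package as given in the answer above (version-release).
FIXED_VERSION = "1.0.1e"
FIXED_RELEASE = "1.44.1"

# Constructed sample of `rpm -qa | grep openssl` output; the devel package is
# deliberately one release behind so the check has something to find.
SAMPLE_RPM_QA = """\
openssl-1.0.1e-1.44.1.x86_64
libopenssl1_0_0-1.0.1e-1.44.1.x86_64
libopenssl1_0_0-32bit-1.0.1e-1.44.1.x86_64
libopenssl-devel-1.0.1e-1.22.1.x86_64
"""


class Package(NamedTuple):
    name: str
    version: str
    release: str
    arch: str


_SEGMENT = re.compile(r"(\d+|[A-Za-z]+)")


def suse_release_matches(suse_release_text):
    """Gate from the answer's first step: only proceed on openSUSE 12.3 x86_64."""
    first = suse_release_text.strip().splitlines()[0] if suse_release_text.strip() else ""
    return first.startswith("openSUSE 12.3 (x86_64)")


def parse_nvra(line):
    """Split 'name-version-release.arch' into parts; the name itself may contain '-'."""
    body, _, arch = line.strip().rpartition(".")
    name_ver, _, release = body.rpartition("-")
    name, _, version = name_ver.rpartition("-")
    if not (name and version and release and arch):
        raise ValueError(f"not an NVRA string: {line!r}")
    return Package(name, version, release, arch)


def rpmvercmp(a, b):
    """Simplified rpm version ordering: -1 if a < b, 0 if equal, 1 if a > b.
    Digit runs compare numerically, letter runs lexically, a numeric segment
    outranks an alphabetic one, and more segments outrank a prefix
    (so 1.0.1e < 1.0.1f and 1.44.1 > 1.22.1)."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return -1 if int(x) < int(y) else 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_vr(pkg, version, release):
    """Compare a package's version-release pair against a reference pair."""
    c = rpmvercmp(pkg.version, version)
    return c if c != 0 else rpmvercmp(pkg.release, release)


def vulnerable_packages(rpm_qa_output):
    """Names of installed openssl packages still below the openSUSE fixed build."""
    found = []
    for line in rpm_qa_output.splitlines():
        if line.strip():
            pkg = parse_nvra(line)
            if compare_vr(pkg, FIXED_VERSION, FIXED_RELEASE) < 0:
                found.append(pkg.name)
    return found


def naive_upstream_check(rpm_qa_output, upstream_fixed="1.0.1g"):
    """What a scanner that ignores the distro release number concludes: it
    compares only the upstream version to 1.0.1g, so a backported fix such
    as 1.0.1e-1.44.1 is still flagged. Returns the (false-positive) names."""
    flagged = []
    for line in rpm_qa_output.splitlines():
        if line.strip():
            pkg = parse_nvra(line)
            if rpmvercmp(pkg.version, upstream_fixed) < 0:
                flagged.append(pkg.name)
    return flagged


if __name__ == "__main__":
    print("below openSUSE fixed build:", vulnerable_packages(SAMPLE_RPM_QA))
    print("flagged by upstream-only comparison:", naive_upstream_check(SAMPLE_RPM_QA))
```

On the sample input the distro-aware check reports only `libopenssl-devel`, while the upstream-only comparison flags all four packages, which is the mismatch the comment above describes between a scanner expecting 1.0.1g and openSUSE's backported 1.0.1e-1.44.1 build.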