[R8] Tenable Products Affected by OpenSSL 'CCS Injection' Vulnerability

Related Vulnerabilities: CVE-2014-0224  

Synopsis

Multiple products from Tenable Network Security are vulnerable to the recently disclosed OpenSSL 'CCS Injection' vulnerability as they bundle affected versions of the software.

The OpenSSL vulnerability is due to a flaw in the handshake process. With a carefully crafted handshake, a remote attacker can force the client or server to use weak keying material. This can then be leveraged to conduct a Man-in-the-Middle (MitM) attack, allowing for the decryption or modification of traffic between the victim client and server. This affects the HTTPS web interface of Nessus, SecurityCenter, and PVS, and the proxy server of LCE.

Note that while the CVSS score is 6.8 (Medium), it typically leads to a considerably more severe impact. Both Nessus and PVS currently have plugins that will detect this vulnerability.

Solution

Tenable has updated the products to address this issue. Please see the product-specific instructions below:

Nessus

Tenable has released version 5.2.7 that corresponds to the supported operating systems and architectures. This version bundles the updated OpenSSL library (1.0.0m), which is not affected.

To update your Nessus installation, follow these steps:

  1. Download the appropriate installation file to the system hosting Nessus or Nessus Enterprise, available at the Tenable Support Portal (https://support.tenable.com/support-center/index.php?x=&mod_id=200)
  2. Stop the Nessus service.
  3. Install according to your operating system procedures.
  4. Restart the Nessus service.

SecurityCenter

Tenable has released a patch for all supported versions of SecurityCenter that addresses this vulnerability. The following patches apply OpenSSL 1.0.1h, which is not affected:

http://static.tenable.com/prod_docs/upgrade_security_center.html

The patch can be obtained from:

https://support.tenable.com/support-center/index.php?x=&mod_id=160

SecurityCenter 4.8.1 patches:

File                        md5sum
sc4.8.1-rh6-64.tgz          4ad4fb7bee4546d4c3a59b3ae3da39a6
sc4.8.1-rh6-32.tgz          7a9b66ac070bb322d9eb9127beedab57
sc4.8.1-rh5-64.tgz          003fd53de9d56568d3c29e08c93bcb90
sc4.8.1-rh5-32.tgz          639d867aee00d05f10d71c35ea5683bc

SecurityCenter 4.7.1 patches:

File                        md5sum
sc4.7.1-rh6-64.tgz          0c23ec8403b4f865953eb5aca6248f16
sc4.7.1-rh6-32.tgz          31e802c05658d9e363174cdaca5461ac
sc4.7.1-rh5-64.tgz          d88d8e5842122da166fcb45ccda01233
sc4.7.1-rh5-32.tgz          3e9f009924e692aeae0e795c74b17a2f

SecurityCenter 4.6.2.2 patches:

File                            md5sum
sc4.6.2.2-rh6-64.tgz            4df5e9904c58a881fa01ca5ac6c52dde
sc4.6.2.2-rh6-32.tgz            c014d0258a8af365e5cd609741ea8aab
sc4.6.2.2-rh5-64.tgz            fd160d7edb47a00a015624048b941583
sc4.6.2.2-rh5-32.tgz            ca22c43ca32b9bc6698c3cc2300ef8f7

Note that the original patches included in this advisory have been deprecated in favor of a newer set of patches listed above that fixes additional issues covered in TNS-2014-04.

PVS

Tenable has released version 4.0.3 that corresponds to the supported operating systems and architectures. This version bundles the updated OpenSSL library (1.0.0m), which is not affected. Upgrade information can be found at:

http://static.tenable.com/prod_docs/upgrade_pvs.html

The updated version of PVS can be obtained from:

https://support.tenable.com/support-center/index.php?x=&mod_id=170

File                        md5sum
pvs-4.0.3-es5.i386.rpm      4ada80893dbe51d65f12231ab025f145
pvs-4.0.3-es5.x86_64.rpm    a6f9b1cc7c4ce29b48b1d1a1e593e4a6
pvs-4.0.3-es6.i686.rpm      3300f2a74750ab1f7c3fe29910d24975
pvs-4.0.3-es6.x86_64.rpm    5980cda1958ed8e9507b74aefd23e2fc
pvs-4.0.3-i386.exe          9b53139d6542e893fc5464819bb64dc5
pvs-4.0.3-x64.exe           73e877ba0a83cffa6c5ce56aac2607fc
pvs-4.0.3-osx.dmg           7d7cc3679a00ea67a79a742c90361f52

LCE

Tenable has released a patch for lce_report_proxyd for 4.2.x versions of the Log Correlation Engine (LCE) that addresses this vulnerability (note that 4.0.2 is supported, but not vulnerable). This patch applies OpenSSL 1.0.0m, which is not affected. The patch can be obtained from:

https://support.tenable.com/support-center/index.php?x=&mod_id=180

Patches

File                            md5sum
lce_report_proxyd_el5_i386      00d7710fd58e4cc0299a5c21b2307e5c
lce_report_proxyd_el5_x86_64    6ce1006d6a5774e5a74a8953b184708a
lce_report_proxyd_el6_i386      3ad6cd53dbfd86e4003a32bd23889349
lce_report_proxyd_el6_x86_64    4a759371025b7520bfb90b496bfe1e53

To install a patch:

# /sbin/service lce_report_proxy stop
# cp --preserve /opt/lce/daemons/lce_report_proxyd /opt/lce/daemons/lce_report_proxyd_422
# cp ~/lce_report_proxyd__ /opt/lce/daemons/lce_report_proxyd
# chown root:root /opt/lce/daemons/lce_report_proxyd
# chmod 6750 /opt/lce/daemons/lce_report_proxyd
# /sbin/service lce_report_proxy start
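
Added example, not part of Tenable's advisory: a pre-install check that compares a downloaded lce_report_proxyd patch against the md5sum table above, to be run before the cp step so that a wrong or corrupted download never replaces the daemon. The function names and the optional MANIFEST override variable are hypothetical; the file names and digests are the ones listed in this advisory.

```shell
#!/bin/sh
# Added example (not Tenable's): check a downloaded lce_report_proxyd patch
# against the advisory's md5sum table before it replaces the daemon.

# File names and digests copied from the "Patches" table above.
advisory_manifest() {
cat <<'EOF'
lce_report_proxyd_el5_i386 00d7710fd58e4cc0299a5c21b2307e5c
lce_report_proxyd_el5_x86_64 6ce1006d6a5774e5a74a8953b184708a
lce_report_proxyd_el6_i386 3ad6cd53dbfd86e4003a32bd23889349
lce_report_proxyd_el6_x86_64 4a759371025b7520bfb90b496bfe1e53
EOF
}

# lookup_md5 NAME: print the published digest for NAME, fail if not listed.
# MANIFEST (assumption: optional override file in the same "name md5"
# format) lets the check be exercised without the real binaries.
lookup_md5() {
    if [ -n "${MANIFEST:-}" ]; then cat "$MANIFEST"; else advisory_manifest; fi |
        awk -v n="$1" '$1 == n { print $2; found = 1 } END { exit !found }'
}

# verify_patch FILE
#   0 = digest matches, 1 = mismatch, 2 = name not in table, 3 = unreadable
verify_patch() {
    name=$(basename "$1")
    want=$(lookup_md5 "$name") || { echo "not in advisory: $name" >&2; return 2; }
    [ -r "$1" ] || { echo "cannot read: $1" >&2; return 3; }
    got=$(md5sum "$1" | awk '{ print $1 }')
    if [ "$got" != "$want" ]; then
        echo "md5 mismatch for $name: got $got, want $want" >&2
        return 1
    fi
    echo "ok: $name"
}
```

Call it as `verify_patch ~/lce_report_proxyd_el6_x86_64 || exit 1` (substituting the file downloaded for your platform) and continue with the install steps only on a zero exit status.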

Tenable Appliance

Tenable has made version 2.8.1 available, which includes updated OpenSSL 1.0.1h files for the bundled SecurityCenter 4.8.1, PVS 4.0.3, Nessus 5.2.7, and corrected operating system binaries.

Please note that TNS-2014-14 also contains patch information relevant to this installation.