Tenable has created four archives and they correspond to the supported operating systems and architectures. Each archive contains an updated .so file and an install script that will upgrade OpenSSL to 1.0.1h, which is not affected.
To apply the appropriate patch, follow these steps:
- Download the appropriate patch to the system hosting SecurityCenter. Files are named OpenSSL-patch--.tgz. We recommend you put it in /tmp or its own folder.
- Untar the patch archive, for example: # tar zxf sc4.7.1-rh6-64.tgz
Run the install script: # ./install.sh
The archives are:
SecurityCenter 4.8.1 patches:
SecurityCenter 4.7.1 patches:
SecurityCenter 18.104.22.168 patches:
Note that the original patches included in this advisory have been deprecated in favor of a newer set of patches listed above that fixes additional issues covered in TNS-2014-04.
Which can be downloaded from:
SecurityCenter Download Page (https://support.tenable.com/support-center/index.php?x=&mod_id=160)
To patch the Tenable Appliance please download the file from:
Tenable Appliance Download Page (https://support.tenable.com/support-center/index.php?x=&mod_id=230)
To apply the patch update, navigate to the Administration tab. Then from the Update Appliance section, click on Choose file, browse to the location where the update file archive was saved, and click on "Apply Update".
Note that the original patch included in this advisory (SC-OpenSSL-patch.tar.gz [c33e5d2bafb5679103384688200dddd3]) has been deprecated in favor of a newer patch that fixes additional issues covered in TNS-2014-04.
If you also deploy Nessus, PVS, or LCE, note that those programs are not affected by this issue. Both Nessus and PVS have plugins that will detect this vulnerability.