Tenable has updated the products to address this issue. Please see the product-specific instructions below:
Tenable has released Nessus version 5.2.7 for the supported operating systems and architectures. This version bundles the updated OpenSSL library (1.0.0m), which is not affected.
To update your Nessus installation, follow these steps:
- Download the appropriate installation file to the system hosting Nessus or Nessus Enterprise, available at the Tenable Support Portal (https://support.tenable.com/support-center/index.php?x=&mod_id=200).
- Stop the Nessus service.
- Install according to your operating system procedures.
- Restart the Nessus service.
Tenable has released a patch for all supported versions of SecurityCenter that addresses this vulnerability. The following patches apply OpenSSL 1.0.1h, which is not affected:
The patch can be obtained from:
SecurityCenter 4.8.1 patches:
SecurityCenter 4.7.1 patches:
SecurityCenter 184.108.40.206 patches:
Note that the original patches included in this advisory have been deprecated in favor of a newer set of patches listed above that fixes additional issues covered in TNS-2014-04.
Tenable has released PVS version 4.0.3 for the supported operating systems and architectures. This version bundles the updated OpenSSL library (1.0.0m), which is not affected. Upgrade information can be found at:
The updated version of PVS can be obtained from:
Tenable has released a patch for lce_report_proxyd for 4.2.x versions of the Log Correlation Engine (LCE) that addresses this vulnerability (note that 4.0.2 is supported, but not vulnerable). This patch applies OpenSSL 1.0.0m, which is not affected. The patch can be obtained from:
To install the patch:
# /sbin/service lce_report_proxy stop
# cp --preserve /opt/lce/daemons/lce_report_proxyd /opt/lce/daemons/lce_report_proxyd_422
# cp ~/lce_report_proxyd__ /opt/lce/daemons/lce_report_proxyd
# chown root:root /opt/lce/daemons/lce_report_proxyd
# chmod 6750 /opt/lce/daemons/lce_report_proxyd
# /sbin/service lce_report_proxy start
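A post-install check for the procedure above, as an added example that is not part of Tenable's advisory: it reads the OpenSSL version banner embedded in a binary and compares it with the releases this advisory names as not affected (1.0.0m and 1.0.1h). The function names are hypothetical, and it assumes the binary carries the usual "OpenSSL <version> <date>" string.

```shell
#!/bin/sh
# Added example: confirm which OpenSSL release a patched binary bundles.
# Minimum releases come from this advisory: 1.0.0m and 1.0.1h.

# Print the first embedded OpenSSL version in a file, e.g. "1.0.0m".
# Assumption: the binary contains the banner "OpenSSL <version> <date>".
embedded_openssl_version() {
    LC_ALL=C grep -a -o 'OpenSSL [0-9]\.[0-9]\.[0-9][a-z]*' "$1" 2>/dev/null |
        head -n 1 | cut -d' ' -f2
}

# Classify a version string as "patched", "outdated" or "unknown".
# Only the two branches named in the advisory are judged.
openssl_patch_status() {
    ver=$1
    case "$ver" in
        1.0.0*) min=m ;;
        1.0.1*) min=h ;;
        *) echo unknown; return 0 ;;
    esac
    suffix=${ver#1.0.?}              # letter suffix; empty for a base release
    case "$suffix" in
        *[!a-z]*) echo unknown; return 0 ;;   # betas and other odd suffixes
    esac
    # The suffix is at least the minimum when the minimum sorts first.
    lowest=$(printf '%s\n%s\n' "$suffix" "$min" | LC_ALL=C sort | head -n 1)
    if [ "$lowest" = "$min" ]; then echo patched; else echo outdated; fi
}

# Combine both steps for one file.
check_binary() {
    found=$(embedded_openssl_version "$1")
    if [ -z "$found" ]; then echo unknown; return 0; fi
    openssl_patch_status "$found"
}

# Stand-alone use: pass one or more binaries as arguments.
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(check_binary "$f")"
done
```

Run it against the replaced daemon and against the backup copy made in the second step; the two results should differ if the patch took effect.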
Tenable has made version 2.8.1 available, which includes updated OpenSSL 1.0.1h files for the bundled SecurityCenter 4.8.1, PVS 4.0.3, Nessus 5.2.7, and corrected operating system binaries.
Please note that TNS-2014-14 also contains patch information relevant to this installation.