Enterprise IT vendors are rushing to protect users from the Heartbleed bug, which has been found in some servers and networking gear and could allow attackers to steal critical data -- including passwords and encryption keys -- from the memory of exposed systems.
Hewlett-Packard, Dell, and IBM have set up pages that identify hardware and software products affected by Heartbleed, which exposes a critical defect in certain versions of OpenSSL, a software library for secure communication over the Internet and networks.
The bug, which was detailed last week, has already been patched in a new version of OpenSSL, but hardware companies are now racing to patch products relying on older versions. Firmware and software patches have been issued for HP's BladeSystems, IBM's AIX servers, and Dell's appliances and networking equipment. In advisories, the server makers have told customers to investigate hypervisors, OSes and middleware for possible vulnerabilities.
Some HP servers use OpenSSL for encryption and secure communication, and the company is conducting an "aggressive and comprehensive review of all actively supported products" for exposure to the Heartbleed bug, an HP support page said. The security updates are available for free to all customers, an HP spokesman said in an email on Monday.
HP on Sunday issued patches for some versions of server management tools BladeSystem c-Class Onboard Administrator, Smart Update Manager and the System Management Homepage running OpenSSL on Linux and Windows.
HP last week said it had not yet identified networking equipment affected by Heartbleed, but would continue investigating products.