How to remediate the Apache Log4j vulnerabilities CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 within Control-M?

Knowledge Article

How to remediate the Apache Log4j vulnerabilities CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 within Control-M?
Control-M/Enterprise Manager
Control-M/Enterprise Manager
Control-M distributed products ; version 9.0.18, 9.0.19, 9.0.20, 9.0.21
Control-M/Enterprise Manager
Control-M/Enterprise Manager
Control-M distributed products ; version 9.0.18, 9.0.19, 9.0.20, 9.0.21 
How to remediate the Apache Log4j vulnerabilities CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 within Control-M?

Issues:
A zero-day exploit for the following vulnerabilities was publicly released: 

CVE-2021-44228 (code named Log4Shell) on December 9th, 2021
CVE-2021-45046 on December 14th, 2021
CVE-2021-45105 December 18th, 2021
Updated December 29, 2021

A detailed description of the vulnerabilities can be found here: Apache Log4j Security Vulnerabilities.

Follow the BMC Security Advisory Note on BMC Community for continuous updates and details about this issue.


Ensure you are subscribed to Proactive Notifications at bmc.com to be notified of future updates about this vulnerability.

Control-M products NOT affected:
Control-M Advanced File Transfer
Control-M Application Pack
Control-M Agents for Tandem, Unisys and AS/400
All INCONTROL for z/OS family of products
Control-D/WebAccess Server, Control-D Delivery Server, Control-D Agents
Control-M Conversion Tool
Control-M/Enterprise Manager Workload Automation client
Control-M/Enterprise Manager Control-M Configuration (CCM) client
Control-M Plug-ins (see last table below)

Control-M products AFFECTED:
See the following tables
 
9.0.21 Components
The following table lists the affected components in version 9.0.21:
ComponentVulnerableAdditional Information
Control-M/EM server
Control-M Add-ons
No
See 000392046 regarding information about backup files from previous versions
Control-M/ServerNoSee 000392048 regarding information about backup files from previous versions
Control-M/AgentNoSee 000391425 regarding information about backup files from previous versions
Control-M MFTNo
See 000392051 regarding information about backup files from previous versions
Control-M MFTE GatewayNo
See 000392051 regarding information about backup files from previous versions
Control-M Automation APINoSee 000392194 regarding information about backup files from previous versions

9.0.20 Components
The following table lists the affected components in version 9.0.20:
ComponentVulnerableLog4J2 Remediation
Control-M/EM server
Control-M Add-ons
Yes
See 000392046
Control-M/ServerYesSee 000392048
Control-M/AgentYesSee options A & B in 000391425 for remediation options
Control-M MFTYes
See 000392051
Control-M MFTE GatewayYes
See 000392051
Control-M Automation APIYesSee 000392194
 

9.0.19 Components

The following table lists the affected components in version 9.0.19:
ComponentVulnerableLog4J2 Remediation
Control-M/EM server
Control-M Add-ons
Yes
See 000392046
Control-M/ServerYesSee 000392048
Control-M/AgentYesSee options A & B in 000391425 for remediation options
Control-M MFTYes
See 000392051
Control-M MFTE GatewayYes
See 000392051
 

9.0.18 Components

The following table lists the affected components in version 9.0.18:
ComponentVulnerableLog4J2 Remediation
Control-M/EM server
Control-M Add-ons
Yes
See 000392046
Control-M/ServerYesSee 000392048
Control-M MFTYes
See 000392051
Control-M MFTE GatewayYesSee 000392051
Control-M/AgentNoVersion 9.0.18 Control-M/Agent is not affected
 

Control-M Plug-ins

The following table lists the plug-ins that are not affected by this vulnerability:
ComponentVulnerable
Control-M for Oracle RetailNo
Control-M for Oracle BI
 		No
Control-M for PeopleSoft
 		No
Control-M for SAP
 		No
Control-M for Oracle E-Business Suite
 		No
Control-M for Web Services, Java and Messaging
 		No
Control-M for CloudNo
Control-M for Cognos
 		No
Control-M for IBM InfoSphere DataStage
 		No
Control-M for SAP Business ObjectsNo
Control-M for AFTNo

Note: After remediation, when upgrading to a higher level Fix Pack or a Version (below 9.0.21), these same remediation steps need to be repeated. An upgrade to a higher release will overwrite the log4j remediated libraries and therefore the remediation procedure needs to be repeated.
 
Control-M/Enterprise Manager
Control-M/Enterprise Manager
Control-M distributed products ; version 9.0.18, 9.0.19, 9.0.20, 9.0.21
Attachment(s):