How to mitigate vulnerability CVE-2021-44228 in Control-M SaaS?

Knowledge Article

How to mitigate vulnerability CVE-2021-44228 in Control-M SaaS?
Control-M SaaS
Control-M SaaS Agent
Control-M SaaS ; Control-M SaaS Agent version 9.0.20.080 and 9.0.20.180

Updated December 29, 2021

This article has been superseded, please reference knowledge article 000392052 for remediation steps.

How to mitigate vulnerability CVE-2021-44228 in Control-M SaaS?


Control-M SaaS Components


The following table lists the vulnerability status of components in Helix Control-M:

ComponentVulnerableImmediate Mitigation
Control-M SaaS Agent including all Plug-ins
Yes
See steps below

 

BMC has taken immediate actions on the platform to remediate the issue.
CVE-2021-44228
Linux:
  • Login as the Agent user
  • Shutdown the Control-M/Agent using your standard steps
  • Verify no Agent processes are running
  • Verify no jobs are running on the Agent
  • Download the Log4ShellApplicationsUnix.tar file from the following location into the Agent users home directory
  • Extract the tar file with the command: tar -xvf Log4ShellApplicationsUnix.tar
  • cd ctmag-Log4jScanner
  • Run the following command to scan for vulnerabilities:
    • ctmag-Log4jScanner.sh $HOME/bmcjava/bmcjava-V2  $CONTROLM > Log4jScannerOutput.txt
  • Run the following command to mitigate any vulnerabilities found:
    • ctmag-Log4jScanner.sh $HOME/bmcjava/bmcjava-V2  $CONTROLM --fix
The following question is displayed:
This command will remove JndiLookup.class from log4j2-core binaries. Are you sure [y/N]?
Please answer Y and press enter
  • Start the Agent using your standard steps
Windows:
  • Login to the Control-M/Agent host
  • Download the Log4ShellApplicationsWindows.zip file from the following location into a temporary directory
  • Extract the zip file
  • Stop the Control-M/Agent service
  • Verify no Agent processes are running
  • Verify no jobs are running
  • Open a command prompt and navigate to the temporary directory
  • Run the following command to scan for vulnerabilities (adjust the path as needed):
    • ctmag-Log4jScanner.bat "C:\Program Files\BMC Software\Control-M Common\bmcjava\bmcjava-V2\" "C:\Program Files\BMC Software\Control-M SaaS Agent\Default\" >  Log4jScannerOutput.txt
  • Run the following command to mitigate any vulnerabilities found (adjust the path as needed):
    • ctmag-Log4jScanner.bat "C:\Program Files\BMC Software\Control-M Common\bmcjava\bmcjava-V2\" "C:\Program Files\BMC Software\Control-M SaaS Agent\Default\" --fix
  • The following question is displayed:
    This command will remove JndiLookup.class from log4j2-core binaries. Are you sure [y/N]?
    Please answer Y and press enter
  • Start the Agent using your standard steps
Linux rollback steps:
  • Shutdown the Control-M/Agent using your standard steps
  • Open the Log4jScannerOutput.txt
  • For each file that was updated:
    o    Go to the relevant directory
    o    Rename the updated jar according to the list by running the command:
    • mv <jar file> <jar file>.Log4Jupdate
  •  Rename the backup jar to the original name:
    • mv <jar file>.bak <jar file>
  • Start the Agent using your standard steps
Windows rollback steps:
  • Shutdown the Control-M/Agent using your standard steps
  • Open the Log4jScannerOutput.txt
  • For each file that was updated:
    • Go to the relevant directory
    • Rename the updated jar according to the list and add a suffix with “.Log4Jupdate”
    • Rename the backup jar (.bak) to the original name
  • Start the Agent using your standard steps
Control-M SaaS
Control-M SaaS Agent
Control-M SaaS ; Control-M SaaS Agent version 9.0.20.080 and 9.0.20.180
Control-M SaaS
Control-M SaaS Agent
Control-M SaaS ; Control-M SaaS Agent version 9.0.20.080 and 9.0.20.180
Attachment(s):