How to mitigate vulnerability CVE-2021-44228 in BMC Helix Control-M?

How to mitigate vulnerability CVE-2021-44228 in BMC Helix Control-M?

Knowledge Article

Article Number

000391398

Old Article Number

Article Type

Solutions to a Product Problem

Title

How to mitigate vulnerability CVE-2021-44228 in BMC Helix Control-M?

Summary

Product

BMC Helix Control-M

Component

Helix Control-M Agent

Applies to

BMC Helix Control-M ; Control-M SaaS Agent version 9.0.20.080 and 9.0.20.180

Problem

Updated December 29, 2021

This article has been superseded, please reference knowledge article 000392052 for remediation steps.

How to mitigate vulnerability CVE-2021-44228 in BMC Helix Control-M?

Helix Control-M Components

The following table lists the vulnerability status of components in Helix Control-M:

Component	Vulnerable	Immediate Mitigation
Helix Control-M/Agent including all Plug-ins	Yes	See steps below

BMC has taken immediate actions on the platform to remediate the issue.

Cause

CVE-2021-44228

Solution

Linux:

Login as the Agent user
Shutdown the Control-M/Agent using your standard steps
Verify no Agent processes are running
Verify no jobs are running on the Agent
Download the Log4ShellApplicationsUnix.tar file from the following location into the Agent users home directory
- https://bmc-ctm-saas-prod-agent-log4j.s3.us-west-2.amazonaws.com/Log4ShellApplicationsUnix.tar
Extract the tar file with the command: tar -xvf Log4ShellApplicationsUnix.tar
cd ctmag-Log4jScanner
Run the following command to scan for vulnerabilities:
- ctmag-Log4jScanner.sh $HOME/bmcjava/bmcjava-V2 $CONTROLM > Log4jScannerOutput.txt
Run the following command to mitigate any vulnerabilities found:
- ctmag-Log4jScanner.sh $HOME/bmcjava/bmcjava-V2 $CONTROLM --fix

The following question is displayed:
This command will remove JndiLookup.class from log4j2-core binaries. Are you sure [y/N]?
Please answer Y and press enter

Start the Agent using your standard steps

Windows:

Login to the Control-M/Agent host
Download the Log4ShellApplicationsWindows.zip file from the following location into a temporary directory
- https://bmc-ctm-saas-prod-agent-log4j.s3.us-west-2.amazonaws.com/Log4ShellApplicationsWin.zip
Extract the zip file
Stop the Control-M/Agent service
Verify no Agent processes are running
Verify no jobs are running
Open a command prompt and navigate to the temporary directory
Run the following command to scan for vulnerabilities (adjust the path as needed):
- ctmag-Log4jScanner.bat "C:\Program Files\BMC Software\Control-M Common\bmcjava\bmcjava-V2\" "C:\Program Files\BMC Software\Control-M SaaS Agent\Default\" > Log4jScannerOutput.txt
Run the following command to mitigate any vulnerabilities found (adjust the path as needed):
- ctmag-Log4jScanner.bat "C:\Program Files\BMC Software\Control-M Common\bmcjava\bmcjava-V2\" "C:\Program Files\BMC Software\Control-M SaaS Agent\Default\" --fix
The following question is displayed:
This command will remove JndiLookup.class from log4j2-core binaries. Are you sure [y/N]?
Please answer Y and press enter
Start the Agent using your standard steps

Linux rollback steps:

Shutdown the Control-M/Agent using your standard steps
Open the Log4jScannerOutput.txt
For each file that was updated:
o Go to the relevant directory
o Rename the updated jar according to the list by running the command:
- mv <jar file> <jar file>.Log4Jupdate
Rename the backup jar to the original name:
- mv <jar file>.bak <jar file>
Start the Agent using your standard steps

Windows rollback steps:

Shutdown the Control-M/Agent using your standard steps
Open the Log4jScannerOutput.txt
For each file that was updated:
- Go to the relevant directory
- Rename the updated jar according to the list and add a suffix with “.Log4Jupdate”
- Rename the backup jar (.bak) to the original name
Start the Agent using your standard steps

Attachment(s):