How to mitigate vulnerability CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 in Control-M/Agent?

NOTE:
Control-M/Agent processes are not exposed to the vulnerabilities.

The vulnerability has been found in one of the Control-M/Agent's toolbox options which is only used for troubleshooting purposes. It is not part of the Agent's main processes and therefore does not get executed if you do not run the toolbox utility manually. The vulnerable option is Control-M Toolbox -> Agent help Tools -> (3) System Monitoring.
This toolbox option does not start any service or open any port for external communication so it cannot be accessed by an external user. Only a user who is logged in to the system can access this toolbox utility and it cannot be triggered from outside of the system. This toolbox option is run for a very limited time according to the parameters given.
========================================================================================


Use one of the following three options to address this issue:

Option A: Use the attached scripts, and run directly on the Agent host to delete the vulnerable files  (Permanent solution)

Option B: Use Control-M Embedded Script type job(s) to delete the vulnerable files (Permanent solution)

Option C: Use Operating system commands to manually delete the vulnerable files (Permanent solution)

Option D: Run the BMC log4jScanner (Immediate mitigation) 
This option addresses CVE-2021-44228 and CVE-2021-45046 only. BMC recommends option A or B or C


Additional Information:
1) These options will not affect Agent functionality or the execution of jobs.

2) The scanning tool may flag the JNDIManager class as a vulnerability.  This is as false positive. According to Apache deleting JNDIManager class is not part of the vulnerability mitigation. 
Once the JNDILookup class has been deleted the vulnerability is removed.

3) Applies only to Option D:  When the ctmag-Log4jScanner is executed, every jar that is vulnerable is backed up in its directory with the suffix .bak. The product is not using jar files with the suffix .bak.  A static scan may issue a warning for the backup files as a CVE-2021-44228 security threat, even though the threat has been addressed. To prevent this warning, you can move the .bak files flagged in the report to a different location.  It is recommended that these files be preserved so the ability to roll back is available if required.

For release 9.0.21:

Control-M/Agent 9.0.21 <Control-M/Agent Home>/toolbox/Usage_Measurement.jar does not contain log4j-core files.
Therefore release 9.0.21 is not vulnerable.

Verify the Usage_Measurement.jar file has no log4j-core files with the following command:
Linux / Unix 

jar tvf $CONTROLM/toolbox/Usage_Measurement.jar | grep log4j-core

Windows

jar tvf %CONTROLM%\toolbox\Usage_Measurement.jar | findstr log4j-core

NOTE: If 9.0.21 was upgraded from a previous version and the below remediation steps were not performed, or the backed up vulnerable files were not removed, please refer to the section Deleting vulnerable files backed up by the upgrade procedure.

For release 9.0.20 and below: 

Option A: Use the attached scripts, and run directly on the Agent host to delete the vulnerable files  (Permanent solution)

• Download the rm_log4j.sh (Unix/Linux) or rm_log4j.bat (Windows) scripts from this article
• Unix/Linux
  • Copy the downloaded rm_log4j.sh to the $HOME directory of the Control-M/Agent user
  • Make the script executable with the command:  chmod +x rm_log4j.sh
  • Run the script from $HOME to remove the files:   ./rmlog4j.sh
• Windows
  • Copy the downloaded rm_log4j.bat to to the home directory of the Control-M/Agent (for example, "C:\Program Files\BMC Software\Control-M Agent\Default")
  • Open a command prompt as Administrator and navigate to the home directory
  • Run the script:  rm_log4j.bat 

Note:

• If the output does not list any files, no Usage_Measurement.jar files were deleted
• The script can be run multiple times with out issue.

Option B: Use Control-M Embedded Script type job(s) to delete the vulnerable files (Permanent solution)

Login to the Control-M Workload Automation Client
In the Planning domain, open a blank workspace
Drag a new OS job into the workspace
Change the what drop down to "Embedded Script"
In the Script text area add the following script:

#!/bin/sh

# Copyright 2021 BMC Software Inc.

id=`id | sed 's/uid=//' | sed 's/(.*//'`
if [ ${id} -eq 0 ] ; then
	echo "Run script from Agent account only."
	exit 1
fi

dirs="$HOME $CONTROLM"

for dir in ${dirs} ; do
	find $dir -name "Usage_Measurement.jar*" -exec \rm -f {} \; -print
done

echo "Done!"

Set the "File Name" to em_log4j.sh
Set the "Run As" as the account where the Control-M Agent is installed Login to the Control-M Workload Automation Client
In the Planning domain, open a blank workspace
Drag a new OS job into the workspace
Change the what drop down to "Embedded Script"
In the Script text area add the following script:

@echo off
rem Copyright 2021 BMC Software Inc.

set start_path=%1
if not [%start_path%] == [] cd %start_path%

del /s /f Usage_Measurement.jar* 2> nul
echo "Done!"

Set the "File Name" to em_log4j.bat
If the Control-M/Agent(s) parameter Logon As User is set to Y, set the "Run As" to a Run As user account defined for the Agent(s) that has permissions to delete files under the Agent install directory. If Logon As User is set to N, the job will run as the Control-M Agent service.
Option C: Use Operating system commands to manually delete the vulnerable files (Permanent solution)

Unix/Linux:
Login as the Control-M/Agent account
Navigate to the below directories to run the following command 

   <Agent home directory>/ctm/toolbox
   <Agent home directory>/BMCINSTALL/uninstal/<DRKAI.9.0.19.XXX/backup_area/ctm/toolbox/
   <Agent home directory>/BMCINSTALL/uninstal/<DRKAI.9.0.20.XXX/backup_area/ctm/toolbox/

For example:  

cd /home/ctmagent/ctm/toolbox  
or 
cd /home/BMCINSTALL/uninstal/DRKAI.9.0.20.000/backup_area/ctm/toolbox

Delete the Usage_Measurement.jar file with the following command:

rm -f Usage_Measurement.jar


Windows:

Open Windows Explorer
Navigate to the directories:

  <Agent home directory>\toolbox
  <Agent home directory>\BMCINSTALL\uninstall\DRKAI.9.0.19.XXX\backup_area\toolbox
  <Agent home directory>\BMCINSTALL\uninstall\DRKAI.9.0.20.XXX\backup_area\toolbox

For example:

C:\Program Files\BMC Software\Control-M Agent\Default\toolbox

C:\Program Files\BMC Software\Control-M Agent\Default\BMCINSTALL\uninstall\DRKAI.9.0.20.100\backup_area\toolbox

Delete the file Usage_Measurement.jar

Note: There is no need to restart Control-M Agent after deleting the Usage_Measurement.jar file.
Option D: Run the BMC log4jScanner (Immediate mitigation) 

Linux/Unix:

• Login as the Agent user
• It´s not required to shutdown the Control-M/Agent to apply these steps
• Download the Log4ShellApplicationsUnix.tar file attached to this article
• Extract the tar file with the command: tar -xvf Log4ShellApplicationsUnix.tar to a temporary folder
• Run the following command to scan for vulnerabilities:
  • ctmag-Log4jScanner.sh <Java home>  $CONTROLM > Log4jScannerOutput.txt
  • ctmag-Log4jScanner.sh <Java home>  $HOME/BMCINSTALL/uninstall/DRKAI*/backup_area  > Log4jScannerOutput2.txt

NOTE_ If the $HOME directory is a link, you should specify the physical path
NOTE - Java home path change between Control-M versions -

9.0.19 - $HOME/ctm/JRE
9.0.20 & 9.0.20.100 - $HOME/bmcjava/bmcjava-V2
9.0.20.200 - $HOME/bmcjava/bmcjava-V3

Log output example -

***** Start scanner in SCAN mode *****

target Path is : /home/ctmuser/ctm_agent/ctm
BMC Vulnerability Scanner
Scanning directory: /home/ctmuser/ctm_agent/ctm
Running scan (11s): scanned 332 directories, 1963 files, last visit: /home/ctmuser/ctm_agent/ctm/cm/AP/apweb-920000/webapps/dispatcher-920000/WEB-INF/spring
[*] Found CVE-2021-44228 vulnerability in /home/ctmuser/ctm_agent/ctm/toolbox/Usage_Measurement.jar, log4j 2.11.0

Scanned 394 directories and 2761 files
Found 1 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 11.71 seconds

--------

***** Start scanner in SCAN mode *****

target Path is : /home/ctmuser/BMCINSTALL/uninstall/DRKAI.9.0.20.000/backup_area
BMC Vulnerability Scanner
Scanning directory: /home/ctmuser/BMCINSTALL/uninstall/DRKAI.9.0.20.000/backup_area
[*] Found CVE-2021-44228 vulnerability in /home/ctmuser/BMCINSTALL/uninstall/DRKAI.9.0.20.000/backup_area/ctm/toolbox/Usage_Measurement.jar, log4j 2.11.0

Scanned 10 directories and 107 files
Found 1 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 0.06 seconds

NOTE - Following warning can be ignored -

Scan error: 'malformed input off : 60, length : 1' on file: XXXXXXXXXXXX

 

• Run the following command to mitigate any vulnerabilities found:
  • ctmag-Log4jScanner.sh <java home>  $CONTROLM --fix
  • ctmag-Log4jScanner.sh <java_home> $HOME/BMCINSTALL/uninstall/DRKAI*/backup_area --fix

The following question is displayed:
This command will remove JndiLookup.class from log4j2-core binaries. Are you sure [y/N]?
Please answer Y and press enter

Output examples:

ctmag-Log4jScanner.sh $HOME/bmcjava/bmcjava-V2  $CONTROLM --fix

***** Start scanner in --fix mode *****

target Path is : null
target Path is : /home/ctmuser/ctm_agent/ctm
This command will remove JndiLookup.class from log4j2-core binaries. Are you sure [y/N]? y
BMC Vulnerability Scanner
Scanning directory: /home/ctmuser/ctm_agent/ctm
Running scan (8s): scanned 289 directories, 1793 files, last visit: /home/ctmuser/ctm_agent/ctm/cm/AP/apweb-920000/webapps/cmHadoop-920000/WEB-INF/spring
[*] Found CVE-2021-44228 vulnerability in /home/ctmuser/ctm_agent/ctm/toolbox/Usage_Measurement.jar, log4j 2.11.0 (mitigated)

Scanned 394 directories and 2762 files
Found 0 vulnerable files
Found 0 potentially vulnerable files
Found 1 mitigated files
Fixed 0 vulnerable files
Completed in 11.64 seconds


ctmag-Log4jScanner.sh $HOME/bmcjava/bmcjava-V2 $HOME/BMCINSTALL/uninstall/DRKAI*/backup_area --fix

***** Start scanner in --fix mode *****

target Path is : null
target Path is : /home/ctmuser/BMCINSTALL/uninstall/DRKAI.9.0.20.000/backup_area
This command will remove JndiLookup.class from log4j2-core binaries. Are you sure [y/N]? y
BMC Vulnerability Scanner
Scanning directory: /home/ctmuser/BMCINSTALL/uninstall/DRKAI.9.0.20.000/backup_area
[*] Found CVE-2021-44228 vulnerability in /home/ctmuser/BMCINSTALL/uninstall/DRKAI.9.0.20.000/backup_area/ctm/toolbox/Usage_Measurement.jar, log4j 2.11.0

Fixed: /home/ctmuser/BMCINSTALL/uninstall/DRKAI.9.0.20.000/backup_area/ctm/toolbox/Usage_Measurement.jar

Scanned 10 directories and 107 files
Found 1 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Fixed 1 vulnerable files
Completed in 2.02 seconds
 

• Start the Agent using your standard steps

It´s highly recommended once completed the steps above, to scan $HOME with following command:

ctmag-Log4jScanner.sh <Java home>  $HOME 

NOTE: If running against a ONEINSTALL Control-M/Agent, the scan may flag Control-M/Server or Control-M/Enterprise Manager vulnerabilities that need to be mitigated, please refer to the knowledge article 
https://bmcsites.force.com/casemgmt/sc_KnowledgeArticle?sfdcid=000391322

Windows:

• Login to the Control-M/Agent host
• Download the Log4ShellApplicationsWindows.zip file attached to this article
• Extract the zip file
• It´s not required to shutdown the Control-M/Agent to apply these steps
• Open a command prompt and navigate to the temporary directory
• Run the following command to scan for vulnerabilities (adjust the path as needed):
  • ctmag-Log4jScanner.bat "<java home>" "C:\Program Files\BMC Software\Control-M Agent" >  Log4jScannerOutput.txt
• NOTE - Java home path change between Control-M versions -
  
  9.0.19 - "C:\Program Files\BMC Software\Control-M Agent\Default\JRE
  9.0.20 & 9.0.20.100 - C:\Program Files\BMC Software\Control-M Common\bmcjava\bmcjava-V2
  9.0.20.200 - C:\Program Files\BMC Software\Control-M Common\bmcjava\bmcjava-V3

Output example - 

C:\tmp\Log4ShellApplicationsWin>ctmag-Log4jScanner.bat "C:\Program Files\BMC Software\Control-M Agent\Default\JRE" "C:\Program Files\BMC Software\Control-M Agent"
2
"***** Start scanner *****"
ECHO is off.
target Path is : C:\Program Files\BMC Software\Control-M Agent
BMC Vulnerability Scanner
Scanning directory: C:\Program Files\BMC Software\Control-M Agent
[*] Found CVE-2021-44228 vulnerability in C:\Program Files\BMC Software\Control-M Agent\Default\BMCINSTALL\uninstall\DRKAI.9.0.19.200\backup_area\toolbox\Usage_Measurement.jar, log4j 2.11.0
Running scan (10s): scanned 749 directories, 4656 files, last visit: C:\Program Files\BMC Software\Control-M Agent\Default\CM\AP\apweb-919000\webapps\dispatcher-919000\WEB-INF\spring
[*] Found CVE-2021-44228 vulnerability in C:\Program Files\BMC Software\Control-M Agent\Default\toolbox\Usage_Measurement.jar, log4j 2.11.0

Scanned 1350 directories and 9890 files
Found 2 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 11.47 seconds

• Run the following command to mitigate any vulnerabilities found (adjust the path as needed):
  • ctmag-Log4jScanner.bat "java home" "C:\Program Files\BMC Software\Control-M Agent"  --fix
• The following question is displayed:
  This command will remove JndiLookup.class from log4j2-core binaries. Are you sure [y/N]?
  Please answer Y and press enter

Output example -

ctmag-Log4jScanner.bat "C:\Program Files\BMC Software\Control-M Agent\Default\JRE" "C:\Program Files\BMC Software\Control-M Agent"  --fix
3
"***** Start scanner *****"
ECHO is off.
target Path is : null
target Path is : C:\Program Files\BMC Software\Control-M Agent
This command will remove JndiLookup.class from log4j2-core binaries. Are you sure [y/N]? y
BMC Vulnerability Scanner
Scanning directory: C:\Program Files\BMC Software\Control-M Agent
[*] Found CVE-2021-44228 vulnerability in C:\Program Files\BMC Software\Control-M Agent\Default\BMCINSTALL\uninstall\DRKAI.9.0.19.200\backup_area\toolbox\Usage_Measurement.jar, log4j 2.11.0
Running scan (8s): scanned 654 directories, 4233 files, last visit: C:\Program Files\BMC Software\Control-M Agent\Default\CM\AP\apweb-919000\webapps\cmAzure-919000\WEB-INF\spring
[*] Found CVE-2021-44228 vulnerability in C:\Program Files\BMC Software\Control-M Agent\Default\toolbox\Usage_Measurement.jar, log4j 2.11.0

Fixed: C:\Program Files\BMC Software\Control-M Agent\Default\BMCINSTALL\uninstall\DRKAI.9.0.19.200\backup_area\toolbox\Usage_Measurement.jar
Fixed: C:\Program Files\BMC Software\Control-M Agent\Default\toolbox\Usage_Measurement.jar

Scanned 1350 directories and 9890 files
Found 2 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Fixed 2 vulnerable files
Completed in 23.84 seconds


Linux/Unix rollback steps:

• Open the Log4jScannerOutput.txt or Log4jScannerOutput2.txt
• For each file that was updated:
  o    Go to the relevant directory
  o    Rename the updated jar according to the list by running the command:
  • mv <jar file> <jar file>.Log4Jupdate
•  Rename the backup jar to the original name:
  • mv <jar file>.bak <jar file>
• Windows rollback steps:
• Open the Log4jScannerOutput.txt or Log4jScannerOutput2.txt
• For each file that was updated:
  • Go to the relevant directory
  • Rename the updated jar according to the list and add a suffix with “.Log4Jupdate”
  • Rename the backup jar (.bak) to the original name

Deleting vulnerable files backed up by the upgrade procedure
If 9.0.21 was upgraded from a previous version and the above remediation steps were not performed, or the backed up vulnerable files were not removed after remediation, the vulnerable files will be backed up to the BMCINSTALL/uninstall/<product code> directory

When you are sure that roll back is no longer needed to restore the original files or to ensure that backed up files are not picked up by some a later security scan, delete the Usage_Measurement.jar file.