For release 9.0.21:
Control-M/Enterprise Manager is released with log4j version 2.17.1.
Therefore release 9.0.21 is not vulnerable.
Verify the log4j version by checking for the following files:
Linux / Unix Example:
./ctm_em/archive/jars/dependency-jars/log4j-core-2.17.1.jar
./ctm_em/etc/emweb/tomcat/webapps/emThriftAPI/WEB-INF/lib/log4j-core-2.17.1.jar
./ctm_em/etc/emweb/tomcat/webapps/services-proxy/WEB-INF/lib/log4j-core-2.17.1.jar
./ctm_em/etc/emweb/tomcat/webapps/ClientSSO/WEB-INF/lib/log4j-core-2.17.1.jar
./ctm_em/etc/emweb/tomcat/webapps/ClientDeployServices/WEB-INF/lib/log4j-core-2.17.1.jar
./ctm_em/classes/log4j-core-2.17.1.jar
NOTE: If 9.0.21 was upgraded from a previous version and the remediation steps below were not performed, or the backed-up vulnerable files were not removed, refer to the section Deleting vulnerable files backed up by the upgrade procedure.
For release 9.0.20 and below:
For all supported Control-M/Enterprise Manager versions and related Fix Packs, use the following steps.
After applying this solution, Log4j v2 is upgraded to version 2.17.0, resolving the above-mentioned vulnerabilities.
The following process must be run on all distributed Control-M/Enterprise Manager environments, as well as on the primary and secondary nodes of High Availability installations.
Note: If Control-M Workflow Insights is later activated on the primary Control-M/Enterprise Manager and on one or more secondary Insights installations, the Log4j scan and remediation steps below must be re-run on the primary EM host and on the secondary hosts, even if they were run previously.
Note: When EM_XXXXXX_Remediate_Log4J is executed, every jar that contains a vulnerable version of Log4j v2 is backed up in its own directory with the suffix ".bak" and then upgraded to Log4j 2.17.0.
The utility can be executed as many times as required to confirm the vulnerabilities are fixed.
Unix / Linux:
- Log in as the Control-M/Enterprise Manager account
- Download the EM_And_Server_Remediate_Log4J.tar file attached to this article, into the EM user home directory.
- Extract the tar file with the command: tar -xvf EM_And_Server_Remediate_Log4J.tar
- cd EM_And_Server_Remediate_Log4J
- Stop Enterprise Manager processes by running the following commands:
em ctl -mcs -C Config_Agent -all -cmd shutdown
stop_config_agent
em sca shutdown -f (versions 9.0.19 and 9.0.20 ONLY)
- Run the following commands to scan for vulnerabilities:
em EM_Unix_Remediate_Log4J $HOME/ctm_em >> Log4jScannerOutput.txt
em EM_Unix_Remediate_Log4J $HOME/BMCINSTALL >> Log4jScannerBMCINSTALLOutput.txt
Output example from Log4jScannerOutput.txt -
target Path is: /home/emuser
BMC Vulnerability Scanner
Scanning directory: /home/emuser
[*] Found CVE-2021-44228 vulnerability in /home/emuser/ctm_em/etc/bim/mticket/log4j-core-2.11.2.jar, log4j 2.11.2
...
Scanned XXXX directories and XXXXX files
Found XX vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 66.32 seconds
Note:
1. The following warning can be ignored:
Skipping broken jar file XXXXXXXX.zip ('MALFORMED')
2. If the scan result is 0 directories and 0 files, check whether $HOME resolves to a symbolic link path; if it does, use the absolute path instead.
- Run the following commands to replace any vulnerabilities found:
em EM_Unix_Remediate_Log4J --replace $HOME/ctm_em
em EM_Unix_Remediate_Log4J --replace $HOME/BMCINSTALL
- The following question is displayed:
- This command will replace log4j2 binaries to a newer version. Are you sure [y/N]
- Press Y and press enter
NOTE: To run the replacement in non-interactive mode, add the --force flag, e.g.:
em EM_Unix_Remediate_Log4J --replace --force $HOME/ctm_em
Review the Output summary received and make sure the vulnerable files were fixed
Output example -
Scanned XXXX directories and XXXXX files
Found X vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Replaced X files
Note: The log4j-api and log4j-slf jars may also be replaced to keep the log4j dependencies consistent; this is reflected in the Replaced files count.
Note: On AIX, if the following error appears, apply these steps:
Error: Cannot fix file (Java heap space). rollback original file
<EM home directory>/services/classes/controlm-web.war
Run the command: cd <EM home directory>/services/classes/
Run the command: rm -rf controlm-web.war.bak
Note: Run the scanner again to verify the vulnerabilities are fixed
- Start Enterprise Manager by running the command: start_all
Windows:
- Login on the Control-M/Enterprise Manager host
- Download the EM_And_Server_Windows_Remediate_Log4J.zip file attached to this article, into a temporary directory.
- Extract the file into the temporary directory.
- Open a command prompt as administrator and navigate to the C:\Program Files\BMC Software\Control-M EM\Default\bin directory
- Stop Enterprise Manager processes by running the following commands:
- Run the command: ctl -mcs -C Config_Agent -all -cmd shutdown
- Run the command: emsca shutdown -f (versions 9.0.19 and 9.0.20 ONLY)
- Stop the Control-M/Enterprise Manager Configuration Agent service (if not already stopped)
- Navigate to the temporary directory where you extracted the EM_And_Server_Windows_Remediate_Log4J.zip
- Run the following command to scan for vulnerabilities:
EM_Windows_Remediate_Log4J "%EM_HOME%" >> Log4jScannerOutput.txt
Output example from Log4jScannerOutput.txt -
Scanning directory: C:\Program Files\BMC Software\Control-M EM\Default
[*] Found CVE-2021-44228 vulnerability in C:\Program Files\BMC Software\Control-M EM\Default\bim\mticket\log4j-core-2.11.2.jar, log4j 2.11.2
...
Scanned XXXXX directories and XXXXXX files
Found XX vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 198.67 seconds
- Run the following command to replace any vulnerabilities found:
EM_Windows_Remediate_Log4J --replace "%EM_HOME%"
- The following question is displayed:
- This command will replace log4j2 binaries to a newer version. Are you sure [y/N]?
- Answer Y and press enter
NOTE: To run the replacement in non-interactive mode, add the --force flag, e.g.:
EM_Windows_Remediate_Log4J --replace --force "%EM_HOME%"
Review the Output summary received and make sure the vulnerable files were fixed
Output example -
Scanned XXXX directories and XXXX files
Found X vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Replaced X files
Note: The log4j-api and log4j-slf jars may also be replaced to keep the log4j dependencies consistent; this is reflected in the Replaced files count.
Note: Run the scanner again to verify the vulnerabilities are fixed
Start the Control-M/Enterprise Manager Configuration Agent service
Unix / Linux rollback steps:
- If the log4j-api and log4j-slf files were updated, include them in the following rollback steps
- Stop Enterprise Manager with the same steps from above
- Open the Log4jScannerOutput.txt in the log4jScanner directory
- For each file that was updated:
• Go to the relevant directory
• Rename the updated jar according to the list by running the command:
mv <jar file> <jar file>.Log4Jupdate
• Rename the backup jar to the original name:
mv <jar file>.bak <jar file>
- Start Enterprise Manager by running the command: start_all
Windows rollback steps:
- If the log4j-api and log4j-slf files were updated, include them in the following rollback steps.
- Stop the Control-M/Enterprise Manager Configuration Agent service
- Open the Log4jScannerOutput.txt found in the temporary directory where the patch was downloaded
- For each file that was updated:
• Go to the relevant directory
• Rename the updated jar according to the list and add a suffix with: .Log4Jupdate
• Rename the backup jar (.bak) to the original name
- Start the Control-M/Enterprise Manager Configuration Agent service
Deleting vulnerable files backed up by the remediation procedure and upgrade procedure
After applying the security vulnerability remediation procedure above, the original vulnerable files are kept on disk with a ".bak" extension in case a rollback is needed.
When you are sure that a rollback is no longer needed to restore the original files, or to ensure that the backed-up files are not picked up by a later security scan, use one of the following procedures to keep the files from being detected:
1. Password-compress the backed-up files. The list of backed-up files can be found in the Uninstall rollback procedure above.
2. Move the files to a safe location where the security scan will not detect them.
Deleting vulnerable files backed up by the upgrade procedure
If 9.0.21 was upgraded from a previous version and the above remediation steps were not performed, or the backed-up vulnerable files were not removed after remediation, the vulnerable files are backed up to the BMCINSTALL/uninstall/<product code> directory.
When you are sure that a rollback is no longer needed to restore the original files, or to ensure that the backed-up files are not picked up by a later security scan, use one of the following procedures to keep the files from being detected:
1. Password-compress the backed-up files. The list of backed-up files can be found in the Uninstall rollback procedure above.
2. Move the files to a safe location where the security scan will not detect them.
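The following script is an added example, not BMC's remediation utility and not part of this article. It automates two checks the article describes by hand: the log4j-core jar version check from the 9.0.21 section, and the search for leftover ".bak" backups that the remediation procedure leaves on disk and that the cleanup sections above say a later scan may pick up. It assumes the jar file name carries the version (as in log4j-core-2.11.2.jar) and that backups use the ".bak" suffix; the directory paths are assumptions.

```shell
#!/bin/sh
# Added example, not BMC's utility: walk an EM installation tree and report
# every log4j-core jar whose filename version is below MIN_LOG4J, plus any
# ".jar.bak" backup the remediation utility left beside a replaced jar.
# Assumptions: the jar name carries the version (log4j-core-2.11.2.jar) and
# backups use the ".bak" suffix described in the article.
MIN_LOG4J="2.17.0"

# version_lt A B -> returns 0 when dotted version A is strictly lower than B
version_lt() {
    va="$1." vb="$2."
    while [ -n "$va" ] || [ -n "$vb" ]; do
        x=${va%%.*}; va=${va#*.}; x=${x%%[!0-9]*}; x=${x:-0}
        y=${vb%%.*}; vb=${vb#*.}; y=${y%%[!0-9]*}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# check_log4j_dir DIR -> prints one line per jar; returns 0 only when every
# log4j-core jar is at or above MIN_LOG4J and no .bak backup remains,
# 1 when something still needs attention, 2 when nothing was found at all
# (the article's hint: check whether $HOME resolves through a symlink).
check_log4j_dir() {
    report=$(find "$1" -type f \( -name 'log4j-core-*.jar' -o -name '*.jar.bak' \) 2>/dev/null |
        while IFS= read -r f; do
            case "$f" in
                *.jar.bak)
                    printf 'BACKUP     %s (old jar still on disk)\n' "$f" ;;
                *)
                    ver=${f##*/log4j-core-}; ver=${ver%.jar}
                    if version_lt "$ver" "$MIN_LOG4J"; then
                        printf 'VULNERABLE %s (log4j %s < %s)\n' "$f" "$ver" "$MIN_LOG4J"
                    else
                        printf 'OK         %s (log4j %s)\n' "$f" "$ver"
                    fi ;;
            esac
        done)
    if [ -z "$report" ]; then
        echo "no log4j-core jars found under $1 (check the path)"
        return 2
    fi
    printf '%s\n' "$report"
    # clean only if no line other than "OK ..." was produced
    ! printf '%s\n' "$report" | grep -qv '^OK '
}

# Typical use on an installed system: check_log4j_dir "$HOME/ctm_em"
```

The filename check complements rather than replaces the scanner, which inspects jar contents; run it on both $HOME/ctm_em and $HOME/BMCINSTALL, as the article does for the scanner.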