TrueSight Smart Reporting - Platform (TSSR-Platform) - How to mitigate Log4j vulnerabilities CVE-2021-44228 (Log4Shell) and CVE-2021-45046?

This article provides permanent mitigation for the following vulnerabilities: 

• CVE-2021-44228 (code named Log4Shell) on December 9th, 2021
• CVE-2021-45046 on December 14th, 2021

A detailed description of the vulnerabilities can be found here: Apache Log4j Security Vulnerabilities.

Due to the severity of these vulnerabilities, you must apply the hotfix as soon as possible after it is released by BMC.

BMC has released the following Security Advisory about log4shell vulnerability. This Security Advisory will be updated regularly as additional information is available:
Security Advisory Page

This Knowledge Article is specific to how Log4Shell (CVE-2021-44228) and CVE-2021-45046 affect the TrueSight Smart Reporting - Platform (TSSR-Platform) product and how it can be mitigated.

Last Update Date/Time:  Friday 01/04/2021 2pm EST

1) Which versions of TSSR-Platform are vulnerable to CVE-2021-44228 (Log4Shell) and CVE-2021-45046?

• TSSR-Platform 20.02.02

Note: The following versions of TSSR-Platform use Log4j 1.x and are not vulnerable to CVE-2021-44228 and CVE-2021-45046:

• TSSR-Platform 20.02.01
• TSSR-Platform 20.02
• TSSR-Platform 19.X

2) Solution
Refer to the steps provided in the documentation link below to mitigate the vulnerabilities in TSSR-Platform 20.02.02:
https://docs.bmc.com/docs/tssr2002/mitigating-the-apache-log4j-vulnerabilities-cve-2021-44228-and-cve-2021-45046-1050916057.html

Note: The provided log4j module is 2.17.1. Therefore, also mitigates the possibility of having vulnerabilities CVE-2021-45105 and CVE-2021-44832.

Contact BMC Customer Support with any questions or issues.