How to mitigate Log4j vulnerabilities CVE-2021-44228 (Log4Shell) and CVE-2021-45046 in TrueSight Smart Reporting - Operations Management (TSSR-Operations Management)?
1) Which versions of TSSR-Operations Management are vulnerable to CVE-2021-44228 (Log4Shell) and CVE-2021-45046?
2) Solution:

Refer to the steps provided in the documentation link below to mitigate the vulnerabilities in TSSR-Operations Management 11.3.02:
https://docs.bmc.com/docs/pages/viewpage.action?pageId=1050915765

The EPD fix resolves the vulnerability detected in <install_location>/appserver/webapps/ROOT/WEB-INF/lib.

To fix the vulnerability detected in smartreporting.war, deploy the hotfix described in the following article:
https://community.bmc.com/s/article/TrueSight-Smart-Reporting-Operations-Management-Apache-Log4j-vulnerability-CVE-2021-44832-found-in-smartreporting-war-file

The correct order to fix CVE-2021-44228 (Log4Shell) and CVE-2021-45046 is to apply the EPD hotfix first and then the smartreporting.war file fix.

Note: The provided log4j module is 2.17.1, which therefore also mitigates CVE-2021-45105 and CVE-2021-44832.

Contact BMC Customer Support with any questions or issues.

A detailed description of the vulnerabilities can be found here: Apache Log4j Security Vulnerabilities. Follow the BMC Security Advisory Note on BMC Community for continuous updates and details about this issue.
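As an added verification step (example code written for this page, not BMC's own tooling), the script below inventories log4j-core jars under an install tree, both loose in WEB-INF/lib and packed inside WAR files such as smartreporting.war, and flags any still older than the 2.17.1 module the hotfixes ship, so both fix locations named above can be checked after applying the EPD fix and the WAR fix. It assumes the jars follow the standard log4j-core-<version>.jar naming; the paths and version threshold come from this article.

```python
import io
import os
import re
import zipfile

FIXED_VERSION = (2, 17, 1)  # log4j version shipped by the hotfixes described in the article
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")  # assumed upstream naming

def version_from_name(name):
    """(major, minor, patch) from a log4j-core jar file name, or None if not log4j-core."""
    m = JAR_RE.search(name)
    return tuple(int(x) for x in m.groups()) if m else None

def scan_archive(data, label):
    """List (location, version) for log4j-core jars inside an archive such as smartreporting.war."""
    found = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:  # not a zip container; nothing to look inside
        return found
    with zf:
        for entry in zf.namelist():
            ver = version_from_name(entry)
            if ver:
                found.append((f"{label}!{entry}", ver))
            elif entry.endswith((".jar", ".war", ".ear")):  # nested archive: recurse
                found.extend(scan_archive(zf.read(entry), f"{label}!{entry}"))
    return found

def scan_tree(root):
    """Walk root (e.g. <install_location>) and return [(location, version)] for every log4j-core jar."""
    found = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            ver = version_from_name(f)
            if ver:
                found.append((path, ver))
            elif f.endswith((".war", ".ear")):  # deployed archive; look inside
                with open(path, "rb") as fh:
                    found.extend(scan_archive(fh.read(), path))
    return found

def unfixed(findings):
    """Findings still older than 2.17.1, i.e. locations the hotfixes have not reached."""
    return [(loc, ver) for loc, ver in findings if ver < FIXED_VERSION]

if __name__ == "__main__":
    import sys  # usage: python check_log4j.py <install_location>
    for loc, ver in sorted(scan_tree(sys.argv[1])):
        print("OK       " if ver >= FIXED_VERSION else "NEEDS FIX", ".".join(map(str, ver)), loc)
```

Run it once before and once after the two fixes; the post-fix run should report no NEEDS FIX entries for either WEB-INF/lib or smartreporting.war.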