How to remediate the Apache Log4j vulnerabilities CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 within Control-M?

Issues: A zero-day exploit for the following vulnerabilities was publicly released:
- CVE-2021-44228 (code named Log4Shell) on December 9th, 2021
- CVE-2021-45046 on December 14th, 2021
- CVE-2021-45105 on December 18th, 2021
Updated December 29, 2021
A detailed description of the vulnerabilities can be found here: Apache Log4j Security Vulnerabilities.

Follow the BMC Security Advisory Note on BMC Community for continuous updates and details about this issue. Ensure you are subscribed to Proactive Notifications at bmc.com to be notified of future updates about this vulnerability.

Control-M products NOT affected:
- Control-M Advanced File Transfer
- Control-M Application Pack
- Control-M Agents for Tandem, Unisys and AS/400
- All INCONTROL for z/OS family of products
- Control-D/WebAccess Server, Control-D Delivery Server, Control-D Agents
- Control-M Conversion Tool
- Control-M/Enterprise Manager Workload Automation client
- Control-M/Enterprise Manager Control-M Configuration (CCM) client
- Control-M Plug-ins (see last table below)

Control-M products AFFECTED: See the following tables

9.0.21 Components
The following table lists the affected components in version 9.0.21:
9.0.20 Components
The following table lists the affected components in version 9.0.20:
9.0.19 Components
The following table lists the affected components in version 9.0.19:
9.0.18 Components
The following table lists the affected components in version 9.0.18:
Control-M Plug-ins
The following table lists the plug-ins that are not affected by this vulnerability:
Note: After remediation, upgrading to a higher-level Fix Pack or Version (below 9.0.21) overwrites the remediated log4j libraries, so the same remediation steps need to be repeated after the upgrade.