How to remediate the Apache Log4j vulnerabilities CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 within Control-M?
Issues:
A zero-day exploit for the following vulnerabilities was publicly released:
CVE-2021-44228 (code named Log4Shell) on December 9th, 2021
CVE-2021-45046 on December 14th, 2021
CVE-2021-45105 on December 18th, 2021
Updated December 29, 2021
A detailed description of the vulnerabilities can be found here: Apache Log4j Security Vulnerabilities.
Follow the BMC Security Advisory Note on BMC Community for continuous updates and details about this issue.
Ensure you are subscribed to Proactive Notifications at bmc.com to be notified of future updates about this vulnerability.
Control-M products NOT affected:
Control-M Advanced File Transfer
Control-M Application Pack
Control-M Agents for Tandem, Unisys and AS/400
All INCONTROL for z/OS family of products
Control-D/WebAccess Server, Control-D Delivery Server, Control-D Agents
Control-M Conversion Tool
Control-M/Enterprise Manager Workload Automation client
Control-M/Enterprise Manager Control-M Configuration (CCM) client
Control-M Plug-ins (see last table below)
Control-M products AFFECTED:
See the following tables
The following table lists the affected components in version 9.0.21:
The following table lists the affected components in version 9.0.20:
9.0.19 Components
The following table lists the affected components in version 9.0.19:
9.0.18 Components
The following table lists the affected components in version 9.0.18:
Control-M Plug-ins
The following table lists the plug-ins that are not affected by this vulnerability:
Note: After remediation, an upgrade to a higher-level Fix Pack or Version (below 9.0.21) overwrites the remediated Log4j libraries, so the same remediation steps must be repeated after the upgrade.
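One way to check for the situation in the Note above after an upgrade, as an added example that is not BMC's remediation procedure or code: the script walks a directory, finds log4j-core jars, and flags any whose version predates the releases that fix all three CVEs (2.17.0, 2.12.3 and 2.3.1, per the Apache Log4j security page). The directory argument and the status names are assumptions made for illustration.

```python
import os
import re
import sys
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"
# First releases that fix CVE-2021-44228, -45046 and -45105, per release line
# (Apache Log4j security page): 2.17.0 (Java 8), 2.12.3 (Java 7), 2.3.1 (Java 6).
FIXED = {(2, 3): (2, 3, 1), (2, 12): (2, 12, 3)}
DEFAULT_FIXED = (2, 17, 0)
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(text):
    """Return (major, minor, patch) for the first version-like token, else None."""
    m = VERSION_RE.search(text)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def inspect_jar(path):
    """Report version, JndiLookup presence and status for one log4j-core jar."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            raw = zf.read(MANIFEST) if MANIFEST in names else b""
    except (zipfile.BadZipFile, OSError):
        return {"path": path, "version": None, "jndi_lookup": None, "status": "unreadable"}
    # Prefer the version in the file name; fall back to the jar manifest.
    version = parse_version(os.path.basename(path)[len("log4j-core"):])
    if version is None:
        m = re.search(r"Implementation-Version:\s*(\S+)", raw.decode("utf-8", "replace"))
        version = parse_version(m.group(1)) if m else None
    if version is None:
        status = "unknown-version"
    elif version >= FIXED.get(version[:2], DEFAULT_FIXED):
        status = "ok"
    else:
        status = "repeat-remediation"  # an older library is present (again)
    return {"path": path, "version": version,
            "jndi_lookup": JNDI_CLASS in names, "status": status}

def scan(root):
    """Inspect every log4j-core*.jar below root, sorted by path."""
    jars = [os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs
            if f.lower().startswith("log4j-core") and f.lower().endswith(".jar")]
    return [inspect_jar(p) for p in sorted(jars)]

if __name__ == "__main__":
    for f in scan(sys.argv[1]):  # argument: installation directory to check
        print(f["status"], f["version"], "JndiLookup=%s" % f["jndi_lookup"], f["path"])
```

The scan does not open jars nested inside WAR or other archive files, so those need to be unpacked or checked separately.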