For release 9.0.21:
Control-M/Agent 9.0.21 <Control-M/Agent Home>/toolbox/Usage_Measurement.jar does not contain log4j-core files.
Therefore release 9.0.21 is not vulnerable.
Verify the Usage_Measurement.jar file has no log4j-core files with the following command:
Linux / Unix
jar tvf $CONTROLM/toolbox/Usage_Measurement.jar | grep log4j-core
Windows
jar tvf %CONTROLM%\toolbox\Usage_Measurement.jar | findstr log4j-core
NOTE: If 9.0.21 was upgraded from a previous version and the below remediation steps were not performed, or the backed up vulnerable files were not removed, please refer to the section Deleting vulnerable files backed up by the upgrade procedure.
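The check above inspects one file. As an added example (not BMC's script), the following read-only audit applies the same test to every Usage_Measurement.jar* copy under the directories you pass, including the backup_area copies the note above refers to. The function names and state labels are illustrative, and the byte search on entry names is a heuristic to be confirmed with jar tvf.

```shell
#!/bin/sh
# Added example, not BMC's script: read-only audit of Usage_Measurement.jar copies.

# List every copy (live, .bak, backup_area) under the given root directories.
list_usage_jars() {
    for root in "$@"; do
        if [ -d "$root" ]; then
            find "$root" -type f -name 'Usage_Measurement.jar*' -print
        fi
    done
}

# Classify one archive by the entry names visible in its bytes. ZIP stores
# entry names uncompressed, so grep can see them without a JDK on the host.
# Entries of jars nested inside the archive are not seen: treat the result
# as a heuristic and confirm hits with "jar tvf".
classify_jar() {
    if LC_ALL=C grep -Fq 'log4j/core/lookup/JndiLookup.class' "$1"; then
        echo jndilookup-present
    elif LC_ALL=C grep -Fq 'log4j-core' "$1"; then
        echo log4j-core-without-jndilookup
    else
        echo no-log4j-core
    fi
}

# Print "<state> <path>" for each copy; return non-zero if any copy still
# carries JndiLookup.class.
audit_usage_jars() {
    list_usage_jars "$@" | {
        rc=0
        while IFS= read -r jar; do
            state=$(classify_jar "$jar")
            printf '%s %s\n' "$state" "$jar"
            if [ "$state" = jndilookup-present ]; then rc=1; fi
        done
        [ "$rc" -eq 0 ]
    }
}

# Usage (directories as named on this page):
#   audit_usage_jars "$CONTROLM" "$HOME/BMCINSTALL/uninstall"
```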
For release 9.0.20 and below:
Option A: Use the attached scripts, and run directly on the Agent host to delete the vulnerable files (Permanent solution)
- Download the rm_log4j.sh (Unix/Linux) or rm_log4j.bat (Windows) scripts from this article
- Unix/Linux
- Copy the downloaded rm_log4j.sh to the $HOME directory of the Control-M/Agent user
- Make the script executable with the command: chmod +x rm_log4j.sh
- Run the script from $HOME to remove the files: ./rm_log4j.sh
- Windows
- Copy the downloaded rm_log4j.bat to the home directory of the Control-M/Agent (for example, "C:\Program Files\BMC Software\Control-M Agent\Default")
- Open a command prompt as Administrator and navigate to the home directory
- Run the script: rm_log4j.bat
Note:
- If the output does not list any files, no Usage_Measurement.jar files were deleted
- The script can be run multiple times without issue.
Option B: Use Control-M Embedded Script type job(s) to delete the vulnerable files (Permanent solution)
Unix/Linux:
Login to the Control-M Workload Automation Client
In the Planning domain, open a blank workspace
Drag a new OS job into the workspace
Change the "What" drop-down to "Embedded Script"
In the Script text area add the following script:
#!/bin/sh
# Copyright 2021 BMC Software Inc.
id=`id | sed 's/uid=//' | sed 's/(.*//'`
if [ ${id} -eq 0 ] ; then
    echo "Run script from Agent account only."
    exit 1
fi
dirs="$HOME $CONTROLM"
for dir in ${dirs} ; do
    find $dir -name "Usage_Measurement.jar*" -exec \rm -f {} \; -print
done
echo "Done!"
Set the "File Name" to em_log4j.sh
Set the "Run As" as the account where the Control-M Agent is installed
Note: multiple copies of this job may be required if Control-M/Agents on Unix/Linux platforms are installed under different usernames
Set the "Host/Host Group" as required
Note: The job can be scheduled against a hostgroup using the "Run job on all hosts in group" option if all agents in the host groups are installed using the same username, to reduce the number of jobs that must be defined
Set all other parameters as required by your organizational policies
Order the job(s)
The output of the job lists the files that were detected and removed. See the example output below:
++ sed 's/(.*//'
++ sed s/uid=//
++ id
+ id=1001
+ '[' 1001 -eq 0 ']'
+ dirs='/home/controlm /home/controlm/ctm_agent/ctm'
+ for dir in '${dirs}'
+ find /home/controlm -name 'Usage_Measurement.jar*' -exec rm -f '{}' ';' -print
/home/controlm/BMCINSTALL/uninstall/DRKAI.9.0.20.100/backup_area/ctm/toolbox/Usage_Measurement.jar
/home/controlm/ctm_agent/ctm/toolbox/Usage_Measurement.jar
+ for dir in '${dirs}'
+ find /home/controlm/ctm_agent/ctm -name 'Usage_Measurement.jar*' -exec rm -f '{}' ';' -print
+ echo 'Done!'
Done!
Note:
- If the output does not list any files, no Usage_Measurement.jar files were deleted
- The script can be run multiple times without issue.
Windows:
Login to the Control-M Workload Automation Client
In the Planning domain, open a blank workspace
Drag a new OS job into the workspace
Change the "What" drop-down to "Embedded Script"
In the Script text area add the following script:
@echo off
rem Copyright 2021 BMC Software Inc.
set start_path=%1
if not [%start_path%] == [] cd %start_path%
del /s /f Usage_Measurement.jar* 2> nul
echo "Done!"
Set the "File Name" to em_log4j.bat
If the Control-M/Agent(s) parameter Logon As User is set to Y, set the "Run As" to a Run As user account defined for the Agent(s) that has permissions to delete files under the Agent install directory. If Logon As User is set to N, the job will run as the Control-M Agent service.
Note: multiple copies of this job may be required if Control-M/Agents on Windows platforms require different Run As users
Set the "Host/Host Group" as required
Note: The job can be scheduled against a hostgroup using the "Run job on all hosts in group" option if all agents in the host groups are able to run with the same run as user
Set all other parameters as required by your organizational policies
Order the job(s)
The output of the job lists the files that were detected and removed. See the example output below:
Deleted file - C:\Program Files\BMC Software\Control-M Agent\Default\toolbox\Usage_Measurement.jar
"Done!"
Note:
- If the output does not list any files, no Usage_Measurement.jar files were deleted
- The script can be run multiple times without issue.
Option C: Use Operating system commands to manually delete the vulnerable files (Permanent solution)
Unix/Linux:
Login as the Control-M/Agent account
Navigate to the below directories to run the following command
<Agent home directory>/ctm/toolbox
<Agent home directory>/BMCINSTALL/uninstall/DRKAI.9.0.19.XXX/backup_area/ctm/toolbox/
<Agent home directory>/BMCINSTALL/uninstall/DRKAI.9.0.20.XXX/backup_area/ctm/toolbox/
For example:
cd /home/ctmagent/ctm/toolbox
or
cd /home/BMCINSTALL/uninstall/DRKAI.9.0.20.000/backup_area/ctm/toolbox
Delete the Usage_Measurement.jar file with the following command:
rm -f Usage_Measurement.jar
Windows:
Open Windows Explorer
Navigate to the directories:
<Agent home directory>\toolbox
<Agent home directory>\BMCINSTALL\uninstall\DRKAI.9.0.19.XXX\backup_area\toolbox
<Agent home directory>\BMCINSTALL\uninstall\DRKAI.9.0.20.XXX\backup_area\toolbox
For example:
C:\Program Files\BMC Software\Control-M Agent\Default\toolbox
C:\Program Files\BMC Software\Control-M Agent\Default\BMCINSTALL\uninstall\DRKAI.9.0.20.100\backup_area\toolbox
Delete the file Usage_Measurement.jar
Note: There is no need to restart Control-M Agent after deleting the Usage_Measurement.jar file.
Option D: Run the BMC log4jScanner (Immediate mitigation)
Linux/Unix:
- Login as the Agent user
- It's not required to shut down the Control-M/Agent to apply these steps
- Download the Log4ShellApplicationsUnix.tar file attached to this article
- Extract the tar file to a temporary folder with the command: tar -xvf Log4ShellApplicationsUnix.tar
- Run the following command to scan for vulnerabilities:
- ctmag-Log4jScanner.sh <Java home> $CONTROLM > Log4jScannerOutput.txt
- ctmag-Log4jScanner.sh <Java home> $HOME/BMCINSTALL/uninstall/DRKAI*/backup_area > Log4jScannerOutput2.txt
NOTE: If the $HOME directory is a link, you should specify the physical path
NOTE - Java home path change between Control-M versions -
9.0.19 - $HOME/ctm/JRE
9.0.20 & 9.0.20.100 - $HOME/bmcjava/bmcjava-V2
9.0.20.200 - $HOME/bmcjava/bmcjava-V3
Log output example -
***** Start scanner in SCAN mode *****
target Path is : /home/ctmuser/ctm_agent/ctm
BMC Vulnerability Scanner
Scanning directory: /home/ctmuser/ctm_agent/ctm
Running scan (11s): scanned 332 directories, 1963 files, last visit: /home/ctmuser/ctm_agent/ctm/cm/AP/apweb-920000/webapps/dispatcher-920000/WEB-INF/spring
[*] Found CVE-2021-44228 vulnerability in /home/ctmuser/ctm_agent/ctm/toolbox/Usage_Measurement.jar, log4j 2.11.0
Scanned 394 directories and 2761 files
Found 1 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 11.71 seconds
--------
***** Start scanner in SCAN mode *****
target Path is : /home/ctmuser/BMCINSTALL/uninstall/DRKAI.9.0.20.000/backup_area
BMC Vulnerability Scanner
Scanning directory: /home/ctmuser/BMCINSTALL/uninstall/DRKAI.9.0.20.000/backup_area
[*] Found CVE-2021-44228 vulnerability in /home/ctmuser/BMCINSTALL/uninstall/DRKAI.9.0.20.000/backup_area/ctm/toolbox/Usage_Measurement.jar, log4j 2.11.0
Scanned 10 directories and 107 files
Found 1 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 0.06 seconds
NOTE - The following warning can be ignored -
Scan error: 'malformed input off : 60, length : 1' on file: XXXXXXXXXXXX
- Run the following command to mitigate any vulnerabilities found:
- ctmag-Log4jScanner.sh <java home> $CONTROLM --fix
- ctmag-Log4jScanner.sh <java home> $HOME/BMCINSTALL/uninstall/DRKAI*/backup_area --fix
The following question is displayed:
This command will remove JndiLookup.class from log4j2-core binaries. Are you sure [y/N]?
Please answer Y and press enter
Output examples:
ctmag-Log4jScanner.sh $HOME/bmcjava/bmcjava-V2 $CONTROLM --fix
***** Start scanner in --fix mode *****
target Path is : null
target Path is : /home/ctmuser/ctm_agent/ctm
This command will remove JndiLookup.class from log4j2-core binaries. Are you sure [y/N]? y
BMC Vulnerability Scanner
Scanning directory: /home/ctmuser/ctm_agent/ctm
Running scan (8s): scanned 289 directories, 1793 files, last visit: /home/ctmuser/ctm_agent/ctm/cm/AP/apweb-920000/webapps/cmHadoop-920000/WEB-INF/spring
[*] Found CVE-2021-44228 vulnerability in /home/ctmuser/ctm_agent/ctm/toolbox/Usage_Measurement.jar, log4j 2.11.0 (mitigated)
Scanned 394 directories and 2762 files
Found 0 vulnerable files
Found 0 potentially vulnerable files
Found 1 mitigated files
Fixed 0 vulnerable files
Completed in 11.64 seconds
ctmag-Log4jScanner.sh $HOME/bmcjava/bmcjava-V2 $HOME/BMCINSTALL/uninstall/DRKAI*/backup_area --fix
***** Start scanner in --fix mode *****
target Path is : null
target Path is : /home/ctmuser/BMCINSTALL/uninstall/DRKAI.9.0.20.000/backup_area
This command will remove JndiLookup.class from log4j2-core binaries. Are you sure [y/N]? y
BMC Vulnerability Scanner
Scanning directory: /home/ctmuser/BMCINSTALL/uninstall/DRKAI.9.0.20.000/backup_area
[*] Found CVE-2021-44228 vulnerability in /home/ctmuser/BMCINSTALL/uninstall/DRKAI.9.0.20.000/backup_area/ctm/toolbox/Usage_Measurement.jar, log4j 2.11.0
Fixed: /home/ctmuser/BMCINSTALL/uninstall/DRKAI.9.0.20.000/backup_area/ctm/toolbox/Usage_Measurement.jar
Scanned 10 directories and 107 files
Found 1 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Fixed 1 vulnerable files
Completed in 2.02 seconds
- Start the Agent using your standard steps
Once the steps above are completed, it is highly recommended to scan $HOME with the following command:
ctmag-Log4jScanner.sh <Java home> $HOME
NOTE: If running against a ONEINSTALL Control-M/Agent, the scan may flag Control-M/Server or Control-M/Enterprise Manager vulnerabilities that need to be mitigated; please refer to the knowledge article
https://bmcsites.force.com/casemgmt/sc_KnowledgeArticle?sfdcid=000391322
Windows:
- Login to the Control-M/Agent host
- Download the Log4ShellApplicationsWindows.zip file attached to this article
- Extract the zip file
- It's not required to shut down the Control-M/Agent to apply these steps
- Open a command prompt and navigate to the temporary directory
- Run the following command to scan for vulnerabilities (adjust the path as needed):
- ctmag-Log4jScanner.bat "<java home>" "C:\Program Files\BMC Software\Control-M Agent" > Log4jScannerOutput.txt
- NOTE - Java home path change between Control-M versions -
9.0.19 - C:\Program Files\BMC Software\Control-M Agent\Default\JRE
9.0.20 & 9.0.20.100 - C:\Program Files\BMC Software\Control-M Common\bmcjava\bmcjava-V2
9.0.20.200 - C:\Program Files\BMC Software\Control-M Common\bmcjava\bmcjava-V3
Output example -
C:\tmp\Log4ShellApplicationsWin>ctmag-Log4jScanner.bat "C:\Program Files\BMC Software\Control-M Agent\Default\JRE" "C:\Program Files\BMC Software\Control-M Agent"
2
"***** Start scanner *****"
ECHO is off.
target Path is : C:\Program Files\BMC Software\Control-M Agent
BMC Vulnerability Scanner
Scanning directory: C:\Program Files\BMC Software\Control-M Agent
[*] Found CVE-2021-44228 vulnerability in C:\Program Files\BMC Software\Control-M Agent\Default\BMCINSTALL\uninstall\DRKAI.9.0.19.200\backup_area\toolbox\Usage_Measurement.jar, log4j 2.11.0
Running scan (10s): scanned 749 directories, 4656 files, last visit: C:\Program Files\BMC Software\Control-M Agent\Default\CM\AP\apweb-919000\webapps\dispatcher-919000\WEB-INF\spring
[*] Found CVE-2021-44228 vulnerability in C:\Program Files\BMC Software\Control-M Agent\Default\toolbox\Usage_Measurement.jar, log4j 2.11.0
Scanned 1350 directories and 9890 files
Found 2 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 11.47 seconds
- Run the following command to mitigate any vulnerabilities found (adjust the path as needed):
- ctmag-Log4jScanner.bat "<java home>" "C:\Program Files\BMC Software\Control-M Agent" --fix
- The following question is displayed:
This command will remove JndiLookup.class from log4j2-core binaries. Are you sure [y/N]?
Please answer Y and press enter
Output example -
ctmag-Log4jScanner.bat "C:\Program Files\BMC Software\Control-M Agent\Default\JRE" "C:\Program Files\BMC Software\Control-M Agent" --fix
3
"***** Start scanner *****"
ECHO is off.
target Path is : null
target Path is : C:\Program Files\BMC Software\Control-M Agent
This command will remove JndiLookup.class from log4j2-core binaries. Are you sure [y/N]? y
BMC Vulnerability Scanner
Scanning directory: C:\Program Files\BMC Software\Control-M Agent
[*] Found CVE-2021-44228 vulnerability in C:\Program Files\BMC Software\Control-M Agent\Default\BMCINSTALL\uninstall\DRKAI.9.0.19.200\backup_area\toolbox\Usage_Measurement.jar, log4j 2.11.0
Running scan (8s): scanned 654 directories, 4233 files, last visit: C:\Program Files\BMC Software\Control-M Agent\Default\CM\AP\apweb-919000\webapps\cmAzure-919000\WEB-INF\spring
[*] Found CVE-2021-44228 vulnerability in C:\Program Files\BMC Software\Control-M Agent\Default\toolbox\Usage_Measurement.jar, log4j 2.11.0
Fixed: C:\Program Files\BMC Software\Control-M Agent\Default\BMCINSTALL\uninstall\DRKAI.9.0.19.200\backup_area\toolbox\Usage_Measurement.jar
Fixed: C:\Program Files\BMC Software\Control-M Agent\Default\toolbox\Usage_Measurement.jar
Scanned 1350 directories and 9890 files
Found 2 vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Fixed 2 vulnerable files
Completed in 23.84 seconds
Linux/Unix rollback steps:
- Open the Log4jScannerOutput.txt or Log4jScannerOutput2.txt
- For each file that was updated:
  - Go to the relevant directory
  - Rename the updated jar according to the list by running the command:
    mv <jar file> <jar file>.Log4Jupdate
  - Rename the backup jar to the original name:
    mv <jar file>.bak <jar file>
Windows rollback steps:
- Open the Log4jScannerOutput.txt or Log4jScannerOutput2.txt
- For each file that was updated:
  - Go to the relevant directory
  - Rename the updated jar according to the list, adding the suffix ".Log4Jupdate"
  - Rename the backup jar (.bak) to the original name
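Both the --fix verification and the rollback steps work from captured scanner output. As an added example (not part of the BMC article or its scripts), the following helpers read such a capture and list which flagged jars were not fixed and which fixed jars have no .bak copy to roll back to. The line formats are taken from the sample output on this page; the function names and the third sample hit are constructed for illustration.

```shell
#!/bin/sh
# Added example, not BMC's tooling: summarize captured ctmag-Log4jScanner output.
# Line formats are copied from the sample output on this page.

# Paths reported as vulnerable (hits tagged "(mitigated)" are excluded).
flagged_paths() {
    sed -n 's/^\[\*\] Found CVE-2021-44228 vulnerability in \(.*\), log4j [0-9.]*$/\1/p' "$1"
}

# Paths the scanner reported as fixed in --fix mode.
fixed_paths() {
    sed -n 's/^Fixed: //p' "$1"
}

# Flagged paths with no matching "Fixed:" line: still to be remediated.
unfixed_paths() {
    flagged_paths "$1" | while IFS= read -r p; do
        fixed_paths "$1" | grep -Fxq -- "$p" || printf '%s\n' "$p"
    done
}

# Fixed paths whose "<jar file>.bak" copy is missing, which means the
# rollback command "mv <jar file>.bak <jar file>" cannot be run for them.
missing_backups() {
    fixed_paths "$1" | while IFS= read -r p; do
        [ -f "$p.bak" ] || printf '%s\n' "$p"
    done
}

# Constructed sample in the scanner's format; the last hit is invented
# to show a flagged file that was not fixed.
sample_output() {
    cat <<'EOF'
[*] Found CVE-2021-44228 vulnerability in /home/ctmuser/ctm_agent/ctm/toolbox/Usage_Measurement.jar, log4j 2.11.0 (mitigated)
[*] Found CVE-2021-44228 vulnerability in /home/ctmuser/BMCINSTALL/uninstall/DRKAI.9.0.20.000/backup_area/ctm/toolbox/Usage_Measurement.jar, log4j 2.11.0
Fixed: /home/ctmuser/BMCINSTALL/uninstall/DRKAI.9.0.20.000/backup_area/ctm/toolbox/Usage_Measurement.jar
[*] Found CVE-2021-44228 vulnerability in /tmp/constructed/Usage_Measurement.jar, log4j 2.11.0
EOF
}

# Usage: unfixed_paths Log4jScannerOutput.txt; missing_backups Log4jScannerOutput.txt
```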
Deleting vulnerable files backed up by the upgrade procedure
If 9.0.21 was upgraded from a previous version and the above remediation steps were not performed, or the backed up vulnerable files were not removed after remediation, the vulnerable files will be backed up to the BMCINSTALL/uninstall/<product code> directory.
When you are sure that rollback is no longer needed to restore the original files, or to ensure that backed up files are not picked up by a later security scan, delete the Usage_Measurement.jar file.