How to remediate vulnerabilities CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105   in Control-M/Enterprise Manager and Control-M Workflow Insights?

A detailed description of the vulnerabilities can be found here: Apache Log4j Security Vulnerabilities.

Follow the BMC Security Advisory Note on BMC Community for continuous updates and details about this issue.

For release 9.0.21:

For release 9.0.20 and below: 

For All Control-M/Enterprise Managers supported versions and related Fix Packs use the following steps.

After applying this solution, the Log4j v2 is upgraded to version 2.17.0, resolving the above mentioned vulnerabilities.

The following process must be run on all distributed Control-M/Enterprise Manager environments, as well as on the primary and secondary nodes of High Availability installations.

Note: If Control-M Workflow Insights is later activated on the primary Control-M/Enterprise Manager and one or more secondary Insights installations, it is required to re-run the below Log4j scan and remediation steps on the primary EM and secondary hosts, even if it was run previously.

Note: When the EM_XXXXXX_Remediate_Log4J is executed, every jar that contains a vulnerable version of Log4j v2 is backed up in it's directory with the suffix ".bak" and upgraded to Log4j 2.17.0.

The utility can be executed as many times as required to confirm the vulnerabilities are fixed.



Unix / Linux:

• Login as the Control-M/Enterprise Manager account
• Download the EM_And_Server_Remediate_Log4J.tar file attached to this article, into the EM user home directory.
• Extract the tar file with the command:  tar -xvf EM_And_Server_Remediate_Log4J.tar
• cd EM_And_Server_Remediate_Log4J
• Stop Enterprise Manager processes by running the following commands:

                em ctl -mcs -C Config_Agent -all -cmd shutdown
                stop_config_agent
                em sca shutdown -f ( versions 9.0.19 and 9.0.20 ONLY)

• Run the following commands to scan for vulnerabilities: 

                em EM_Unix_Remediate_Log4J  $HOME/ctm_em >> Log4jScannerOutput.txt
                em EM_Unix_Remediate_Log4J  $HOME/BMCINSTALL >> Log4jScannerBMCINSTALLOutput.txt

Output example  from Log4jScannerOutput.txt -


target Path is : /home/emuser
BMC Vulnerability Scanner
Scanning directory: /home/emuser
[*] Found CVE-2021-44228 vulnerability in /home/emuser/ctm_em/etc/bim/mticket/log4j-core-2.11.2.jar, log4j 2.11.2
...

Scanned XXXX directories and XXXXX files
Found XX vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 66.32 seconds

Note:
1. Following warning can be ignored:
Skipping broken jar file XXXXXXXX.zip ('MALFORMED')
2. If the scanned result is 0 directories and 0 files, check if the $HOME is resolved with a symbolic link path, otherwise use the absolute path.
 

• Run the following commands to replace any vulnerabilities found: 

                em EM_Unix_Remediate_Log4J --replace  $HOME/ctm_em
                em EM_Unix_Remediate_Log4J --replace  $HOME/BMCINSTALL

• The following question is displayed:
• This command will replace log4j2 binaries to a newer version. Are you sure [y/N] 
• Press Y and press enter

NOTE: In order to run it in noninteractive mode use  --force flag.
i.e. run:

em EM_Unix_Remediate_Log4J --replace --force $HOME/ctm_em

Review the Output summary received and make sure the vulnerable files were fixed


Output example -


Scanned XXXX directories and XXXXX  files
Found X vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Replaced X files

Note: Also log4j-api and log4j-slf might be replaced to ensure log4j dependencies and this impact the Replaced number files 


Note: For AIX if the following error appears apply next steps:

Error: Cannot fix file (Java heap space). rollback original file
<EM home directory>/services/classes/controlm-web.war
Run the command:  cd <EM home directory>/services/classes/
Run the command:  rm -rf controlm-web.war.bak


Note: Run the scanner again to verify the vulnerabilities are fixed
 

• Start Enterprise Manager by running the command: start_all

Windows:
 

• Login on the Control-M/Enterprise Manager host
• Download the EM_And_Server_Windows_Remediate_Log4J.zip file attached to this article, into a temporary directory.
• Extract the file into the temporary directory.
• Open a command prompt as administrator and navigate to the  C:\Program Files\BMC Software\Control-M EM\Default\bin  directory
• Stop Enterprise Manager processes by running the following commands:
  • Run the command: ctl -mcs -C Config_Agent -all -cmd shutdown
  • Run the command: emsca shutdown -f ( versions 9.0.19 and 9.0.20 ONLY)
  • Stop the Control-M/Enterprise Manager Configuration Agent service (if not already stopped)
• Navigate to the temporary directory where you extracted the EM_And_Server_Windows_Remediate_Log4J.zip
• Run the following command to scan for vulnerabilities: 

                EM_Windows_Remediate_Log4J "%EM_HOME%" >> Log4jScannerOutput.txt


Output example  from Log4jScannerOutput.txt -

Scanning directory: C:\Program Files\BMC Software\Control-M EM\Default
[*] Found CVE-2021-44228 vulnerability in C:\Program Files\BMC Software\Control-M EM\Default\bim\mticket\log4j-core-2.11.2.jar, log4j 2.11.2
...
Scanned XXXXX directories and XXXXXX files
Found XX vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 198.67 seconds
 

• Run the following command to replace any vulnerabilities found:

                EM_Windows_Remediate_Log4J  --replace "%EM_HOME%"

• The following question is displayed:
• This command will replace log4j2 binaries to a newer version. Are you sure [y/N]?
• Answer Y and press enter

NOTE: In order to run it in noninteractive mode use  --force flag.
i.e. run:
                EM_Windows_Remediate_Log4J --replace --force "%EM_HOME%"

Review the Output summary received and make sure the vulnerable files were fixed

Output example -

Scanned XXXX directories and XXXX files
Found X vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Replaced X files


Note: Also log4j-api and log4j-slf might be replaced to ensure log4j dependencies and this impact in the Replaces number files 
Note: Run the scanner again to verify the vulnerabilities are fixed
 

Start the Control-M/Enterprise Manager Configuration Agent service


Unix / Linux rollback steps:

• If the log4j-api and log4j-slf files were updated, include them in the following rollback steps
• Stop Enterprise Manager with the same steps from above
• Open the Log4jScannerOutput.txt in the log4jScanner directory
• For each file that was updated:

• Start Enterprise Manager by running the command: start_all

Windows rollback steps:

• If the log4j-api and log4j-slf files were updated, include them in the following rollback steps.
• Stop the Control-M/Enterprise Manager Configuration Agent service
• Open the Log4jScannerOutput.txt found in the temporary directory where the patch was downloaded
• For each file that was updated:

• Start the Control-M/Enterprise Manager Configuration Agent service

Deleting vulnerable files backed up by the remediation procedure and upgrade procedure