How to remediate vulnerabilities CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 in Control-M/Enterprise Manager and Control-M Workflow Insights?

A detailed description of the vulnerabilities can be found here: Apache Log4j Security Vulnerabilities. Follow the BMC Security Advisory Note on BMC Community for continuous updates and details about this issue.
For release 9.0.21:

Control-M/Enterprise Manager 9.0.21 is released with log4j version 2.17.1; therefore release 9.0.21 is not vulnerable. Verify the log4j version with the following files (Linux / Unix example):

./ctm_em/archive/jars/dependency-jars/log4j-core-2.17.1.jar
./ctm_em/etc/emweb/tomcat/webapps/emThriftAPI/WEB-INF/lib/log4j-core-2.17.1.jar
./ctm_em/etc/emweb/tomcat/webapps/services-proxy/WEB-INF/lib/log4j-core-2.17.1.jar
./ctm_em/etc/emweb/tomcat/webapps/ClientSSO/WEB-INF/lib/log4j-core-2.17.1.jar
./ctm_em/etc/emweb/tomcat/webapps/ClientDeployServices/WEB-INF/lib/log4j-core-2.17.1.jar
./ctm_em/classes/log4j-core-2.17.1.jar

NOTE: If 9.0.21 was upgraded from a previous version and the remediation steps below were not performed, or the backed up vulnerable files were not removed, refer to the section "Deleting vulnerable files backed up by the upgrade procedure".
For release 9.0.20 and below:

For all supported Control-M/Enterprise Manager versions and related Fix Packs, use the following steps. After applying this solution, Log4j v2 is upgraded to version 2.17.0, resolving the above-mentioned vulnerabilities. The following process must be run on all distributed Control-M/Enterprise Manager environments, as well as on the primary and secondary nodes of High Availability installations.

Note: If Control-M Workflow Insights is later activated on the primary Control-M/Enterprise Manager and one or more secondary Insights installations, the Log4j scan and remediation steps below must be re-run on the primary EM and secondary hosts, even if they were run previously.

Note: When EM_XXXXXX_Remediate_Log4J is executed, every jar that contains a vulnerable version of Log4j v2 is backed up in its directory with the suffix ".bak" and upgraded to Log4j 2.17.0. The utility can be executed as many times as required to confirm the vulnerabilities are fixed.

Unix / Linux:
stop_config_agent

em sca shutdown -f (versions 9.0.19 and 9.0.20 ONLY)

em EM_Unix_Remediate_Log4J $HOME/BMCINSTALL >> Log4jScannerBMCINSTALLOutput.txt

Output example from Log4jScannerOutput.txt:

target Path is : /home/emuser
BMC Vulnerability Scanner
Scanning directory: /home/emuser
[*] Found CVE-2021-44228 vulnerability in /home/emuser/ctm_em/etc/bim/mticket/log4j-core-2.11.2.jar, log4j 2.11.2
...
Scanned XXXX directories and XXXXX files
Found XX vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 66.32 seconds

Note:
1. The following warning can be ignored: Skipping broken jar file XXXXXXXX.zip ('MALFORMED')
2. If the scan result is 0 directories and 0 files, check whether $HOME resolves through a symbolic link path; if so, use the absolute path instead.

em EM_Unix_Remediate_Log4J --replace $HOME/BMCINSTALL

NOTE: To run it in noninteractive mode, use the --force flag.
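As an added verification helper (not BMC's EM_Unix_Remediate_Log4J utility and not part of the original article), the following POSIX shell functions walk an install root such as $HOME/BMCINSTALL, report every log4j-core jar whose version is below the 2.17.0 level the remediation installs, and list leftover ".bak" backups that a later scan would still flag. It assumes the jars keep the log4j-core-<version>.jar naming shown on this page; repackaged or renamed copies still need the BMC scanner.

```shell
# Added helper: classify log4j-core jars under a Control-M/EM install root.
# Usage: summarize "$HOME/BMCINSTALL"

# Extract the version from a file name such as log4j-core-2.11.2.jar or
# log4j-core-2.11.2.jar.bak; prints nothing for any other file name.
log4j_version_from_name() {
    basename "$1" | sed -n 's/^log4j-core-\([0-9][0-9.]*\)\.jar\(\.bak\)*$/\1/p'
}

# True (exit 0) when dotted version $1 sorts before $2, e.g. 2.11.2 < 2.17.0.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t . -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# Print one line per jar: VULNERABLE (below 2.17.0), OK, BACKUP (.bak copy
# left behind by the remediation) or UNKNOWN (name does not carry a version).
classify_jar() {
    v=$(log4j_version_from_name "$1")
    if [ -z "$v" ]; then echo "UNKNOWN $1"; return 0; fi
    case "$1" in
        *.bak) echo "BACKUP $1" ;;
        *) if version_lt "$v" 2.17.0; then echo "VULNERABLE $1"; else echo "OK $1"; fi ;;
    esac
}

# Walk the install root and classify every log4j-core jar and .bak backup.
check_log4j_jars() {
    find "$1" -type f \( -name 'log4j-core-*.jar' -o -name 'log4j-core-*.jar.bak' \) |
        while read -r f; do classify_jar "$f"; done
}

# Count the lines of check_log4j_jars output whose status is $2.
count_status() {
    check_log4j_jars "$1" | awk -v s="$2" '$1 == s { n++ } END { print n + 0 }'
}

# Summary in the style of the scanner output quoted above.
summarize() {
    echo "Found $(count_status "$1" VULNERABLE) vulnerable files"
    echo "Found $(count_status "$1" BACKUP) backed up (.bak) files still on disk"
}
```

A non-zero BACKUP count after the rollback window has closed is the signal to apply the "Deleting vulnerable files" steps further down.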
Windows:
Output example from Log4jScannerOutput.txt:

Scanning directory: C:\Program Files\BMC Software\Control-M EM\Default
[*] Found CVE-2021-44228 vulnerability in C:\Program Files\BMC Software\Control-M EM\Default\bim\mticket\log4j-core-2.11.2.jar, log4j 2.11.2
...
Scanned XXXXX directories and XXXXXX files
Found XX vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in 198.67 seconds

i.e. run: EM_Windows_Remediate_Log4J --replace --force "%EM_HOME%"

Review the output summary and make sure the vulnerable files were fixed. Output example:

Scanned XXXX directories and XXXX files
Found X vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Replaced X files

Note: log4j-api and log4j-slf may also be replaced to satisfy log4j dependencies; this is reflected in the "Replaced" file count.

Note: Run the scanner again to verify the vulnerabilities are fixed.

Start the Control-M/Enterprise Manager Configuration Agent service.

Unix / Linux rollback steps:
• Go to the relevant directory
• Rename the updated jar according to the list by running the command:
mv <jar file> <jar file>.Log4Jupdate
• Rename the backup jar to the original name:
mv <jar file>.bak <jar file>
Windows rollback steps:
• Go to the relevant directory
• Rename the updated jar according to the list and add a suffix with: .Log4Jupdate
• Rename the backup jar (.bak) to the original name
Deleting vulnerable files backed up by the remediation procedure and upgrade procedure

After applying the security vulnerability remediation procedure above, the original vulnerable files are kept on disk with a ".bak" extension in case there is a need to roll back.

When you are sure that a rollback is no longer needed to restore the original files, or to ensure that backed up files are not picked up by a later security scan, use one of the following procedures to hide the files from being detected:
1. Password compress the backed up files. The list of backed up files can be found in the Uninstall rollback procedure above.
2. Move the files to a safe location where the security scan will not detect them.

Deleting vulnerable files backed up by the upgrade procedure

If 9.0.21 was upgraded from a previous version and the above remediation steps were not performed, or the backed up vulnerable files were not removed after remediation, the vulnerable files will be backed up to the BMCINSTALL/uninstall/<product code> directory.

When you are sure that a rollback is no longer needed to restore the original files, or to ensure that backed up files are not picked up by a later security scan, use one of the following procedures to hide the files from being detected:
1. Password compress the backed up files. The list of backed up files can be found in the Uninstall rollback procedure above.
2. Move the files to a safe location where the security scan will not detect them.