How to remediate vulnerabilities CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 in Control-M/Server? A detailed description of the vulnerabilities can be found here: Apache Log4j Security Vulnerabilities. Follow the BMC Security Advisory Note on BMC Community for continuous updates and details about this issue.
For release 9.0.21:
Control-M/Server 9.0.21 is released with log4j version 2.17.1; therefore release 9.0.21 is not vulnerable. Verify the log4j version by checking for the following files:
Linux / Unix example:
./ctm_server/exe_Linux-x86_64/log4j-core-2.17.1.jar
./ctm_server/exe_Linux-x86_64/CtmCeApplication/BOOT-INF/lib/log4j-core-2.17.1.jar
NOTE: If 9.0.21 was upgraded from a previous version and the remediation steps below were not performed, or the backed up vulnerable files were not removed, refer to the section "Deleting vulnerable files backed up by the upgrade procedure".
For release 9.0.20 and below:
For all supported Control-M/Server versions and related Fix Packs, use the following steps. After applying this solution, Log4j v2 is upgraded to version 2.17.0, resolving the vulnerabilities mentioned above. The following process must be run on all Control-M/Server environments, as well as on the primary and secondary nodes of High Availability installations.
Note: When CTM_XXXXXX_Remediate_Log4J is executed, every jar that contains a vulnerable version of Log4j v2 is backed up in its directory with the suffix ".bak" and upgraded to Log4j 2.17.0. The utility can be executed as many times as required to confirm the vulnerabilities are fixed.
Note: For versions 9.0.19 or 9.0.20, before starting this procedure, remediate the local Control-M Agent according to Knowledge article 000391425.
Unix / Linux:
CTM_Unix_Remediate_Log4J $HOME/ctm_server >> Log4jScannerOutput.txt
CTM_Unix_Remediate_Log4J $HOME/BMCINSTALL >> Log4jScannerBMCINSTALLOutput.txt
CTM_Unix_Remediate_Log4J $HOME/patches >> Log4jScannerPatchesOutput.txt
Output example from version 9.0.20 (Log4jScannerOutput.txt):
Scanning directory: /home/ctm20pg
[*] Found CVE-2021-44228 vulnerability in /home/ctm20pg/ctm_server/exe_Linux-x86_64/log4j-core-2.11.2.jar, log4j 2.11.2
[*] Found CVE-2021-44228 vulnerability in /home/ctm20pg/ctm_server/exe_Linux-x86_64/CtmCeApplication-ctms.jar (BOOT-INF/lib/log4j-core-2.11.2.jar), log4j 2.11.2
[*] Found CVE-2021-44228 vulnerability in /home/ctm20pg/exe_Linux-x86_64_fp22_orig/log4j-core-2.11.2.jar, log4j 2.11.2
[*] Found CVE-2021-44228 vulnerability in /home/ctm20pg/exe_Linux-x86_64_fp22_orig/CtmCeApplication-ctms.jar (BOOT-INF/lib/log4j-core-2.11.2.jar), log4j 2.11.2
…
Scanned XXXX directories and XXXXX files
Found XX vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in XX.XX seconds
Note:
1. The following warning can be ignored: Skipping broken jar file XXXXXXXX.zip ('MALFORMED')
2. If the scan result is 0 directories and 0 files, check whether $HOME resolves to a symbolic link path; if so, use the absolute path instead.
CTM_Unix_Remediate_Log4J --replace $HOME/ctm_server
CTM_Unix_Remediate_Log4J --replace $HOME/BMCINSTALL
CTM_Unix_Remediate_Log4J --replace $HOME/patches
i.e. run: CTM_Unix_Remediate_Log4J --replace --force $HOME/ctm_server
Review the output summary and make sure the vulnerable files were fixed. Output example:
...
Scanned XXXX directories and XXXXX files
Found X vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Replaced X files
Note: log4j-api and log4j-slf may also be replaced to satisfy log4j dependencies; this affects the number of replaced files.
Note: Run the scanner again to verify the vulnerabilities are fixed.
Windows:
CTM_Windows_Remediate_Log4J "<Control-M/Server installation directory>" >> Log4jScannerOutput.txt
For example, if Control-M/Server is installed in C:\Program Files\BMC Software\Control-M Server, the command will look like: CTM_Windows_Remediate_Log4J "C:\Program Files\BMC Software\Control-M Server" >> Log4jScannerOutput.txt
Output example from Log4jScannerOutput.txt:
Scanning directory: C:\Program Files\BMC Software\Control-M Server
[*] Found CVE-2021-44228 vulnerability in C:\Program Files\BMC Software\Control-M Server\exe\log4j-core-2.11.2.jar, log4j 2.11.2
...
Scanned XXXXX directories and XXXXXX files
Found XX vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Completed in xxx.xx seconds
CTM_Windows_Remediate_Log4J --replace "<Control-M/Server installation directory>"
For example, if Control-M/Server is installed in C:\Program Files\BMC Software\Control-M Server, the command will look like: CTM_Windows_Remediate_Log4J --replace "C:\Program Files\BMC Software\Control-M Server"
i.e. run: CTM_Windows_Remediate_Log4J --replace --force "C:\Program Files\BMC Software\Control-M Server"
Review the output summary and make sure the vulnerable files were fixed. Output example:
Scanned XXXX directories and XXXXX files
Found X vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Replaced X files
Note: log4j-api and log4j-slf may also be replaced to satisfy log4j dependencies; this affects the number of replaced files.
Note: Run the scanner again to verify the vulnerabilities are fixed.
-------------------------------------------------------------------------------------------------------------------------------------------------------
Note: After remediation, when upgrading to a higher Fix Pack or version (below 9.0.21), these same remediation steps must be repeated. An upgrade to a higher release overwrites the remediated log4j libraries, so the remediation procedure must be repeated.
-------------------------------------------------------------------------------------------------------------------------------------------------------
Unix / Linux rollback steps:
• Go to the relevant directory
• Rename the updated jar according to the list by running the command:
mv <jar file> <jar file>.Log4Jupdate
• Rename the backup jar to the original name:
mv <jar file>.bak <jar file>
Windows rollback steps:
• Go to the relevant directory
• Rename the updated jar according to the list and add a suffix with: .Log4Jupdate
• Rename the backup jar (.bak) to the original name
-------------------------------------------------------------------------------------------------------------------------------------------------------
Deleting the backed up vulnerability files
After applying the security vulnerability remediation procedure above, the original vulnerable files are kept on disk with a ".bak" extension in case there is a need to roll back.
When you are sure that rollback is no longer needed to restore the original files, or to ensure that the backed up files are not picked up by a later security scan, use one of the following procedures to hide the files from detection:
1. Password-compress the backed up files. The list of backed up files can be found in the Uninstall rollback procedure above.
2. Move the files to a safe location where the security scan will not detect them.
Deleting vulnerable files backed up by the upgrade procedure
If 9.0.21 was upgraded from a previous version and the above remediation steps were not performed, or the backed up vulnerable files were not removed after remediation, the vulnerable files are backed up to the BMCINSTALL/uninstall/<product code> directory.
When you are sure that rollback is no longer needed to restore the original files, or to ensure that the backed up files are not picked up by a later security scan, use one of the following procedures to hide the files from detection:
1. Password-compress the backed up files. The list of backed up files can be found in the Uninstall rollback procedure above.
2. Move the files to a safe location where the security scan will not detect them.