For release 9.0.21:
Control-M Managed File Transfer or Managed File Transfer Enterprise 9.0.21 is released with log4j version 2.17.2.
Therefore release 9.0.21 is not vulnerable.
Verify the log4j version with the following commands:
Linux / Unix
jar tvf <agent home>/ctm_agent/ctm/cm/AFT/exe/ctmmft-client.jar | grep log4j-core
jar tvf <agent home>/ctm_agent/ctm/cm/AFT/exe/ctmmft-hub.jar | grep log4j-core
Windows
jar tvf <agent home>\ctm_agent\ctm\cm\AFT\exe\ctmmft-client.jar | findstr log4j-core
jar tvf <agent home>\ctm_agent\ctm\cm\AFT\exe\ctmmft-hub.jar | findstr log4j-core
NOTE: If 9.0.21 was upgraded from a previous version and the remediation steps below were not performed, or the backed-up vulnerable files were not removed, refer to the section Deleting vulnerable files backed up by the upgrade procedure.
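As an added check (example code, not from the article or from BMC): the same verification as the jar tvf | grep log4j-core commands above, done with Python's zipfile module so it runs on a host without a JDK, and extended to report leftover <jar>.bak copies of the kind the note above warns about. The jar names and the ctm_agent/ctm/cm/AFT/exe layout are taken from the article; FIXED_VERSION = 2.17.0, the status labels and the constructed sample agent home are assumptions.

```python
import re
import tempfile
import zipfile
from pathlib import Path

MFT_JARS = ("ctmmft-client.jar", "ctmmft-hub.jar")  # jars named in the article
FIXED_VERSION = (2, 17, 0)  # assumed floor: the version the remediation script delivers
_LOG4J_CORE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")

def log4j_core_versions(jar_path):
    """Nested log4j-core versions: the zipfile equivalent of `jar tvf ... | grep log4j-core`."""
    with zipfile.ZipFile(jar_path) as jar:
        return [tuple(int(x) for x in m.groups()) for m in map(_LOG4J_CORE.search, jar.namelist()) if m]

def is_remediated(versions):
    """Remediated only if log4j-core was found and no embedded copy is older than FIXED_VERSION."""
    return bool(versions) and min(versions) >= FIXED_VERSION

def check_agent_home(agent_home):
    """Check both jars under <agent home>/ctm_agent/ctm/cm/AFT/exe and flag leftover .bak copies."""
    exe_dir = Path(agent_home, "ctm_agent", "ctm", "cm", "AFT", "exe")
    report = {}
    for jar_name in MFT_JARS:
        jar_path = exe_dir / jar_name
        if not jar_path.is_file():
            report[jar_name] = {"status": "missing"}
            continue
        versions = log4j_core_versions(jar_path)
        report[jar_name] = {
            "status": "ok" if is_remediated(versions) else "needs-attention",
            "versions": sorted(".".join(map(str, v)) for v in versions),
            # Remediate_Log4j leaves <jar>.bak holding the old log4j; a later scan will flag it
            "backup_left": (exe_dir / (jar_name + ".bak")).exists(),
        }
    return report

def build_sample_home(root, versions, leave_bak):  # constructed sample, not a real install
    exe_dir = Path(root, "ctm_agent", "ctm", "cm", "AFT", "exe")
    exe_dir.mkdir(parents=True)
    for jar_name, version in zip(MFT_JARS, versions):
        with zipfile.ZipFile(exe_dir / jar_name, "w") as jar:
            jar.writestr(f"lib/log4j-core-{version}.jar", b"")  # the entry name is all the check reads
        if leave_bak:
            (exe_dir / (jar_name + ".bak")).write_bytes(b"old jar")

def demo():
    """Sample host: client jar remediated, hub jar still on an old log4j, .bak files left behind."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_home(tmp, ("2.17.2", "2.14.1"), leave_bak=True)
        return check_agent_home(tmp)
```

Run check_agent_home("<agent home>") on a real host; a jar that reports "needs-attention" or "backup_left": True is the one to remediate or clean up.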
For release 9.0.20 and below:
For all currently supported Control-M Managed File Transfer and Managed File Transfer Enterprise Gateway versions (9.0.18.*, 9.0.19.*, 9.0.20.*) use the following steps.
After applying this solution, Log4j v2 is upgraded to version 2.17.0, resolving the vulnerabilities mentioned above.
Note: When the Remediate_Log4j script is executed, every jar that contains a vulnerable version of Log4j v2 is backed up in its own directory with the suffix ".bak" and upgraded to Log4j 2.17.0.
Managed File Transfer and Managed File Transfer Enterprise Hub:
Unix/Linux:
- Download the file Agent_Unix_Remediate_Log4J.tar, that is attached to this article, to the home directory of the Control-M/Agent account
- Extract the tar file by running the command: tar -xvf Agent_Unix_Remediate_Log4J.tar
- After extracting, the following files and directory are present in the home directory:
- Agent_Unix_Remediate_Log4J.sh
- bmcLog4jScanner.jar
- log4j
- Ensure that no jobs are running on the agent, and stop the agent by running the command:
- Scan the Agent installation, logging the results with the command:
- Agent_Unix_Remediate_Log4J.sh > Log4jScannerOutput.txt
- Apply the remediation by running one of the following commands:
- To confirm before applying: Agent_Unix_Remediate_Log4J.sh -o replace
- To apply without confirmation: Agent_Unix_Remediate_Log4J.sh -o force
Note: log4j-api and log4j-slf may also be replaced to keep the log4j dependencies consistent; this affects the number of files reported as replaced.
- Restart the Agent by running the command:
Windows:
- Download the file Agent_Windows_Remediate_Log4J.zip, that is attached to this article, to the Agent host.
- Extract the zip file into the directory <Agent installation path>\Control-M Agent\<Agent instance> (for example: C:\Program Files\BMC Software\Control-M Agent\Default)
- After extracting the zip, the following files and directory are present in the <Agent instance> directory:
- Agent_Windows_Remediate_Log4J.bat
- bmcLog4jScanner.jar
- log4j
- Note: If multiple agent instances are installed, this procedure must be performed for each instance
- Open a command prompt and navigate to the <Agent installation path>\Control-M Agent\<Agent instance> directory
- Example: cd C:\Program Files\BMC Software\Control-M Agent\Default
- Ensure no jobs are running on this agent and stop the Control-M/Agent service from Windows Services
- Scan the Agent installation, logging the results with the command:
- Agent_Windows_Remediate_Log4J.bat > Log4jScannerOutput.txt
- Apply the remediation by running one of the following commands:
- To confirm before applying: Agent_Windows_Remediate_Log4J.bat -o replace
- To apply without confirmation: Agent_Windows_Remediate_Log4J.bat -o force
Note: log4j-api and log4j-slf may also be replaced to keep the log4j dependencies consistent; this affects the number of files reported as replaced.
- Start the Agent service again from Windows Services.
Managed File Transfer and Managed File Transfer Enterprise Hub Rollback Steps
Unix/Linux:
- If the log4j-api and log4j-slf files were updated, include them in the following rollback steps
- Shut down the Control-M/Agent using your standard steps
- Open the Log4jScannerOutput.txt
- For each file that was updated:
- Go to the relevant directory
- Rename the updated jar according to the list by running the command:
- mv <jar file> <jar file>.Log4Jupdate
- Rename the backup jar to the original name:
- mv <jar file>.bak <jar file>
- Start the Agent using your standard steps
Windows:
- If the log4j-api and log4j-slf files were updated, include them in the following rollback steps
- Shut down the Control-M/Agent using your standard steps
- Open the Log4jScannerOutput.txt
- For each file that was updated:
- Go to the relevant directory
- Rename the updated jar according to the list by adding the suffix ".Log4Jupdate"
- Rename the backup jar (.bak) to the original name
- Start the Agent using your standard steps
Managed File Transfer Enterprise Gateway
Linux only:
- Download the file Agent_Unix_Remediate_Log4J.tar, that is attached to this article, to the home directory of the MFTe Gateway account
- Extract the tar file by running the command: tar -xvf Agent_Unix_Remediate_Log4J.tar
- After extracting, the following files and directory are present in the home directory:
- Agent_Unix_Remediate_Log4J.sh
- bmcLog4jScanner.jar
- log4j
- Stop the MFTe Gateway by running the command:
- ~/mft-proxy/exe/shut-mft-proxy.sh
- Scan the MFTe Gateway installation, logging the results with the command:
- Agent_Unix_Remediate_Log4J.sh > Log4jScannerOutput.txt
- Apply the remediation by running one of the following commands:
- To confirm before applying: Agent_Unix_Remediate_Log4J.sh -o replace
- To apply without confirmation: Agent_Unix_Remediate_Log4J.sh -o force
- Note: log4j-api and log4j-slf may also be replaced to keep the log4j dependencies consistent
- Restart the MFTe Gateway by running the command:
- ~/mft-proxy/exe/start-mft-proxy.sh
Rollback steps:
- If the log4j-api and log4j-slf files were updated, include them in the following rollback steps
- Shut down the MFTe Gateway with the command:
- ~/mft-proxy/exe/shut-mft-proxy.sh
- Open the Log4jScannerOutput.txt
- For each file that was updated:
- Go to the relevant directory
- Rename the updated jar according to the list by running the command:
- mv <jar file> <jar file>.Log4Jupdate
- Rename the backup jar to the original name:
- mv <jar file>.bak <jar file>
- Start the MFTe Gateway with the command:
- ~/mft-proxy/exe/start-mft-proxy.sh
Deleting vulnerable files backed up by the upgrade procedure
If 9.0.21 was upgraded from a previous version and the remediation steps above were not performed, or the backed-up vulnerable files were not removed after remediation, the vulnerable files are backed up to the BMCINSTALL/uninstall/<product code> directory.
When you are sure that a rollback is no longer needed to restore the original files, or to ensure that the backed-up files are not picked up by a later security scan, use one of the following procedures to keep the files from being detected:
1. Compress the backed-up files into a password-protected archive. The list of backed-up files can be found in the Uninstall rollback procedure above.
2. Move the files to a safe location where the security scan will not detect them.