For all current BMC Helix Control-M Agent versions (9.0.20.080 and 9.0.20.180), use the following steps.
After applying this solution, Log4j v2 is upgraded to version 2.17.0, resolving the above-mentioned vulnerabilities.
Note: When the Remediate_Log4J script is executed, every jar that contains a vulnerable version of Log4j v2 is backed up in its directory with the suffix ".bak" and upgraded to Log4j 2.17.0.
Linux:
- Log in as the Agent user
- Shut down the Control-M/Agent using your standard steps
- Verify no Agent processes are running
- Verify no jobs are running on the Agent
- Download the Agent_Unix_Remediate_Log4J.tar file from the following location into the Agent user's home directory
- Extract the tar file with the following command: tar -xvf Agent_Unix_Remediate_Log4J.tar
- After extracting, the following files and directory are present in the home directory:
- Agent_Unix_Remediate_Log4J.sh
- bmcLog4jScanner.jar
- log4j
- Scan the Agent installation, logging the results with the command: Agent_Unix_Remediate_Log4J.sh > Log4jScannerOutput.txt
- Apply the remediation by running one of the following commands:
- To confirm before applying: Agent_Unix_Remediate_Log4J.sh -o replace
- To apply without confirmation: Agent_Unix_Remediate_Log4J.sh -o force
- Example output:
Agent_Unix_Remediate_Log4J.sh -o force
…
removed :
/home/dbauser/ctm_agent/ctm/toolbox/Usage_Measurement.jar
…
Agent utility ended
***** Start scanner in --force mode *****
…
Scanned XXXX directories and XXXXX files
Found X vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Replaced X files
- Note: log4j-api and log4j-slf might also be replaced so that the log4j dependencies are met
- Start the Agent using your standard steps
Windows:
- Log in to the Control-M/Agent host
- Download the Log4ShellApplicationsWindows.zip file from the following location into a temporary directory
- Extract the zip file into the directory <Agent installation path>\Helix Control-M Agent\<Agent instance> (Ex: C:\Program Files\BMC Software\Helix Control-M Agent\Default)
- After extracting the zip, the following files and directory are present in the <Agent instance> directory:
- Agent_Windows_Remediate_Log4J.bat
- bmcLog4jScanner.jar
- log4j
- Note: If multiple agent instances are installed, this procedure must be performed for each instance
- Open a command prompt and navigate to the <Agent installation path>\Helix Control-M Agent\<Agent instance> directory
- Example: cd C:\Program Files\BMC Software\Helix Control-M Agent\Default
- Ensure no jobs are running on this agent and stop the Control-M/Agent service from Windows Services
- Scan the Agent installation, logging the results with the command: Agent_Windows_Remediate_Log4J.bat > Log4jScannerOutput.txt
- Apply the remediation by running one of the following commands:
- To confirm before applying: Agent_Windows_Remediate_Log4J.bat -o replace
- To apply without confirmation: Agent_Windows_Remediate_Log4J.bat -o force
- Example output:
Agent_Windows_Remediate_Log4J.bat -o force
…
"***** Start scanner in force mode *****"
…
Deleted file - C:\Program Files\BMC Software\Helix Control-M Agent\Default\toolbox\Usage_Measurement.jar
Agent cleanup done
…
BMC Vulnerability Scanner
Scanning directory: C:\Program Files\BMC Software\Helix Control-M Agent\Default
Scanned XXXX directories and XXXXX files
Found X vulnerable files
Found 0 potentially vulnerable files
Found 0 mitigated files
Replaced X files
- Note: log4j-api and log4j-slf might also be replaced so that the log4j dependencies are met
- Start the Agent service again from Windows Services.
Rollback Steps:
Linux rollback:
- Shut down the Control-M/Agent using your standard steps
- Open the Log4jScannerOutput.txt
- For each file that was updated:
- Go to the relevant directory
- Rename the updated jar according to the list by running the command: mv <jar file> <jar file>.Log4Jupdate
- Rename the backup jar to the original name: mv <jar file>.bak <jar file>
- Start the Agent using your standard steps
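The Linux rollback steps above as a script, added here as an example (it is not part of BMC's remediation package). It assumes you have copied the paths of the updated jars from Log4jScannerOutput.txt into a text file, one path per line; the function names and the list file are hypothetical.

```shell
#!/bin/sh
# Added example: Linux rollback of jars replaced by the remediation script.
# Input (assumption): a text file of jar paths, one per line, copied from Log4jScannerOutput.txt.

# Roll back one jar. Returns 0 on success, 1 if the jar was left untouched.
rollback_jar() {
    jar=$1
    if [ ! -f "$jar.bak" ]; then
        echo "SKIP $jar: no backup $jar.bak" >&2
        return 1
    fi
    if [ ! -f "$jar" ]; then
        echo "SKIP $jar: updated jar not found" >&2
        return 1
    fi
    if [ -e "$jar.Log4Jupdate" ]; then
        echo "SKIP $jar: $jar.Log4Jupdate already exists" >&2
        return 1
    fi
    # Same two renames as the manual procedure.
    mv -- "$jar" "$jar.Log4Jupdate" || return 1
    if ! mv -- "$jar.bak" "$jar"; then
        # Second rename failed: put the updated jar back so the Agent still has one.
        mv -- "$jar.Log4Jupdate" "$jar"
        return 1
    fi
    echo "ROLLED BACK $jar"
}

# Roll back every path in a list file; the return code is the number of failures.
rollback_list() {
    list=$1
    failed=0
    while IFS= read -r path || [ -n "$path" ]; do
        [ -z "$path" ] && continue
        rollback_jar "$path" || failed=$((failed + 1))
    done < "$list"
    return "$failed"
}

# Usage: sh rollback_log4j.sh updated_jars.txt  (as the Agent user, Agent stopped)
if [ "$#" -eq 1 ]; then
    rollback_list "$1"
fi
```

A non-zero exit code means at least one jar was skipped; check the SKIP messages before starting the Agent.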
Windows rollback:
- Shut down the Control-M/Agent using your standard steps
- Open the Log4jScannerOutput.txt
- For each file that was updated:
- Go to the relevant directory
- Rename the updated jar according to the list by adding the suffix “.Log4Jupdate”
- Rename the backup jar (.bak) to the original name
- Start the Agent using your standard steps