How to remediate vulnerabilities CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 in Control-M Automation API?

Manage Support IDs

Use checkboxes to 'Remove support IDs/Users' or 'Allow to create Cases'
Support IDs for BMC Customer Support Site Guest User
Profiles Which Include    Back to All Support IDs
 

Knowledge Article

How to remediate vulnerabilities CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 in Control-M Automation API?
How to remediate vulnerabilities CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 in Control-M Automation API?
Control-M/Enterprise Manager
Control-M Automation API
Control-M/Enterprise Manager - all currently supported versions (9.0.18, 9.0.19, 9.0.20, 9.0.21)
Only Control-M Automation API version 9.0.20.215

For release 9.0.21:

Control-M Automation API 9.0.21 is not vulnerable. 
Note: If Control-M Automation API 9.0.21 is upgraded from a version below 9.0.20.230, the vulnerable files will be backed up in the file system and need to be addressed.  Refer to the Solution section to address the backed up vulnerable files.
 

For release 9.0.20 and below: 

After running the the EM_Unix_Remediate_Log4J or EM_Windows_Remediate_log4J script from KA 000392046, the following jar files are still listed as having the vulnerable log4j version:

Linux/Unix: 
$HOME/ctm_em/etc/emweb/automation-api/control-m.services.server-9.20.NNN.jar (Where NNN corresponds to the installed Automation API version)
$HOME/ctm_em/etc/emweb/configuration-api/control-m.services.config.server-9.20.0.jar

Windows: 
<Install Path>\Control-M EM\emweb\automation-api\control-m.services.server-9.20.NNN.jar (Where NNN corresponds to the installed Automation API version)
<Install Path>\Control-M EM\emweb\configuration-api\control-m.services.config.server-9.20.0.jar
CTM-6086 - Automation API's log4j version is upgraded to version 2.17.0 by upgrading Automation API to monthly release 9.0.20.230
Install the latest Automation API monthly version (9.0.20.230 or higher) to resolve this issue.

Instructions to install the latest monthly release can be found below:
https://docs.bmc.com/docs/automation-api/monthly/installation-1050383959.html

During the installation the vulnerable jars are backed up to the following location:

Linux/Unix:

${HOME}/ctm_em/etc/emweb/automation-api/control-m.services.server-9.20.NNN.jar
(Where NNN corresponds to the previous installed Automation API version)
${HOME}/ctm_em/install/PADEV.9.0.20.230/backup/etc/emweb/configuration-api/control-m.services.config.server-9.20.*.jar

Windows: 

<Install Path>\Control-M EM\emweb\automation-api\control-m.services.server-9.20.NNN.jar (Where NNN corresponds to the previous installed Automation API version)
<Install Path>\Control-M EM\install\PADEV.9.0.20.230\backup\emweb\configuration-api\control-m.services.config.server-9.20.*.jar

After verifying the environment, BMC recommends that you back up and delete these files. If you
need to roll back the patch, restore these files.
Control-M/Enterprise Manager
Control-M Automation API
Control-M/Enterprise Manager - all currently supported versions (9.0.18, 9.0.19, 9.0.20, 9.0.21)
Only Control-M Automation API version 9.0.20.215
Control-M/Enterprise Manager
Control-M Automation API
Control-M/Enterprise Manager - all currently supported versions (9.0.18, 9.0.19, 9.0.20, 9.0.21)
Only Control-M Automation API version 9.0.20.215
Attachment(s):