For release 9.0.21:Control-M Automation API 9.0.21 is not vulnerable. For release 9.0.20 and below:After running the the EM_Unix_Remediate_Log4J or EM_Windows_Remediate_log4J script from KA 000392046, the following jar files are still listed as having the vulnerable log4j version:Linux/Unix: $HOME/ctm_em/etc/emweb/automation-api/control-m.services.server-9.20.NNN.jar (Where NNN corresponds to the installed Automation API version) $HOME/ctm_em/etc/emweb/configuration-api/control-m.services.config.server-9.20.0.jar Windows: <Install Path>\Control-M EM\emweb\automation-api\control-m.services.server-9.20.NNN.jar (Where NNN corresponds to the installed Automation API version) <Install Path>\Control-M EM\emweb\configuration-api\control-m.services.config.server-9.20.0.jar |
Install the latest Automation API monthly version (9.0.20.230 or higher) to resolve this issue. Instructions to install the latest monthly release can be found below: https://docs.bmc.com/docs/automation-api/monthly/installation-1050383959.html During the installation the vulnerable jars are backed up to the following location: Linux/Unix: ${HOME}/ctm_em/etc/emweb/automation-api/control-m.services.server-9.20.NNN.jar (Where NNN corresponds to the previous installed Automation API version) ${HOME}/ctm_em/install/PADEV.9.0.20.230/backup/etc/emweb/configuration-api/control-m.services.config.server-9.20.*.jar Windows: <Install Path>\Control-M EM\emweb\automation-api\control-m.services.server-9.20.NNN.jar (Where NNN corresponds to the previous installed Automation API version) <Install Path>\Control-M EM\install\PADEV.9.0.20.230\backup\emweb\configuration-api\control-m.services.config.server-9.20.*.jar After verifying the environment, BMC recommends that you back up and delete these files. If you need to roll back the patch, restore these files. |