Notification of action required by PATROL Agent users to apply the security patch


BMC Software is alerting PATROL Agent users that they must apply the PATROL agent security patch security patch on PATROL Agents running on Linux. 

Issue

Issue numberCVE-2019-17044

CVSS v3 base score: 6.7 (medium)

For PATROL Agents running on Linux, the PATROL user can escalate privileges to the root user using a library that can be tampered by the PATROL user.

Solution

Apply PATROL agent security patch on PATROL Agents running on Linux.

You can apply the security patch using one of the following methods:

  • Applying the security patch using the TrueSight console
    This is applicable to TrueSight Operations Management 10.7 or later and PATROL Agent 10.7 or later.

  • Applying the security patch using the PATROL Installation Utility
    This is applicable to PATROL Installation Utility 10.7 or later

Applying the security patch using the TrueSight console

Do the following: 

Step 1 — To download the patch

Download the security patch from this location: piaSecurityPatch_LINUX_20191208.zip

Step 2 —  To import the patch

  1. Log in to the TrueSight console. 
  2. Go to Administration > Repository, and select the Installation Components tab.
  3. ClickImport.
  4. In the Import a Repository or Solution dialog box, select Single Solution.
  5. Click Browse to browse and select the security patch archive file from your local computer's file system.
    The selected file is displayed in the File Selected: box.
  6. Click Import .
    The selected archive file is imported to the repository and extracted. You can close the window during the import process.

  7. After successful import, you can see the following patch file listed on the Installation Components page:
    PATROL agent security patch

Step 3 —  To create a deployable package

  1. Log in to the TrueSight console. 

  2. Go to Administration > Repository, and select the Deployable Packages tab.

  3. ClickCreate Deployable Package.

  4. On the Installation Package Solution Selection page, select the Linux operating system, and select a platform on which you want to install the package. 
    The list of components in the repository that are supported on Linux and platform is displayed.
  5. Select PATROL agent security patch to include in the package.

  6. From the Version list, select the version of the component that you want to include in the package.
    By default, the latest version available in the Presentation Server is selected. Select latest to automatically update the package with latest versions of components when they are imported to the Presentation Server.

  7. Provide PATROL Agent related information, and click Next:

    1. Specify the installation directory.

    2. Specify the PATROL 3.x product directory.
      Follow the instructions in the Important Information section of the wizard.

    3. Provide the System Root account details.
  8. In the Installation Package Details window, enter the following information:

    • Name: The name of the deployable package. It can contain only A-Z, a-z, 0-9, and underscore (_).
    • (Optional)Description: Enter a description of the package.
      The description is displayed in the list of deployable packages.
    • Format: The default file format for the operating system is automatically selected. Select a different format if required.
  9. Do one of the following:

    • Click Save, if you want to deploy the patch from the TrueSight console.

    • Click Save and Download, if you want to apply the patch using the silent installer.

  10. Click Close.

Step 4A —  To apply the patch using the TrueSight console

  1. Log in to the TrueSight console. 
  2. Go to Configuration>Managed Devices.
  3. Expand the entries list to display the PATROL Agents that you want to deploy and install the package to.

    Deploying the security patch to multiple PATROL Agent instances

    You can deploy the security patch to multiple PATROL Agent instances that are running on the same host.

  4. From the action menu for the PATROL Agent, select Deploy and Install Packages

    Notes

    If you are simultaneously deploying the package to multiple PATROL Agents, you can use the action menu from the column heading to deploy the package to the selected PATROL Agents.

  5. Select the package that you want to deploy to the PATROL Agent and select Deploy and Install.

    Note

    • Deploying a package restarts the PATROL Agent.
    • During a deployment, if an Integration Service is disconnected, the deployment continues when the Integration Service is reconnected.
  6. View the status in the Deploy Status column. 

Step 4B —  To apply the patch using the silent installer

Do the following:

  1. Copy the downloaded package to a host computer where you intend to install the security patch. 
  2. Extract the package, and run the RunSilentInstall file to install the patch.

Applying the security patch using the PATROL Installation Utility

Do the following:

  1. Stop the PATROL Agent.
  2. Back up the PATROL_CACHE directory.
  3. Stop the PATROL applications or PATROL processes that are running.
  4. Back up the PATROL_HOME/lib/knowledge and PATROL_HOME/lib/psl directories.
  5. Download the security patch from this location: piaSecurityPatch_LINUX_20191030.zip
  6. Extract the downloaded security patch. The contents of the files are extracted into the bmc_products sub-directory. 

  7. From the bmc_products directory, run the following command to start the installation Web server:

    ./setup.sh -serveronly
    Note: A message box is displayed that shows the URL that you can use to connect to the installation Web server.

  8. On another computer with a browser, start the browser.
  9. Connect to the installation Web server from the browser to start the installation utility by using the URL that is displayed in the message box on the computer on which you are installing the product.

  10. Click Next on the Welcome to the Installation Utility window to begin your installation.

  11. Follow the on-screen instructions until the Select Products and Components to Install page is displayed.
  12. On the Select Products and Components to Install page, select PATROL agent security patch.

  13. Follow the on-screen instructions to complete the installation. 

Acknowledgement

BMC would like to thank the following individuals for responsibly disclosing this vulnerability to us:

Jan Kopec and Charles d'Hondt from LEXFO. 

Was this page helpful? Yes No Submitting... Thank you

Comments