Important

Starting with version 8.9.03, BMC Server Automation is renamed to TrueSight Server Automation. This space contains information about BMC Server Automation 8.9.02 and previous versions. For TrueSight Server Automation 8.9.03 and later releases, see TrueSight Server Automation 8.9.

Notification of critical security issue in BMC Server Automation, CVE-2017-9453

BMC Software is alerting users to a security problem in the Process Spawner component of BMC Server Automation in versions earlier than 8.9.01 Patch 1.

If you are using BMC Server Automation 8.9.01 Patch 1, 8.9.02, or a later version, no action is required. If you are using a version of BMC Server Automation earlier than 8.9.01 Patch 1, you must either upgrade to a version that contains the fix or apply the workaround described below.

Overview

Assigned CVE-IDs: CVE-2017-9453

CVSS Rating: CVSSv3 score 9.0

Problem

An authentication bypass vulnerability has been identified in the Process Spawner component of BMC Server Automation. It may allow an attacker to execute commands on the system running the Process Spawner, in the context of the user account under which the Process Spawner runs. Because of the severity of this vulnerability, BMC strongly recommends that customers apply the mitigation or the updates described in this flash as soon as possible.

Mitigation

To mitigate the issue without upgrading, disable the Process Spawner feature and stop the Process Spawner service.

  1. Using the blasadmin utility, disable the application server from using the Process Spawner by running the following command on each application server:
     blasadmin -a set ProcessSpawner SpawnExternally false
  2. Restart the application server service on each application server.
  3. Stop and disable the Process Spawner service:
     1. If the application server is installed on Microsoft Windows, perform the following steps:
        1. Go to the service manager.
        2. Locate the BladeLogic Process Spawner service.
        3. Select and stop the service.
        4. Change the startup type to Manual or Disabled.
     2. If the application server is installed on Linux, perform the following steps:
        1. Stop the service by issuing the command: /etc/init.d/blprocserv stop
        2. Disable the service from starting at boot by issuing the command: chkconfig blprocserv off
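As an added example (not BMC's own tooling), the following POSIX shell script turns the Linux side of this procedure into something an administrator can audit and apply consistently across application servers: it decides from a version string whether a host still predates 8.9.01 Patch 1 (written 8.9.01.001, as in the Solution section), checks chkconfig output to confirm the blprocserv service will not return at the next boot, and runs the advisory's own commands only when explicitly invoked with "apply". The version format, the chkconfig line layout, and the presence of blasadmin and /etc/init.d/blprocserv are assumptions; the two sample chkconfig lines are constructed. The Windows steps (service manager) are not covered here.

```sh
#!/bin/sh
# Added example, not BMC's own tooling: audit and (on request) apply the
# CVE-2017-9453 Process Spawner workaround on a Linux application server.
# Assumptions: versions are written as in this advisory (8.9.01, 8.9.02,
# 8.9.01.001 for "8.9.01 Patch 1"); blasadmin, chkconfig and
# /etc/init.d/blprocserv exist as the advisory's steps describe.

FIXED_VERSION="8.9.01.001"   # 8.9.01 Patch 1: first release carrying the fix

# Strip leading zeros ("01" -> "1", "000" -> "0") so a field such as "09" is
# never handed to the shell as an invalid octal literal.
num() {
    n="${1:-0}"
    n="${n#"${n%%[!0]*}"}"
    printf '%s\n' "${n:-0}"
}

# Fold a dotted version into one integer (three decimal digits per field) so
# versions can be compared numerically; fields the string lacks count as 0.
version_key() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    k=$(num "${1:-}")
    for f in "${2:-}" "${3:-}" "${4:-}"; do
        k=$(( k * 1000 + $(num "$f") ))
    done
    echo "$k"
}

# True (exit 0) when the given version predates 8.9.01 Patch 1.
is_affected_version() {
    [ "$(( $(version_key "$1") < $(version_key "$FIXED_VERSION") ))" -eq 1 ]
}

# True when a `chkconfig --list blprocserv` line still shows the service
# enabled ("<runlevel>:on") in any runlevel, i.e. it would start again at boot.
service_autostart_enabled() {
    case "$1" in
        *[0-9]:on*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed sample output, before and after `chkconfig blprocserv off`.
SAMPLE_CHKCONFIG_BEFORE='blprocserv      0:off   1:off   2:on    3:on    4:on    5:on    6:off'
SAMPLE_CHKCONFIG_AFTER='blprocserv      0:off   1:off   2:off   3:off   4:off   5:off   6:off'

# Report whether this host still needs the workaround. Prints findings and
# returns 0 when nothing is outstanding, 1 otherwise.
audit_linux() {
    ver="$1"; outstanding=0
    if is_affected_version "$ver"; then
        echo "BSA $ver is earlier than $FIXED_VERSION: upgrade, or keep the workaround in place"
        if command -v chkconfig >/dev/null 2>&1 &&
           service_autostart_enabled "$(chkconfig --list blprocserv 2>/dev/null)"; then
            echo "blprocserv is still enabled at boot: workaround not applied"
            outstanding=1
        fi
    else
        echo "BSA $ver already contains the fix; no action required"
    fi
    return "$outstanding"
}

# The advisory's Linux steps, run verbatim. Invoked only via `... apply`.
apply_linux_mitigation() {
    blasadmin -a set ProcessSpawner SpawnExternally false
    # Step 2 (restart the application server service) is left to the operator
    # here because the service name depends on the installation (assumption).
    /etc/init.d/blprocserv stop
    chkconfig blprocserv off
    chkconfig --list blprocserv    # confirm every runlevel now reads "off"
}

case "${1:-}" in
    audit) audit_linux "${2:?usage: $0 audit <bsa-version>}" ;;
    apply) apply_linux_mitigation ;;
esac
```

Run it as "sh cve-2017-9453-workaround.sh audit 8.9.01" on each application server to get a pass/fail exit status that a fleet-wide inventory job can collect; "apply" performs only the documented commands, so the restart of the application server service (step 2) still has to be done by the operator.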

Solution

BMC Server Automation versions 8.9.02 and 8.9.01.001 (8.9.01 Patch 1) contain the fix for this issue. For information about upgrading to either version, see the links in the table below:


BMC Server Automation Version | Download Page                | Instructions
8.9.02                        | Downloading the service pack | Upgrading to the service pack
8.9.01 Patch 1                | Downloading the patch        | Upgrading to the patch

Where to go for additional information

If you have any questions about the issue, contact BMC Customer Support at 800 5371813 (United States or Canada) or call your local support center. 
