This documentation supports the 9.1 version of Remedy Action Request System.

Critical Remote Code Execution (RCE) vulnerability in Remedy Mid Tier

BMC Software is alerting users to a serious problem that requires immediate attention in versions 9.1, 18.05, 18.08, and 19.02 of the Remedy AR System product. If you have any questions about the problem, contact Customer Support.

June 11, 2019

SW00558551: Critical Remote Code Execution (RCE) vulnerability in Remedy Mid Tier (CVE-2019-12740)

Issue

BMC Software has identified an unauthenticated Remote Code Execution (RCE) vulnerability in Remedy Mid Tier.

Mid Tier versions 9.1, 18.05, 18.08, and 19.02, including their service packs and patches, are affected by this vulnerability.

Resolution

Perform the following steps to resolve this issue:

  1. Ensure that the base version of Mid Tier is as follows:
    • For Mid Tier version 9.1—Base version must be Patch 1 for 9.1 Service Pack 3 (9.1.03.001) or Patch 2 for 9.1 Service Pack 4 (9.1.04.002)
    • For Mid Tier version 18.05—Base version must be 18.05 or Patch 5 for version 18.05 (18.05.005)
    • For Mid Tier version 18.08—Base version must be Patch 1 for version 18.08 (18.08.01)
    • For Mid Tier version 19.02—Base version must be 19.02
  2. Download the hot fix from ftp://ftp.bmc.com/pub/ARRecommendedFixes/Midtier.
  3. Deploy the hot fix as described in the Readme file provided with each hot fix bundle.
  4. Edit the web.xml file located in the <midTierInstallDirectory>/WEB-INF directory. For information about the steps to be followed, see the Additional Instructions section in the Readme files.

Comments

  1. Dirk Reuter

    Hello,

    We must ensure for our customers that the older versions are not affected. Has this been tested, or are only the supported versions listed here?

    Best regards, Dirk

    Jun 12, 2019 12:32
    1. Surabhee Kulkarni

      Hello Dirk,

      Thank you for your comment. It is likely that these older unsupported versions are also affected by this vulnerability. The customers will need to upgrade to the current supported version and then apply the hot fix provided. BMC has tested only the supported versions.

      Thanks and regards,
      Surabhee

      Jun 13, 2019 12:40
      1. Rudolf Brenner

        Hello Surabhee, Versions 9.0.00, 9.0.01, 9.1.00 and 9.1.02 still have not yet reached "End of Support Date". Does BMC not provide vulnerability hot fixes for these versions? Thanks, Rudolf

        Jun 13, 2019 01:06
        1. Surabhee Kulkarni

          Hello Rudolf,

          Thank you for your comment.

          Currently, we have provided hot fixes for 9.1, 18.05, 18.08, and 19.02 versions.

          For version 9.1, the base version must be Patch 1 for 9.1 Service Pack 3 (9.1.03.001) or Patch 2 for 9.1 Service Pack 4 (9.1.04.002) to apply this hot fix.

          For information about the earlier versions, could you please contact BMC Customer Support?

          Thanks and regards,
          Surabhee

          Jun 16, 2019 07:54
  2. Guruprasad Balachandra

    Same question. The patch mentions specific versions of 9.1, i.e. 9.1.03.001 or 9.1.04.002. For example, does it impact this version: 9.1.04 201711272256?

    Jun 12, 2019 07:32
    1. Surabhee Kulkarni

      Hello Guruprasad,

      Thank you for your comment. Version 9.1 is affected by this vulnerability. The base version must be Patch 1 for 9.1 Service Pack 3 (9.1.03.001) or Patch 2 for 9.1 Service Pack 4 (9.1.04.002) to apply this hot fix.

      Thanks and regards,
      Surabhee

      Jun 13, 2019 12:42
  3. Abdul moid Mohammed

    Hi Everyone,

    Deployment went well on one of our DEV environments with standalone ARS, Midtier, DWP and RSSO. We are experiencing issues with our TST environment, where the deployment shows it started but does not update either the deployer logs or the files. This environment has 2 App Servers, 1 Midtier, 1 RSSO and 1 DWP; we have removed one of the servers from the AR Server setting on Midtier's config page, but the issue still persists. We already have a case with BMC but are yet to receive a response; it has been almost a week that we are trying to figure out this issue and its resolution. We would appreciate a response or any workarounds to overcome this issue at the earliest.

    Thanks,
    Abdul Moid

    Jun 25, 2019 02:28