×
 
 
  •  
$helper.renderConfluenceMacro('{bmc-global-announcement:$space.key}')
TrueSight Server Automation 20.02 ... Release notes and notices Flashes

Notification of critical security issue in BMC Server Automation, CVE-2017-9453

BMC Software is alerting users to a security problem in the Process Spawner component of BMC Server Automation in versions earlier than 8.9.01 Patch 1.

If you are using BMC Server Automation 8.9.01 Patch 1, or 8.9.02 or later, no action is required. If you are using BMC Server Automation of version earlier than 8.9.01 patch 1, you must either upgrade to a version with the fix or perform the workaround listed below.

This topic includes the following sections:

Overview

Assigned CVE-IDs: CVE-2017-9453

CVSS Rating: CVSSv3 Score: 9.0 (details)

Problem

An authentication bypass vulnerability has been identified in the Process Spawner component of BMC Server Automation that may allow the attacker to execute commands in the context of the user running the Process Spawner on the system running the Process Spawner. Due to the severity of this vulnerability, BMC strongly recommends that customers apply the mitigation or the updates noted in this flash as soon as possible.

Mitigation

To mitigate the issue without upgrading you can disable the Process Spawner feature and stop the Process Spawner service.

  1. Using the blasadmin utility disable the application server from using the Process Spawner by running the below on each application server:
    blasadmin -a set ProcessSpawner SpawnExternally false
  2. Restart the application server service on each application server
  3. Stop and disable the Process Spawner Service
    1. If the application server is installed on Microsoft Windows, perform the following steps:
      1. Go to service manager.
      2. Locate BladeLogic Process Spawner service.
      3. Select and stop the service.
      4. Alter the startup type to Manual or Disabled
  4. If the application server is installed on Linux, perform the following steps:
    1. Stop the service by issuing the command: /etc/init.d/blprocserv stop. 
    2. Disable the service start by issuing the command: chkconfig blprocserv off

Solution

BMC Server Automation version 8.9.02 and 8.9.01.001 have the fix for this issue.  For information about upgrading to either version see the links in the table below:

BMC Server Automation Version

Download Page

Instructions

8.9.02

Error rendering macro 'link-window'

Failed to transform the HTML macro template for display. Nested message: The XML content could not be parsed. There is a problem at line 4, column 38. Parser message: Unexpected character '3' (code 51) (expected a name start character) at [row,col {unknown-source}]: [4,38]

Upgrading to the service pack

8.9.01 Patch 1

Downloading the patch

Upgrading to the patch

Where to go for additional information

If you have any questions about the issue, contact BMC Customer Support at 800 5371813 (United States or Canada) or call your local support center. 

Was this page helpful? Yes No Submitting... Thank you
Last modified by Sulekha Gulati on Jul 20, 2021

Comments

Log in or register to comment.

Fix available for Apache Log4j vulnerabilities
Notification of action needed for users of TrueSight Server Automation Microsoft Windows Patching
© Copyright 1996-2020 BladeLogic, Inc. © Copyright 2014-2020 BMC Software, Inc.
Legal notices

Powered by Atlassian Confluence and Scroll Viewport

© Copyright 2005-2023 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.