Fix available for Apache Log4j vulnerabilities



Comments

  1. Gilbert Morcel

    Hi

    Some remarks: 

    This kind of error message is not listed : 

     [Fri Dec 24 11:12:39 2021] -    Replacing single file rest.war in webapps

    chown: Unable to change ownership of file /cygdrive/C/PROGRA~1/BMCSOF~1/BLADEL~1/appserver/NSH/br/deployments/_template/tomcat/webapps/rest.war: Invalid argument

    [Fri Dec 24 11:12:39 2021] -    File rest.war is replaced successfully

    [Fri Dec 24 11:12:39 2021]

    ==> I decided to ignore this kind of error message (chown is not applicable in Windows)

    some strange message :

    [Fri Dec 24 11:56:06 2021] -    Backing up Deployment file - autoupgrade-rest.war in /cygdrive/C/Program

    ==> Found autoupgrade-rest.war  in C:\Program Files\BMC Software\BladeLogic\BSA21.3.00.38RU2Backup_24.12.2021_11.55.15\deployments , so this is just a display bug ( line is not folded.. it's truncated )

    Dec 24, 2021 07:23
    1. Vignesh Kannan

      Hello Gilbert Morcel,

      Thank you for your comment. Kindly disregard this warning message.


      Regards,
      Vignesh K

      Jun 14, 2023 12:20
  2. Gilbert Morcel

    Chapter "After applying the hotfix on the Application Server" is obviously sloppy: - actions regarding the file server do not belong here! I have 4 app servers, one file server!! - you have to search for 4 different files, and have instructions for just 2 types of files!! What must we do with rhev.zip and jpavmware.zip, which are in different UUIDs and without jar in subfolders??

    Dec 24, 2021 08:13
    1. Vignesh Kannan

      Hello Gilbert Morcel,

      Thank you for your comment!


      You must remove the rhev.zip and jpavmware.zip even if they are in different UUIDs. Before removing the zip, make sure that none of the subfolders beneath the UUID contain the most recent log4j jars, such as log4j-api-2.17.1.jar or log4j-core-2.17.1.jar.

      Regards,
      Vignesh K

      Jun 19, 2023 07:36
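
The check described in the reply above, as an added example that is not part of the original thread or BMC's own tooling: a report-only script that deletes nothing. It assumes the directory passed in has the UUID folders as its immediate children; the `HOLD`/`REMOVE` labels and function names are made up for this example.

```shell
#!/bin/sh
# Added example: report-only, deletes nothing.
# Assumption: "$1" is a directory whose immediate children are the UUID folders.

# Succeeds if anything beneath the UUID folder "$1" is a current log4j jar
# (the two file names quoted in the reply).
has_current_log4j() {
    found=$(find "$1" -type f \
        \( -name 'log4j-api-2.17.1.jar' -o -name 'log4j-core-2.17.1.jar' \) \
        -print | head -n 1)
    [ -n "$found" ]
}

# Prints one line per rhev.zip / jpavmware.zip found in a UUID folder:
#   REMOVE <path>  no current log4j jar beneath that UUID folder
#   HOLD <path>    current log4j jars are present, so check before removing
check_zips() {
    root=$1
    for uuid_dir in "$root"/*/; do
        [ -d "$uuid_dir" ] || continue
        uuid_dir=${uuid_dir%/}
        for zip in rhev.zip jpavmware.zip; do
            [ -f "$uuid_dir/$zip" ] || continue
            if has_current_log4j "$uuid_dir"; then
                echo "HOLD $uuid_dir/$zip"
            else
                echo "REMOVE $uuid_dir/$zip"
            fi
        done
    done
}

# Run as: sh check_zips.sh /path/to/folder/containing/the/UUID/folders
if [ "$#" -gt 0 ]; then
    check_zips "$1"
fi
```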
  3. Greg Michael

    The installer for the RCP console properly determines whether or not the console is running and if found kills it. It does not determine whether or not an NSH Shell is running. The installer will hang silently waiting for the NSH Shell to exit. It took almost 2 minutes after I found and closed my NSH shell window before the installer continued.

    Jan 25, 2022 04:39
    1. John O'Toole

      Hi Greg,

      Did you observe this while running the full RCP Console installer i.e.

      (Windows) (32-bit) x32\TSSACONSOLE2002P1-122-WIN32.exe (64-bit) x64\TSSACONSOLE2002P1-122-WIN64.exe

      (Linux, 64-bit) ./TSSACONSOLE2002P1-122-LIN64.bin

      or the Rolling Update RCP Console installer on an Application Server?

      Jan 26, 2022 08:41
      1. Greg Michael

        Yes, this was observed while running the HF installer for the RCP console, with both the RCP console running as well as an NSH Shell window.

        Jan 26, 2022 06:24
    1. Vignesh Kannan

      Hello Greg Michael,
      Thank you for your comment!

      While installing or upgrading the console, kindly stop all the services and close all the NSH prompts. 


      Regards,
      Vignesh K

      Jun 20, 2023 06:47
      1. Greg Michael

        The point was that it waits silently for the other processes to exit. If there were an error message or a pop-up to either remind users to close any open windows, or the installer would check for and close/kill those processes, customers wouldn't be confused waiting for the installer to run and see nothing happening. Hindsight is 20/20, but foresight is better!

        Jun 20, 2023 10:11
        1. Vignesh Kannan

          Hello Greg Michael,

          This improvement is not presently available in the current version. As a future roadmap for TrueSight Server Automation there are plans to develop this. However, please note that the future plan decisions may be subject to change, and we cannot comment on specific plans and timelines. We recommend raising a support case for product enhancements and sharing your ideas on the BMC communities page for TrueSight Server Automation: https://community.bmc.com/s/topic/0TO3n000000WJV0GAO/truesight-server-automation.


          Regards,
          Vignesh K

          Jun 29, 2023 02:09
  4. John O'Toole

    On the page for TSSA 21.3 RU1 we have the following:

    https://docs.bmc.com/docs/serverautomation/213/rolling-update-1-for-version-21-3-1049126743.html

    Important The hotfix released for the Apache Log4j vulnerabilities and the 21.3 Rolling Update 1 are independent of each other. You can apply them in any sequence.

    We should add a corresponding note on this page so customers get this information regardless of which hotfix doc page they view.

    Mar 31, 2022 01:13
    1. Vignesh Kannan

      Hello John O'Toole,

      Thank you for your input!

      The relevant notice has been added to this page.


      Regards,

      Vignesh K

      Jun 26, 2023 12:47
  5. Nitin Murkute

    Hi Team,

    Should we use the same procedure as for the Log4j fix to apply "TrueSight Server Automation 21.3.00 for Windows Spring4Shell Hotfix" after applying the Log4JShell Hotfix on top of the upgraded TSSA 21.3? Or can we just run rollingUpdateInstaller.nsh for TSSA_SPRING4SHELL_WIN_21-3_HF_v1?

    Jun 02, 2022 11:36
    1. Vignesh Kannan

      Hello Nitin Murkute,

      Thanks for your comment!
      We cannot use the same procedure.


      Regards,

      Vignesh K

      Jun 14, 2023 03:30