Notification of RSCD Agent security issues in TrueSight Server Automation

BMC Software is alerting users to security issues in RSCD Agents on all the platforms of version 21.3 of TrueSight Server Automation.

If you have any questions about the issue, contact  Customer Support.

Last updated: July 15, 2022


Issues

The following RSCD Agent security issues and other low severity issues have been addressed in this hotfix:

Severity

Affected RSCD Agents 

Issue

High 

Windows and UNIX RSCD Agents

Local privilege escalation

Medium 

Windows RSCD Agents

On a Windows domain controller, the BladeLogicRSCDDC user is assigned a default password.

We recommend that you immediately apply the hotfix as described in this topic.

Resolution

Download the hotfix required for your platform from the Patches tab of the following EPD website page and apply the hotfix. You must provide your BMC Support credentials to access the EPD website. You might also be prompted to complete the Export Compliance form.

EPD Download Link

Item name

File name

md5 checksum

Build number

TrueSight Server Automation 21.3 Open link

TSSA 21.3.00 Server Automation [x64] RSCD Agent Hotfix

RSCD_SecurityFixes_21-3_HF_V2.zip

38b4a3bf3a4515b6c38a50a76b26fceb

21.3.00.63

Important

  • This security hotfix is cumulative of the Rolling Update 1 for version 21.3, which adds support for Windows Server 2022.
  • The existing file, RSCD_SecurityFixes_<version>HF.zip has been removed from EPD on July 15, 2022, and replaced with a new file, RSCD_SecurityFixes_<version>HF_V2.zip.
  • Ignore the new file if you have applied the earlier fix by using RSCD_SecurityFixes_<version>HF.zip and the build number is 21.3.00.63.

Applying the hotfix

Depending on your requirements, apply the hotfix as described in the following sections:

Applying the hotfix to the standalone RSCD Agents

Upgrade the standalone existing RSCD Agents or install them.

Upgrading an existing RSCD Agent that is installed on a target server

Before you begin

Before upgrading an RSCD Agent on Windows domain controllers, ensure that the following prerequisites are met on each domain controller:

  • Change the BladeLogicRSCDDC password as per your company's password policies by using the chapw command. For instructions on changing the password, see Changing the BladeLogicRSCDDC account password on domain controllers.
  • Ensure that Administrators do not have the Delete permission on the HKEY_LOCAL_MACHINE\SAM\SAM node in the Windows Registry. By default, Administrators have the Read Control and Write DAC registry access permissions.


To upgrade an existing RSCD Agent that is installed on a target server

  1. Download and extract the RSCD_SecurityFixes_<version>_HF.zip file to a temporary directory.

    The extracted directory contains the TSSA<version>-RSCDAgents.zip file.

  2. Extract the TSSA<version>-RSCDAgents.zip file.

    The extracted directory contains the RSCD Agent installers (RSCD<version>-<platform>).

  3. Use one of the following methods to upgrade the RSCD Agent:

    1. Download and extract the RSCD_SecurityFixes_<version>_HF.zip file to a temporary directory on a target server or the server where the TrueSight Server Automation Console (RCP Client) is installed.

      The extracted directory contains the PPC64LE_CT directory, which contains the version-neutral RSCDSECHF_LINPPC64LE.zip component templates file.

    2. In the TrueSight Server Automation console, right-click Component Templates, and select Import.

    3. Select Import(Version-neutral) as the import mode. 

    4. Browse to the RSCDSECHF_LINPPC64LE.zip file.

    5. Click Import

    6. Click Next and then click Finish to complete the wizard.

    7. Run the Compliance Job with the Auto-discovery check box selected against the ppc64le platform to list the compliant and non-compliant servers.

    8. If the Compliance Job identifies any non-compliant servers, run the Remediation Job to make them compliant.

    9. Verify that Live Browse of Unix Groups and Unix Users displays all the required values from the compliant servers.

  4. If any of the Configuration Objects (COs) are missing after upgrade, distribute the COs again. For more information, see Creating or modifying Distribute Configuration Objects Jobs.

Installing (fresh) an RSCD Agent on a target server

  1. Download and extract the RSCD_SecurityFixes_<version>_HF.zip file to a temporary directory.

    The extracted directory contains TSSA<version>-RSCDAgents.zip.

  2. Extract the TSSA<version>-RSCDAgents.zip file.

    The extracted directory contains the RSCD Agent installers (RSCD<version>-<platform>).

  3. Use one of the following methods to install the RSCD Agent:

    1. Download and extract the RSCD_SecurityFixes_<version>_HF.zip file to a temporary directory on a target server or the server where the TrueSight Server Automation Console (RCP Client) is installed.

      The extracted directory contains the PPC64LE_CT directory, which contains the version-neutral RSCDSECHF_LINPPC64LE.zip component templates file.

    2. In the TrueSight Server Automation console, right-click Component Templates, and select Import.

    3. Select Import(Version-neutral) as the import mode. 

    4. Browse to the RSCDSECHF_LINPPC64LE.zip file.

    5. Click Import

    6. Click Next and then click Finish to complete the wizard.

    7. Run the Compliance Job with the Auto-discovery check box selected against the ppc64le platform to list the compliant and non-compliant servers.

    8. If the Compliance Job identifies any non-compliant servers, run the Remediation Job to make them compliant.

    9. Verify that Live Browse of Unix Groups and Unix Users displays all the required values from the compliant servers.

Applying the hotfix to the RSCD Agents installed on Application Servers and Repeaters

Depending on the platform, use the instructions described in one of the following tabs:

    1. Download and extract the RSCD_SecurityFixes_<version>_HF.zip file to a temporary directory.

      The extracted directory contains TSSA<version>-RSCDAgents.zip file and the Windows_Appserver directory.

    2. Use one of the following methods to upgrade the RSCD Agent on the Windows Application Server or Windows Repeater:

    3. If you haven't applied the Rolling Update for version 21.3 already and you want support for Windows Server 2022, do the following steps:

      1. Copy and extract the /tmp/RSCD_SecurityFixes_<version>_HF /Windows_Appserver/RU2.zip file to temporary directory (for example /tmp1) on the Application Server.

      2. From the RU2 directory, execute the rollingUpdateInstaller.sh script by using the following command in shell terminal:

        nsh rollingUpdateInstaller.nsh

        The following message is displayed when the installation completes successfully and the logs also generated in same location:

        #### Rolling Update Completed Successfully #### 

      3. Repeat the steps a to c on every Application Server one by one.

        Warning

        Do not execute the steps on all Application Servers parallelly.

    4. If any of the Configuration Objects (COs) are missing after upgrade, distribute the COs again. For more information, see Creating or modifying Distribute Configuration Objects Jobs.
    1. Download and extract the RSCD_SecurityFixes_<version>_HF.zip file to a temporary directory.

      The extracted directory contains TSSA<version>-RSCDAgents.zip file and the Linux_Appserver directory.

    2. Do the following steps to upgrade the RSCD Agent on an Application Server:

      1. Copy and extract the /tmp/RSCD_SecurityFixes_<version>_HF/Linux_Appserver/RU2.zip file to temporary directory (for example /tmp1) on the Application Server.

      2. From the RU2 directory, execute the rollingUpdateInstaller.sh script by using the following command in shell terminal:

        sh rollingUpdateInstaller.sh

        The following message is displayed when the installation completes successfully and the logs also generated in same location.

        #### Rolling Update Completed Successfully #### 

      3. Repeat the steps a to c on every Application Server one by one.

        Warning

        Do not execute the steps on all Application Servers parallelly.

    3. If any of the Configuration Objects (COs) are missing after upgrade, distribute the COs again. For more information, see Creating or modifying Distribute Configuration Objects Jobs.


    Replacing the Patch Downloader Utility for Microsoft Windows

    If you haven't applied Rolling Update 1 for version 21.3 and planning to download Windows Server 2022 patches and bulletins, replace the existing utility with the utility bundled in the hotfix after you update the RSCD Agents.

    Before you begin

    Back up the configuration file that you had prepared for the existing utility.

    To replace the existing utility

    1. Extract RSCD_SecurityFixes_<version>_HF.zip to a temporary directory. The extracted directory contains the following files: 

      • Windows_Appserver\All-OS-Patch-Downloaders-linux-build-<version>.tar.gz  

      • Linux_Appserver\All-OS-Patch-Downloaders-windows-build-<version>.zip

    2. Depending on the platform, extract the compressed files:

      • (Windows) Extract the ZIP files using a file compression utility.

      • (Linux) Run the following command: tar  -xvf All-OS-Patch-Downloaders-<platform>-<build>-<version>.tar.gz

    3. (Linux only) Grant the permission to modify the extracted files: chmod -R 777 All-OS-Patch-Downloaders-<platform>-<build>-<version>

    4. Depending on the platform, use the instructions in the following topics to set up the utility.
      While preparing the configuration file for a platform, use the backed up configuration file as a reference.

    5. Add the following subscription tag in the sample-windows-downloader-config.xml file:

      <subscription>
        <products>
          <include-product>
            <product-category>Microsoft Windows Server 2022</product-category>
            <product-category-language>English</product-category-language>
          </include-product>
        </products>
      </subscription>

      -Patch-Downloades-windows-build-21.3.00.zi

    Was this page helpful? Yes No Submitting... Thank you

    Comments

    1. Pekka Tiittanen

      Process spawner seems to die during the fix installation on linux application servers and it has to be restarted manually after applying this fix.

      Apr 03, 2022 04:01
      1. Vignesh Kannan

        Hello Pekka Tittanen, We appreciate you bringing this to our attention. Our R&D team has discussed the issue and it will be addressed in upcoming hotfixes. Please keep in mind that future plans may change and we cannot provide specific details or timelines. For product enhancements, we suggest opening a support case and sharing your ideas on the TrueSight Server Automation BMC communities page: https://community.bmc.com/s/topic/0TO3n000000WJV0GAO/truesight-server-automation

        Regards, Vignesh K

        Jul 09, 2023 12:08