Notification of RSCD Agent security issues in TrueSight Server Automation


BMC Software is alerting users to security issues in the RSCD Agents on all platforms of TrueSight Server Automation version 21.3.

If you have any questions about the issue, contact Customer Support.

Last updated: July 15, 2022


Issues

The following RSCD Agent security issues and other low severity issues have been addressed in this hotfix:

  Severity   Affected RSCD Agents           Issue
  High       Windows and UNIX RSCD Agents   Local privilege escalation
  Medium     Windows RSCD Agents            On a Windows domain controller, the BladeLogicRSCDDC user is assigned a default password.

We recommend that you immediately apply the hotfix as described in this topic.

Resolution

Download the hotfix required for your platform from the Patches tab of the following EPD website page and apply the hotfix. You must provide your BMC Support credentials to access the EPD website. You might also be prompted to complete the Export Compliance form.

EPD Download Link

  Item name:     TSSA 21.3.00 Server Automation [x64] RSCD Agent Hotfix
  File name:     RSCD_SecurityFixes_21-3_HF_V2.zip
  md5 checksum:  38b4a3bf3a4515b6c38a50a76b26fceb
  Build number:  21.3.00.63

Important

  • This security hotfix is cumulative of the Rolling-Update-1-for-version-21-3, which adds support for Windows Server 2022.
  • The existing file, RSCD_SecurityFixes_<version>HF.zip has been removed from EPD on July 15, 2022, and replaced with a new file, RSCD_SecurityFixes_<version>HF_V2.zip.
  • Ignore the new file if you have applied the earlier fix by using RSCD_SecurityFixes_<version>HF.zip and the build number is 21.3.00.63.


Applying the hotfix

Depending on your requirements, apply the hotfix as described in the following sections:

Applying the hotfix to the standalone RSCD Agents

Upgrade the existing standalone RSCD Agents, or install new ones.

Upgrading an existing RSCD Agent that is installed on a target server

Before you begin

Before upgrading an RSCD Agent on Windows domain controllers, ensure that the following prerequisites are met on each domain controller:

  • Change the BladeLogicRSCDDC password as per your company's password policies by using the chapw command. For instructions on changing the password, see Changing-the-BladeLogicRSCDDC-account-password-on-domain-controllers.
  • Ensure that Administrators do not have the Delete permission on the HKEY_LOCAL_MACHINE\SAM\SAM node in the Windows Registry. By default, Administrators have the Read Control and Write DAC registry access permissions.
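One way to check the second prerequisite before upgrading, as an added example that is not BMC's code: this PowerShell function reads the DACL of HKEY_LOCAL_MACHINE\SAM\SAM using only the READ_CONTROL right that Administrators hold by default, and reports whether BUILTIN\Administrators (well-known SID S-1-5-32-544) is allowed Delete, either directly or through FullControl. The function name is my own; run it in an elevated session on each domain controller.

```powershell
# Added example, not part of the BMC hotfix: audit the DACL on
# HKEY_LOCAL_MACHINE\SAM\SAM for the Delete right on BUILTIN\Administrators.
# Returns $true when the prerequisite is met (no Delete), $false otherwise.
function Test-SamKeyAdminDeleteAbsent {
    $adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

    # Open the key requesting only ReadPermissions (READ_CONTROL). A normal
    # read of this key is denied to Administrators, but READ_CONTROL is
    # granted by default, so this open succeeds from an elevated session.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        'SAM\SAM',
        [Microsoft.Win32.RegistryKeyPermissionCheck]::Default,
        [System.Security.AccessControl.RegistryRights]::ReadPermissions)
    if ($null -eq $key) { throw 'Unable to open HKLM\SAM\SAM (run elevated).' }

    try {
        # Only the DACL is needed; requesting just the Access section keeps
        # the required right at READ_CONTROL.
        $acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

        $deleteBit = [System.Security.AccessControl.RegistryRights]::Delete
        $compliant = $true
        foreach ($rule in $rules) {
            if ($rule.IdentityReference.Value -ne $adminSid) { continue }
            if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }

            Write-Host ("Administrators allow entry: {0}" -f $rule.RegistryRights)
            # Bitwise test so that FullControl (which includes Delete) is caught too.
            if (([int]($rule.RegistryRights -band $deleteBit)) -ne 0) {
                Write-Warning 'Administrators hold Delete on HKLM\SAM\SAM; remove it before upgrading.'
                $compliant = $false
            }
        }
        return $compliant
    }
    finally {
        $key.Close()
    }
}

# Usage on a domain controller (elevated session):
# Test-SamKeyAdminDeleteAbsent
```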

To upgrade an existing RSCD Agent that is installed on a target server

  1. Download and extract the RSCD_SecurityFixes_<version>_HF.zip file to a temporary directory.

    The extracted directory contains the TSSA<version>-RSCDAgents.zip file.

  2. Extract the TSSA<version>-RSCDAgents.zip file.

    The extracted directory contains the RSCD Agent installers (RSCD<version>-<platform>).

  3. Use one of the following methods to upgrade the RSCD Agent:
  4. If you have RSCD Agents on ppc64le platform, do the following steps:
    1. Download and extract the RSCD_SecurityFixes_<version>_HF.zip file to a temporary directory on a target server or the server where the TrueSight Server Automation Console (RCP Client) is installed.

      The extracted directory contains the PPC64LE_CT directory, which contains the version-neutral RSCDSECHF_LINPPC64LE.zip component templates file.

    2. In the TrueSight Server Automation console, right-click Component Templates, and select Import.
    3. Select Import(Version-neutral) as the import mode.
    4. Browse to the RSCDSECHF_LINPPC64LE.zip file.
    5. Click Import.
    6. Click Next and then click Finish to complete the wizard.
    7. Run the Compliance Job with the Auto-discovery check box selected against the ppc64le platform to list the compliant and non-compliant servers.
    8. If the Compliance Job identifies any non-compliant servers, run the Remediation Job to make them compliant.
    9. Verify that Live Browse of Unix Groups and Unix Users displays all the required values from the compliant servers.
  5. If any of the Configuration Objects (COs) are missing after upgrade, distribute the COs again. For more information, see Creating-or-modifying-Distribute-Configuration-Objects-Jobs.

Installing (fresh) an RSCD Agent on a target server

  1. Download and extract the RSCD_SecurityFixes_<version>_HF.zip file to a temporary directory.

    The extracted directory contains TSSA<version>-RSCDAgents.zip.

  2. Extract the TSSA<version>-RSCDAgents.zip file.

    The extracted directory contains the RSCD Agent installers (RSCD<version>-<platform>).

  3. Use one of the following methods to install the RSCD Agent:
  4. If you have RSCD Agents on ppc64le platform, do the following steps:
    1. Download and extract the RSCD_SecurityFixes_<version>_HF.zip file to a temporary directory on a target server or the server where the TrueSight Server Automation Console (RCP Client) is installed.

      The extracted directory contains the PPC64LE_CT directory, which contains the version-neutral RSCDSECHF_LINPPC64LE.zip component templates file.

    2. In the TrueSight Server Automation console, right-click Component Templates, and select Import.
    3. Select Import(Version-neutral) as the import mode.
    4. Browse to the RSCDSECHF_LINPPC64LE.zip file.
    5. Click Import.
    6. Click Next and then click Finish to complete the wizard.
    7. Run the Compliance Job with the Auto-discovery check box selected against the ppc64le platform to list the compliant and non-compliant servers.
    8. If the Compliance Job identifies any non-compliant servers, run the Remediation Job to make them compliant.
    9. Verify that Live Browse of Unix Groups and Unix Users displays all the required values from the compliant servers.

Applying the hotfix to the RSCD Agents installed on Application Servers and Repeaters

Depending on the platform, use the instructions in one of the following sections (Windows first, then Linux):

Windows Application Server or Repeater

  1. Download and extract the RSCD_SecurityFixes_<version>_HF.zip file to a temporary directory.

    The extracted directory contains TSSA<version>-RSCDAgents.zip file and the Windows_Appserver directory.

  2. Use one of the following methods to upgrade the RSCD Agent on the Windows Application Server or Windows Repeater:
  3. If you haven't applied the Rolling Update for version 21.3 already and you want support for Windows Server 2022, do the following steps:
    1. Copy and extract the /tmp/RSCD_SecurityFixes_<version>_HF/Windows_Appserver/RU2.zip file to a temporary directory (for example, /tmp1) on the Application Server.
    2. From the RU2 directory, run the rolling update installer by using the following command in a shell terminal:

      nsh rollingUpdateInstaller.nsh

      The following message is displayed when the installation completes successfully; the logs are also generated in the same location:

      #### Rolling Update Completed Successfully #### 

    3. Repeat sub-steps 1 to 3 on every Application Server, one at a time.

      Warning

      Do not execute the steps on all Application Servers in parallel.

  4. If any of the Configuration Objects (COs) are missing after upgrade, distribute the COs again. For more information, see Creating-or-modifying-Distribute-Configuration-Objects-Jobs.
Linux Application Server

  1. Download and extract the RSCD_SecurityFixes_<version>_HF.zip file to a temporary directory.

    The extracted directory contains TSSA<version>-RSCDAgents.zip file and the Linux_Appserver directory.

  2. Do the following steps to upgrade the RSCD Agent on an Application Server:
    1. Copy and extract the /tmp/RSCD_SecurityFixes_<version>_HF/Linux_Appserver/RU2.zip file to a temporary directory (for example, /tmp1) on the Application Server.
    2. From the RU2 directory, execute the rollingUpdateInstaller.sh script by using the following command in a shell terminal:

      sh rollingUpdateInstaller.sh

      The following message is displayed when the installation completes successfully; the logs are also generated in the same location:

      #### Rolling Update Completed Successfully #### 

    3. Repeat sub-steps 1 to 3 on every Application Server, one at a time.

      Warning

      Do not execute the steps on all Application Servers in parallel.

  3. If any of the Configuration Objects (COs) are missing after upgrade, distribute the COs again. For more information, see Creating-or-modifying-Distribute-Configuration-Objects-Jobs.


Replacing the Patch Downloader Utility for Microsoft Windows

If you have not applied Rolling-Update-1-for-version-21-3 and are planning to download Windows Server 2022 patches and bulletins, replace the existing utility with the utility bundled in the hotfix after you update the RSCD Agents.

Before you begin

Back up the configuration file that you had prepared for the existing utility.

To replace the existing utility

  1. Extract RSCD_SecurityFixes_<version>_HF.zip to a temporary directory. The extracted directory contains the following files: 
    • Windows_Appserver\All-OS-Patch-Downloaders-linux-build-<version>.tar.gz  
    • Linux_Appserver\All-OS-Patch-Downloaders-windows-build-<version>.zip
  2. Depending on the platform, extract the compressed files:
    • (Windows) Extract the ZIP files using a file compression utility.
    • (Linux) Run the following command: tar -xvf All-OS-Patch-Downloaders-<platform>-<build>-<version>.tar.gz
  3. (Linux only) Grant the permission to modify the extracted files: chmod -R 777 All-OS-Patch-Downloaders-<platform>-<build>-<version>
  4. Depending on the platform (Linux or Windows), use the instructions in the corresponding setup topic to set up the utility.
    While preparing the configuration file for a platform, use the backed up configuration file as a reference.

  5. Add the following subscription tag in the sample-windows-downloader-config.xml file:

    <subscription>
      <products>
        <include-product>
          <product-category>Microsoft Windows Server 2022</product-category>
          <product-category-language>English</product-category-language>
        </include-product>
      </products>
    </subscription>
