Skip to Content
Information
Space banner This version of the product is in limited support. However, the documentation is available for your convenience. You will not be able to leave comments.

Mitigating the Apache Log4j vulnerabilities CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105

BMC Software is alerting users to the Log4j vulnerabilities that require immediate attention in versions 20.02, 20.02.01, 20.02.02, and 20.02.03 of TrueSight Network Automation.

If you have any questions about the issue, contact Customer Support.

December 23, 2021


Issue

A zero-day exploit for the following vulnerabilities was publicly released: 

  • CVE-2021-44228 (code named Log4Shell) on December 9th, 2021
  • CVE-2021-45046 on December 14th, 2021
  • CVE-2021-45105 on December 18th, 2021

A detailed description of the vulnerabilities can be found here: Apache Log4j Security Vulnerabilities.

Please follow the BMC Security Advisory Note on BMC Community for continuous updates and details about this issue.

Resolution

To mitigate the vulnerabilities, download the hotfix required for your platform from the Patches tab of the following EPD website page and apply the hotfix using the instructions provided in the procedures below. Access to the EPD website requires that you provide your BMC Support credentials. You might also be prompted to complete the Export Compliance Form.

Version

Component

EPD download Link

Item name

File name

sha256 checksum

20.02.00

Application Server, Remote Device Agent


TrueSight Network Automation 20.02.00 (64-bit) Log4J Hotfix Version 1

tsna-20.02.00-hotfix48.zip

91475a8e37a3832094c5b675a5d88164e2c78c9fa4ff5d1044a9e2f97145bff0


Multi-Server Administration


TrueSight Network Automation - Multi-Server Administration 20.02.00 (64-bit) Log4J Hotfix Version 1

msa-20.02.00-hotfix.zip

b3d8973c5156edcc1e599465a1533a2386f390154b4c95969f774ee3c64db3be

20.02.01

Application Server, Remote Device Agent


TrueSight Network Automation 20.02.01 (64-bit) Log4J Hotfix Version 1

tsna-20.02.01-hotfix18.zip

c6b33c239fc0355f25f994b74fd0e8a80290b093d4f9b8afab10e5786ab9067a


Multi-Server Administration


TrueSight Network Automation - Multi-Server Administration 20.02.01 (64-bit) Log4J Hotfix Version 1

msa-20.02.01-hotfix.zip

d378d929d5094d5fbcb4d6fe20b8123e4c873c634b96575449e26bb0cf4c4cc2

20.02.02

Application Server, Remote Device Agent


TrueSight Network Automation 20.02.02 (64-bit) Log4J Hotfix Version 1

tsna-20.02.02-hotfix21.zip

efd5aa7684b106b5079362b2a43123ac86f7b985b85bf5b52184ac119c48f4f0


Multi-Server Administration


TrueSight Network Automation - Multi-Server Administration 20.02.02 (64-bit) Log4J Hotfix Version 1

msa-20.02.02-hotfix.zip

719682e0d275cc76a0715354093016916426d6af107d2db38982896440783c48

20.02.03

Application Server, Remote Device Agent


TrueSight Network Automation 20.02.03 (64-bit) Log4J Hotfix Version 1

tsna-20.02.03-hotfix6.zip

fbdaa4382c8ab72ce3f1b9aa8191047d3040b0ad10bc6a175ff41b5994acb0f1


Multi-Server Administration


TrueSight Network Automation - Multi-Server Administration 20.02.03 (64-bit) Log4J Hotfix Version 1

msa-20.02.03-hotfix.zip

01447ade5d4883dd7f1acffcc108aaefa25018061d30c784385541f7eefd977f

Applying the hotfix on Windows

Apply the hotfix in the following sequence:

  1. TrueSight Network Automation application server
  2. TrueSight Network Automation remote device agent
  3. TrueSight Network Automation Multi-Server Administration

Step 1: Applying the hotfix on the application server (Windows)

Use the instructions in this section to apply the hotfix on the application server. 

Before you begin

Before you start applying the hotfix, do the following:

  1. Backup the TrueSight Network Automation database.
  2. Back up the <BCAN_HOME>\tomcat\webapps\bca-networks.war file outside the <BCAN_HOME>\tomcat\webapps directory.
  3. Back up the <BCAN_HOME>\public\bmc\bca-networks\extras\bcan-eol-external-utility-<version>.zip outside the <BCAN_HOME> directory.
  4. Back up the <BCAN_DATA>\endorsed directory outside the <BCAN_DATA> directory, and delete the contents of the eol, vm, and vsg directories present in the existing endorsed directory.
  5. Extract tsna-<version>-hotfix<number>.zip to a temporary directory on the application server (for example, c:\temp).

To apply the hotfix on the application server

  1. Copy the unzipped war file, bca-networks.war from c:\temp\tsna-<version>-hotfix<number> to the application server.
  2. Stop the TrueSight Network Automation web server service.
  3. Replace the unzipped bca-networks.war file in the <BCAN_HOME>\tomcat\webapps directory with the bca-networks.war file in the c:\temp\tsna-<version>-hotfix<number> directory.
  4. Delete the existing bca-networks directory from the <BCAN_HOME>\tomcat\webapps directory.
    This directory will be recreated after you restart the TrueSight Network Automation web server service in step 9.
  5. Navigate to the <BCAN_HOME>\tools directory and run the following script: upgrade_db.bat
  6. Copy and extract the eol, vm, and vsg utility files:
    1. Copy and extract the bcan-eol-utility-<version>.zip file from c:\temp\tsna-<version>-hotfix<number> under the <BCAN_DATA>\endorsed\eol directory.
    2. Copy and extract the bcan-vm-utility-<version>.zip file from c:\temp\tsna-<version>-hotfix<number> under the <BCAN_DATA>\endorsed\vm directory.
    3. Copy and extract the bcan-vsg-utility-<version>.zip file from c:\temp\tsna-<version>-hotfix<number> under the <BCAN_DATA>\endorsed\vsg directory.
  7. Replace the <BCAN_HOME>\public\bmc\bca-networks\extras\bcan-eol-external-utility-<version>.zip file with the c:\temp\tsna-<version>-hotfix<number>\bcan-eol-external-utility-<version>.zip file.
  8. Copy the *.[bat|sh] file from the backed up endorsed directory to the eol, vm, and vsg directories that you extracted in step 6.
  9. Start the TrueSight Network Automation web server service.

Step 2: Applying the hotfix on a remote device agent (Windows)

Use the instructions in this section to apply the hotfix on a remote device agent. 

To apply the hotfix on a remote decide agent

  1. Stop the BCA-Networks Agent service on the remote device agent.
  2. (Applicable only for version 20.02.00, for other versions skip to step 3) Replace the bcan-shared-20.02.00-SNAPSHOT.jar on the remote device agent with the file from the application server:
    1. On the remote device agent computer, navigate to the <BCAN_AGENT>\installed\lib directory, and rename the bcan-shared-20.02.00.jar file to bcan-shared-20.02.00.jar.ORIG and move the renamed file outside of the <BCAN_AGENT>\installed\lib directory.
    2. On the application server, navigate to the <BCAN_HOME>\tomcat\webapps\bca-networks\WEB-INF\lib directory, and copy the bcan-shared-20.02.00-SNAPSHOT.jar file.
    3. On the remote device agent computer, navigate to the <BCAN_AGENT>\installed\lib directory and paste the bcan-shared-20.02.00-SNAPSHOT.jar file that you copied in step 2(b).
    4. Rename bcan-shared-20.02.00-SNAPSHOT.jar to bcan-shared-20.02.00.jar.
  3. Navigate to the <BCAN_AGENT>\imported\lib directory and delete the log4j-core-2.xx.x.jar and log4j-api-2.xx.x.jar files.
  4. Start the BCA-Networks Agent service.
  5. Log in to the TrueSight Network Automation console, and click Admin > Network Admin > Device Agents.
  6. Disable the remote device agent by clearing the checkbox for it and then select the checkbox again to enable it.
  7. Once the status of the remote device agent changes to Ready, verify that the log4j-api-2.17.0.jar and log4j-core-2.17.0.jar files are present in the <BCAN_AGENT_DIR>\imported\lib directory.

Step 3: Applying the hotfix on Multi-Server Administration (Windows)

Use the instructions in this section to apply the hotfix on Multi-Server Administration.

Before you begin

  1. Navigate to the <MSA_HOME>\tomcat\webapps directory and backup the bca-networks-msa.war file outside the <MSA_HOME> directory.
  2. Extract the tsna-<version>-hotfix<number>.zip to a temporary directory on the Multi-Server Administration server (for example, c:\temp). The extracted directory contains the msa-<version>-hotfix.zip file.

To apply the hotfix on Multi-Server Administration

  1. Extract the msa-<version>-hotfix.zip file to the c:\temp\tsna-<version>-hotfix<number> directory on the Multi-Server Administration server.
  2. Stop the TrueSight Network Automation – Multi-Server Administration Web Server service.
  3. From the existing <MSA_HOME>\tomcat\webapps directory, delete the bca-networks-msa.war file and the bca-networks-msa directory.
    The bca-networks-msa directory will be created again when you restart the service in step 5.
  1. Copy the bca-networks-msa.war file from the c:\temp\tsna-<version>-hotfix<number>\msa-<version>-hotfix directory to the <MSA_HOME>\tomcat\webapps directory.
  2. Start the TrueSight Network Automation – Multi-Server Administration Web Server service.

Applying the hotfix on Linux

Apply the hotfix in the following sequence:

  1. TrueSight Network Automation Application server
  2. TrueSight Network Automation remote device agent
  3. TrueSight Network Automation Multi-Server Administration
Warning

IMPORTANT

In the following procedures, when you replace a file or directory, ensure that the permissions and ownership on the replaced file or directory are the same as the original file or directory.

Step 1: Applying the hotfix on the application server on (Linux)

Use the instructions in this section to apply the hotfix on the application server. 

Before you begin

Before you apply the hotfix, do the following:

  1. Backup the TrueSight Network Automation database.
  2. Navigate to the <BCAN_HOME>/tomcat/webapps directory and create a copy of the bca-networks.war file by using the following command:
    cp bca-networks.war bcan-networks.war.ORIG
  3. Move the bcan-networks.war.ORIG file outside the <BCAN_HOME>/tomcat/webapps directory.
  4. Back up the <BCAN_HOME>/public/bmc/bca-networks/extras/bcan-eol-external-utility-<version>.zip outside the <BCAN_HOME> directory.
  5. Back up the <BCAN_DATA>/endorsed directory to outside the <BCAN_DATA> directory, and delete the contents of the eol, vm, and vsg directories present in the existing endorsed directory.
  6. Extract the tsna-<version>-hotfix<number>.zip to a temporary directory on the application server (for example, /tmp).

To apply the hotfix on the application server

  1. Copy the unzipped war file, bca-networks.war from /tmp/tsna-<version>-hotfix<version> to the application server.
  2. Run the following command to stop the TrueSight Network Automation web server service: /etc/init.d/enatomcat stop
  3. Copy the bca-networks.war file from the /tmp/tsna-<version>-hotfix<number> directory to the <BCAN_HOME>/tomcat/webapps directory.
  4. Delete the existing bca-networks directory from the <BCAN_HOME>/tomcat/webapps directory.
    This directory will be recreated after you restart the TrueSight Network Automation web server service in step 9.
  5. Navigate to the <BCAN_HOME>/tools directory and run the following script: upgrade_db.sh
  6. Copy and extract the eol, vm, and vsg utility files:
    1. Copy and extract the bcan-eol-utility-<version>.zip file from tmp/tsna-<version>-hotfix<number> under the <BCAN_DATA>/endorsed/eol directory.
    2. Copy and extract the bcan-vm-utility-<version>.zip file from tmp/tsna-<version>-hotfix<number> under the <BCAN_DATA>/endorsed/vm directory.
    3. Copy and extract the bcan-vsg-utility-<version>.zip file from tmp/tsna-<version>-hotfix<number> under the <BCAN_DATA>/endorsed/vsg directory.
  7. Replace the <BCAN_HOME>/public/bmc/bca-networks/extras/bcan-eol-external-utility-<version>.zip file with the /tmp/tsna-<version>-hotfix<number>/bcan-eol-external-utility-<version>.zip file.
  8. Copy the *.[bat|sh] file from the backed up endorsed directory to the eol, vm, and vsg directories that you extracted in the step 6.
  9. Run the following command to start the TrueSight Network Automation web server service: /etc/init.d/enatomcat start

Step 2: Applying the hotfix on a remote device agent (Linux)

Use the instructions in this section to apply the hotfix on a remote device agent.

To apply the hotfix on a remote decide agent

  1. Run the following command to stop the BCA-Networks Agent service service: /etc/init.d/bcanagent stop
  2. (Applicable only for version 20.02.00, for other versions skip to step 3) Replace the bcan-shared-20.02.00-SNAPSHOT.jar on the remote device agent with the file from the application server:
    1. On the remote device agent computer, navigate to the <BCAN_AGENT>/installed/lib directory, and rename the bcan-shared-20.02.00.jar file to bcan-shared-20.02.00.jar.ORIG and move the renamed file outside the <BCAN_AGENT>/installed/lib directory.
    2. On the application server, navigate to the <BCAN_HOME>/tomcat/webapps/bca-networks/WEB-INF/lib directory, and copy the bcan-shared-20.02.00-SNAPSHOT.jar file.
    3. On the remote device agent computer, navigate to the <BCAN_AGENT>/installed/lib directory and paste the bcan-shared-20.02.00-SNAPSHOT.jar file that you copied in step 2(b).
    4. Rename the bcan-shared-20.02.00-SNAPSHOT.jar to bcan-shared-20.02.00.jar.
  3. Navigate to the <BCAN_AGENT>/imported/lib directory and delete the log4j-core-2.xx.x.jar and log4j-api-2.xx.x.jar files.
  4. Run the following command to start the BCA-Networks Agent service service: /etc/init.d/bcanagent start
  5. Log in to the TrueSight Network Automation console, and click Admin > Network Admin > Device Agents.
  6. Disable the remote device agent by clearing the check box for it and then select the check box again to enable it.
  7. Once the status of the remote device agent changes to Ready, verify that the log4j-api-2.17.0.jar and log4j-core-2.17.0.jar files are present in the <BCAN_AGENT>/imported/lib directory.

Step 3: Applying the hotfix on Multi-Server Administration (Linux)

Use the instructions in this section to apply the hotfix on Multi-Server Administration. 

Before you begin

  1. Navigate to the <MSA_HOME>/tomcat/webapps directory and backup the bca-networks-msa.war file outside the <MSA_HOME> directory.
  2. Extract the msa-<version>-hotfix.zip to a temporary directory on the Multi-Server Administration server (for example, /tmp).

To apply the hotfix on Multi-Server Administration

  1. Run the following command to stop the TrueSight Network Automation – Multi-Server Administration Web Server service: /etc/init.d/msatomcat stop
  2. From the existing <MSA_HOME>/tomcat/webapps directory, delete the bca-networks-msa.war file and the bca-networks-msa directory.
    The bca-networks-msa directory will be created again when you restart the service in step 5.
  3. Copy the bca-networks-msa.war file from the tmp/hotfix<number>/msa-<version>-hotfix directory to the <MSA_HOME>/tomcat/webapps directory.
  4. Run the following command to start the TrueSight Network Automation – Multi-Server Administration Web Server service: /etc/init.d/msatomcat start

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*

TrueSight Network Automation 20.02