Notification of RSCD Agent security issues in TrueSight Server Automation


BMC Software is alerting users to security issues in RSCD Agents on all platforms in versions 21.02 and 21.02.01 of TrueSight Server Automation.

If you have any questions about the issue, contact Customer Support.

Last updated: July 15, 2022

Issues

The following RSCD Agent security issues and other low severity issues have been addressed in this hotfix:

| Severity | Affected RSCD Agents | Issue |
|---|---|---|
| High | Windows and UNIX RSCD Agents | Local privilege escalation |
| Medium | Windows RSCD Agents | On a Windows domain controller, the BladeLogicRSCDDC user is assigned a default password. |

We recommend that you immediately apply the hotfix as described in this topic.

Resolution

Download the hotfix required for your platform from the Patches tab of the following EPD website page and apply the hotfix. You must provide your BMC Support credentials to access the EPD website. You might also be prompted to complete the Export Compliance form.

| Version | EPD Download Link | Item name | File name | md5 checksum | Build number |
|---|---|---|---|---|---|
| 21.02 | | TSSA 21.02.00 Server Automation [x64] RSCD Agent Hotfix | RSCD_SecurityFixes_21-02_HF_V2.zip | 82f41619e8f8045807dc7eb81ba322c1 | 21.02.00.169 |
| 21.02.01 | | TSSA 21.02.01 Server Automation [x64] RSCD Agent Hotfix | RSCD_SecurityFixes_21-02-01_HF_V2.zip | b596768a40dc10a4243db13226f7416f | 21.02.01.224 |

Important

  • The existing file, RSCD_SecurityFixes_<version>HF.zip, was removed from EPD on July 15, 2022, and replaced with a new file, RSCD_SecurityFixes_<version>HF_V2.zip.
  • Ignore the new file if you have applied the earlier fix by using RSCD_SecurityFixes_<version>HF.zip and the build number is 21.02.00.169 (21.02) or 21.02.01.224 (21.02.01).
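
As an added example (not part of BMC's documentation), the following shell functions check a downloaded hotfix archive against the md5 values listed in the table above before it is extracted. The function names are illustrative assumptions; MD5 is used because it is the only digest this page publishes.

```shell
#!/bin/sh
# Added example: verify a downloaded RSCD Agent hotfix archive against the
# md5 checksums published on this page. Function names are illustrative.

# Map a hotfix file name to the checksum published in the table.
expected_md5() {
    case "$(basename "$1")" in
        RSCD_SecurityFixes_21-02_HF_V2.zip)    echo 82f41619e8f8045807dc7eb81ba322c1 ;;
        RSCD_SecurityFixes_21-02-01_HF_V2.zip) echo b596768a40dc10a4243db13226f7416f ;;
        *) return 1 ;;   # not a file listed in the table
    esac
}

# Print the lowercase MD5 of a file using whichever tool is installed.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl md5 -r "$1" | awk '{print $1}'
    fi | tr 'A-F' 'a-f'
}

# compare_md5 FILE EXPECTED -> 0 match, 1 mismatch, 2 unreadable file
compare_md5() {
    [ -r "$1" ] || { echo "cannot read: $1" >&2; return 2; }
    actual_sum=$(file_md5 "$1")
    wanted_sum=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$actual_sum" = "$wanted_sum" ]; then
        echo "OK       $1"
    else
        echo "MISMATCH $1 (got $actual_sum, want $wanted_sum)" >&2
        return 1
    fi
}

# verify_hotfix FILE -> as compare_md5, or 3 if FILE is not in the table
verify_hotfix() {
    published=$(expected_md5 "$1") || { echo "no published checksum for: $1" >&2; return 3; }
    compare_md5 "$1" "$published"
}

# When archive paths are given as arguments, stop at the first failure.
for archive in "$@"; do
    verify_hotfix "$archive" || exit 1
done
```

A mismatch or an unlisted file name means the archive should be downloaded again from EPD rather than extracted.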

Applying the hotfix

Depending on your requirements, apply the hotfix as described in the following sections:

Applying the hotfix to the standalone RSCD Agents

Upgrade the existing standalone RSCD Agents or install new ones.

 Upgrading an existing RSCD Agent that is installed on a target server

Before you begin

Before upgrading an RSCD Agent on Windows domain controllers, ensure that the following prerequisites are met on each domain controller:

  • Change the BladeLogicRSCDDC password as per your company's password policies by using the chapw command. For instructions on changing the password, see Changing-the-BladeLogicRSCDDC-account-password-on-domain-controllers.
  • Ensure that Administrators do not have the Delete permission on the HKEY_LOCAL_MACHINE\SAM\SAM node in the Windows Registry. By default, Administrators have the Read Control and Write DAC registry access permissions.


To upgrade an existing RSCD Agent that is installed on a target server

  1. Download and extract the RSCD_SecurityFixes_<version>_HF.zip file to a temporary directory.
    The extracted directory contains TSSA<version>-RSCDAgents.zip.
  2. Extract the TSSA<version>-RSCDAgents.zip file.
    The extracted directory contains the RSCD Agent installers (RSCD<version>-<platform>).
  3. Use one of the following methods to upgrade the RSCD Agent:
  4. If you have RSCD Agents on ppc64le platform, do the following steps:
    1. Download and extract the RSCD_SecurityFixes_<version>_HF.zip file to a temporary directory on a target server or the server where the TrueSight Server Automation Console (RCP Client) is installed.
      The extracted directory contains the PPC64LE_CT directory, which contains the version-neutral RSCDSECHF_LINPPC64LE.zip component templates file.
    2. In the TrueSight Server Automation console, right-click Component Templates, and select Import.
    3. Select Import(Version-neutral) as the import mode. 
    4. Browse to the RSCDSECHF_LINPPC64LE.zip file.
    5. Click Import.
    6. Click Next and then click Finish to complete the wizard.
    7. Run the Compliance Job with the Auto-discovery check box selected against the ppc64le platform to list the compliant and non-compliant servers.
    8. If the Compliance Job identifies any non-compliant servers, run the Remediation Job to make them compliant.
    9. Verify that Live Browse of Unix Groups and Unix Users displays all the required values from the compliant servers.
  5. If any of the Configuration Objects (COs) are missing after upgrade, distribute the COs again. For more information, see Creating-or-modifying-Distribute-Configuration-Objects-Jobs.

 Installing (fresh) an RSCD Agent on a target server

  1. Download and extract the RSCD_SecurityFixes_<version>_HF.zip file to a temporary directory.
    The extracted directory contains TSSA<version>-RSCDAgents.zip.
  2. Extract the TSSA<version>-RSCDAgents.zip file.
    The extracted directory contains the RSCD Agent installers (RSCD<version>-<platform>).
  3. Use one of the following methods to upgrade the RSCD Agent:
  4. If you have RSCD Agents on ppc64le platform, do the following steps:
    1. Download and extract the RSCD_SecurityFixes_<version>_HF.zip file to a temporary directory on a target server or the server where the TrueSight Server Automation Console (RCP Client) is installed.
      The extracted directory contains the PPC64LE_CT directory, which contains the version-neutral RSCDSECHF_LINPPC64LE.zip component templates file.
    2. In the TrueSight Server Automation console, right-click Component Templates, and select Import.
    3. Select Import(Version-neutral) as the import mode. 
    4. Browse to the RSCDSECHF_LINPPC64LE.zip file.
    5. Click Import.
    6. Click Next and then click Finish to complete the wizard.
    7. Run the Compliance Job with the Auto-discovery check box selected against the ppc64le platform to list the compliant and non-compliant servers.
    8. If the Compliance Job identifies any non-compliant servers, run the Remediation Job to make them compliant.
    9. Verify that Live Browse of Unix Groups and Unix Users displays all the required values from the compliant servers.

Applying the hotfix to the RSCD Agents installed on Application Servers and Repeaters

Depending on the platform, use the instructions described in one of the following tabs:

  1. Download and extract the RSCD_SecurityFixes_<version>_HF.zip file to a temporary directory.
    The extracted directory contains TSSA<version>-RSCDAgents.zip file and the Windows_Appserver directory.
  2. Use one of the following methods to upgrade the RSCD Agent on the Windows Application Server or Windows Repeater:
  3. If any of the Configuration Objects (COs) are missing after upgrade, distribute the COs again. For more information, see Creating-or-modifying-Distribute-Configuration-Objects-Jobs.

  1. Download and extract the RSCD_SecurityFixes_<version>_HF.zip file to a temporary directory.
    The extracted directory contains TSSA<version>-RSCDAgents.zip file and the Linux_Appserver directory.
  2. Do the following steps to upgrade the RSCD Agent on an Application Server:
    1. Copy and extract the /tmp/RSCD_SecurityFixes_<version>_HF/Linux_Appserver/RU2.zip file to a temporary directory (for example, /tmp1) on the Application Server.
    2. From the RU2 directory, execute the rollingUpdateInstaller.sh script by using the following command in a shell terminal:

      sh rollingUpdateInstaller.sh

      The following message is displayed when the installation completes successfully, and the logs are also generated in the same location.

      #### Rolling Update Completed Successfully ####

    3. Repeat the steps a to c on every Application Server one by one.

      Warning

      Do not execute the steps on all Application Servers in parallel.

  3. If any of the Configuration Objects (COs) are missing after upgrade, distribute the COs again. For more information, see Creating-or-modifying-Distribute-Configuration-Objects-Jobs.

 
