RSCD Agent security vulnerability R2


BMC Software is alerting users to security vulnerabilities in RSCD Agents on all platforms in version 21.3 of TrueSight Server Automation.

If you have any questions about these vulnerabilities, contact Customer Support.

December 5, 2022


Issues

The following RSCD Agent security vulnerabilities have been addressed in this hotfix:

  • Severity: High
  • Affected RSCD Agents: Windows and UNIX RSCD Agents
  • Issues: These previously fixed vulnerabilities were reintroduced in product version 21.3. This hotfix provides a fix for them.

We recommend that you immediately apply the hotfix as described in this topic.


Resolution

Download the hotfix required for your platform from the Patches tab of the following EPD website page and apply the hotfix. You must provide your BMC Support credentials to access the EPD website. You might also be prompted to complete the Export Compliance form.

EPD Download Link

  • Item name: TSSA 21.3.00 Server Automation [x64] RSCD Agent Hotfix 2
  • File name: RSCD_SecurityFixes_21-3_HF2_V1.zip
  • md5 checksum: 3cb359c974a0947940d874139194ecd7
  • Build number: 21.3.00.65

Important

When you apply this hotfix, the following files are replaced:

  • bladelogic_infra.jar
  • bladelogic_patch.jar
  • support-files-1.0-SNAPSHOT.jar

If you have applied any other RU or hotfix to your existing environment, contact BMC Customer Support before you apply the current hotfix. 

Applying the hotfix

Depending on your requirements, apply the hotfix as described in the following sections:

Applying the hotfix to the standalone RSCD Agents

Either upgrade the existing standalone RSCD Agents or perform a fresh installation.

Upgrading an existing RSCD Agent that is installed on a target server

  1. Download and extract the RSCD_SecurityFixes_<version>_HF2_V1.zip file to a temporary directory.

    The extracted directory contains the TSSA<version>-RSCDAgents.zip file.

  2. Extract the TSSA<version>-RSCDAgents.zip file.

    The extracted directory contains the RSCD Agent installers (RSCD<version>-<platform>).

  3. Use one of the following methods to upgrade the RSCD Agent:
  4. If any of the Configuration Objects (COs) are missing after upgrade, distribute the COs again. For more information, see Creating-or-modifying-Distribute-Configuration-Objects-Jobs.

Installing (fresh) an RSCD Agent on a target server

  1. Download and extract the RSCD_SecurityFixes_<version>_HF2_V1.zip file to a temporary directory.

    The extracted directory contains TSSA<version>-RSCDAgents.zip.

  2. Extract the TSSA<version>-RSCDAgents.zip file.

    The extracted directory contains the RSCD Agent installers (RSCD<version>-<platform>).

  3. Use one of the following methods to install the RSCD Agent:

Applying the hotfix to the RSCD Agents installed on Application Servers and Repeaters

Depending on the platform, use the instructions described in one of the following tabs:

Windows

  1. Download and extract the RSCD_SecurityFixes_<version>_HF2_V1.zip file to a temporary directory.

    The extracted directory contains TSSA<version>-RSCDAgents.zip.

  2. Extract the TSSA<version>-RSCDAgents.zip file.

    The extracted directory contains the RSCD Agent installers (TSSA<version>-RSCDAgents/rscd/windows_64).

  3. Use one of the following methods to upgrade the RSCD Agent on the Windows Application Server or Windows Repeater:
  4. If you haven't applied the Rolling Update 2 for version 21.3 already and you want support for Windows Server 2022, do the following steps:
    a. Copy and extract the /tmp/RSCD_SecurityFixes_<version>_HF/Windows_Appserver/RU3.zip file to a temporary directory (for example, /tmp1) on the Application Server.
    b. From the RU3 directory, execute the rollingUpdateInstaller.sh script by using the following command in a shell terminal:

      nsh rollingUpdateInstaller.nsh

      The following message is displayed when the installation completes successfully, and the logs are also generated in the same location:

      #### Rolling Update Completed Successfully ####

    c. Repeat the steps a to c on every Application Server one by one.

      Warning: Do not execute the steps on all Application Servers in parallel.

  5. Validate the RSCD Agent version in the TSSA_INSTALL_DIR/Version file. Modify the version to 21.3.00.65 if it is not updated.
  6. If any of the Configuration Objects (COs) are missing after upgrade, distribute the COs again. For more information, see Creating-or-modifying-Distribute-Configuration-Objects-Jobs.

Linux

  1. Download and extract the RSCD_SecurityFixes_<version>_HF2_V1.zip file to a temporary directory.

    The extracted directory contains the TSSA<version>-RSCDAgents.zip file and the Linux_Appserver_NSH directory.

  2. Do the following steps to upgrade the RSCD Agent on an Application Server:
    a. Copy and extract the /tmp/RSCD_SecurityFixes_<version>_HF2_V1/Linux_Appserver_NSH/RU3.zip file to a temporary directory (for example, /tmp1) on the Application Server.
    b. From the RU3 directory, execute the rollingUpdateInstaller.sh script by using the following command in a shell terminal:

      sh rollingUpdateInstaller.sh

      The following message is displayed when the installation completes successfully, and the logs are also generated in the same location:

      #### Rolling Update Completed Successfully ####

    c. Repeat the steps a to c on every Application Server one by one.

      Warning: Do not execute the steps on all Application Servers in parallel.

  3. If any of the Configuration Objects (COs) are missing after upgrade, distribute the COs again. For more information, see Creating-or-modifying-Distribute-Configuration-Objects-Jobs.
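
The download table and the version validation step above can be turned into two scripted checks. The following is an added example, not BMC's own tooling: it uses the file name, md5 checksum and build number published on this page, and it assumes that the Version file contains the build string verbatim on one of its lines. The md5 comparison catches a corrupted or incomplete download; it is not a substitute for obtaining the file from the authenticated EPD site.

```shell
#!/bin/sh
# Added example (not BMC tooling): integrity check before applying the hotfix
# and build check afterwards. Values below come from the page's download table.
HOTFIX_ZIP="RSCD_SecurityFixes_21-3_HF2_V1.zip"
HOTFIX_MD5="3cb359c974a0947940d874139194ecd7"
HOTFIX_BUILD="21.3.00.65"

# Print the lowercase MD5 hex digest of a file
# (md5sum on Linux, md5 -q on BSD/macOS).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi | tr 'A-F' 'a-f'
}

# Return 0 only if the file exists and its digest equals the published value.
# Return 2 if the file is missing, 1 on a digest mismatch.
verify_md5() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    actual=$(file_md5 "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "MD5 mismatch for $1: got $actual, expected $expected" >&2
        return 1
    fi
    return 0
}

# Return 0 if the Version file reports the expected build.
# Assumption: the build string appears verbatim on some line of the file.
# -w rejects near misses such as 21.3.00.650.
check_agent_version() {
    [ -r "$1" ] || { echo "cannot read: $1" >&2; return 2; }
    grep -Fqw -- "$2" "$1"
}

# Typical use, run on one Application Server at a time:
#   verify_md5 "$HOTFIX_ZIP" "$HOTFIX_MD5" || exit 1      # before extracting
#   check_agent_version "$TSSA_INSTALL_DIR/Version" "$HOTFIX_BUILD" \
#       || echo "agent build not at $HOTFIX_BUILD" >&2    # after applying
```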

Replacing the Patch Downloader Utility for Microsoft Windows

If you haven't applied Rolling Update 2 for version 21.3 and plan to download Windows Server 2022 patches and bulletins, replace the existing utility with the utility bundled in the hotfix after you update the RSCD Agents.

Before you begin

Back up the configuration file that you had prepared for the existing utility.

To replace the existing utility

  1. Extract RSCD_SecurityFixes_<version>_HF2_V1.zip to a temporary directory. The extracted directory contains the following files:
    • Windows_Appserver\All-OS-Patch-Downloaders-windows-<build>-<version>.zip 
    • Linux_Appserver_NSH\All-OS-Patch-Downloaders-linux-<build>-<version>.tar.gz 
  2. Depending on the platform, extract the compressed files:
    • (Windows) Extract the ZIP files using a file compression utility.
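    • (Linux) Run the following command: tar -xvf All-OS-Patch-Downloaders-<platform>-<build>-<version>.tar.gz
  3. (Linux only) Grant the permission to modify the extracted files: chmod -R 777 All-OS-Patch-Downloaders-<platform>-<build>-<version>
    Mode 777 makes the extracted files writable by every local account on the host, so extract the utility under a parent directory that only the administering account can access.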
  4. Depending on the platform, use the instructions in the following topics to set up the utility.
    While preparing the configuration file for a platform, use the backed up configuration file as a reference.

    Platform

    Topics

    Linux

    Windows

  5. Add the following subscription tag in the sample-windows-downloader-config.xml file:

    <subscription>
      <products>
        <include-product>
          <product-category>Microsoft Windows Server 2022</product-category>
          <product-category-language>English</product-category-language>
        </include-product>
      </products>
    </subscription>
