Information
Important: This space contains documentation for TrueSight Smart Reporting for Server Automation 20.02.01. For earlier releases, see TrueSight Smart Reporting for Server Automation 19.2.

Mitigation for the Apache Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046


BMC Software is alerting users to the Apache Log4j vulnerabilities that require immediate attention in version 20.02.01 of TrueSight Server Automation - Data Warehouse.

If you have any questions about these vulnerabilities, contact Customer Support.

December 19, 2021

Last updated: February 22, 2022


Issue

A zero-day exploit for the following vulnerabilities was publicly released:

  • CVE-2021-44228 (code named Log4Shell) on December 9, 2021
  • CVE-2021-45046 on December 14, 2021
  • CVE-2021-4104 on December 14, 2021
  • CVE-2021-45105 on December 18, 2021
  • CVE-2021-44832 on December 28, 2021

A detailed description of the vulnerabilities can be found here: Apache Log4j Security Vulnerabilities. Please follow the BMC Security Advisory Note on BMC Community for continuous updates and details about this issue.

We recommend that you immediately apply the fix as described in this topic.

Resolution

Download the hotfix required for your platform from the Patches tab of the following EPD website page. You must provide your BMC Support credentials to access the EPD website. You might also be prompted to complete the Export Compliance form.

Important

The existing file, TSSA-DW_LOG4J_<Version>_HF_v2.zip, which fixed CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, CVE-2021-45105, and CVE-2021-44832, has been removed from EPD because it referenced an earlier vulnerable version of Log4j. Use TSSA-DW_LOG4J_<Version>_HF_v3.zip to apply the hotfix that fixes the vulnerabilities listed in the Issue section.

You can apply this hotfix irrespective of whether or not you have applied the previous hotfix.


  • TrueSight Server Automation - Data Warehouse version: 20.02.01
  • Platform: Windows, Linux
  • EPD download link
    • Item name: TrueSight Server Automation - Data Warehouse 20.02.01 Log4JShell Hotfix
    • File name: TSSA-DW_LOG4J_<version>_HF_v3.zip
  • md5 checksum: 3906c81c93eb7b3be7446df2ec136bf1

To apply the hotfix in Windows

  1. Stop the BMC SARA Authentication service.
  2. Stop the TrueSight Server Automation - Data Warehouse Web Server service.
  3. Back up the following files outside the %BDS_HOME% directory:
    • %BDS_HOME%\FileRegistry.xml
    • %BDS_HOME%\br\stdlib\log4j-api-2.13.1.jar or log4j-api-2.16.0.jar
    • %BDS_HOME%\br\stdlib\log4j-core-2.13.1.jar or log4j-core-2.16.0.jar
    • %BDS_HOME%\br\stdlib\log4j-api-2.13.1-1.5.6.jar or log4j-api-2.16.0-1.5.6.jar
    • %BDS_HOME%\br\stdlib\log4j-core-2.13.1-1.5.6.jar or log4j-core-2.16.0-1.5.6.jar
  4. Delete the following files:
    • %BDS_HOME%\br\stdlib\log4j-api-2.13.1.jar or log4j-api-2.16.0.jar
    • %BDS_HOME%\br\stdlib\log4j-core-2.13.1.jar or log4j-core-2.16.0.jar
    • %BDS_HOME%\br\stdlib\log4j-api-2.13.1-1.5.6.jar or log4j-api-2.16.0-1.5.6.jar
    • %BDS_HOME%\br\stdlib\log4j-core-2.13.1-1.5.6.jar or log4j-core-2.16.0-1.5.6.jar
  5. Copy and extract the Hotfix file (TSSA-DW_LOG4J_<version>_HF_v3.zip) to a temporary directory (for example, c:\temp).
  6. Copy the following files from the c:\temp\TSSA-DW_LOG4J_<version>_HF_v3 directory to the %BDS_HOME%\br\stdlib directory:
    • log4j-core-2.17.1.jar
    • log4j-api-2.17.1.jar
    • log4j-core-2.17.1-1.5.6.jar
    • log4j-api-2.17.1-1.5.6.jar
  7. Export the following Windows Registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\BMC\BMC Service Automation Reporting & Analytics\Authentication Server
  8. Open the exported Registry file with a text editor, replace the string 2.13.1 or 2.16.0 with 2.17.1, and save the Registry file.
  9. Import the edited Registry file into the Windows Registry.
  10. Open the %BDS_HOME%\FileRegistry.xml file with a text editor, replace the string 2.13.1 or 2.16.0 with 2.17.1, and save the file.
  11. Back up the following directories and files:
    • %BDS_HOME%\tomcat\webapps\tssa-dw
    • %BDS_HOME%\tomcat\webapps\tssa-dw.war
    • %BDS_HOME%\shared\ConfigurationManagement\libs\log4j-api.jar 
    • %BDS_HOME%\shared\ConfigurationManagement\libs\log4j-core.jar
    • %BDS_HOME%\UninstallTSSA-DW\uninstaller.jar
  12. Delete the following directories and files:
    • %BDS_HOME%\tomcat\webapps\tssa-dw
    • %BDS_HOME%\tomcat\webapps\tssa-dw.war
    • %BDS_HOME%\shared\ConfigurationManagement\libs\log4j-api.jar
    • %BDS_HOME%\shared\ConfigurationManagement\libs\log4j-core.jar
    • %BDS_HOME%\UninstallTSSA-DW\uninstaller.jar
  13. Copy the tssa-dw.war file from c:\temp\TSSA-DW_LOG4J_<Version>_HF_v3 to the %BDS_HOME%\tomcat\webapps directory.
  14. Copy the following files from c:\temp\TSSA-DW_LOG4J_<version>_HF_v3 to the %BDS_HOME%\shared\ConfigurationManagement\libs directory:
    • log4j-core.jar
    • log4j-api.jar
  15. Copy the uninstaller.jar file from c:\temp\TSSA-DW_LOG4J_<version>_HF_v3 to the %BDS_HOME%\UninstallTSSA-DW directory.
  16. Start the BMC SARA Authentication service.
  17. Start the TrueSight Server Automation - Data Warehouse Web Server service.

After you apply the hotfix in Windows

Verify whether the TrueSight Server Automation - Data Warehouse environment is running successfully, and then remove the old log4jxx-2.13.x or log4jxx-2.16.x related files and binaries from the backup folders.

To apply the hotfix in Linux

  1. From the command line, navigate to the $BDS_HOME directory, and stop the services by using the following command: ./blreports stop
  2. Copy and extract the Hotfix file (TSSA-DW_LOG4J_<version>_HF_v3.zip) to a temporary directory (for example, /tmp).
  3. Grant permissions to the files extracted in the previous step: chmod -R 775 *
  4. Back up the following files:
    • $BDS_HOME/br/blasadmin
    • $BDS_HOME/br/blcred
    • $BDS_HOME/br/DeploymentXMLMigrator
    • $BDS_HOME/br/mkcertstore
    • $BDS_HOME/br/mkpkcs12
    • $BDS_HOME/br/blauthserv
    • $BDS_HOME/FileRegistry.xml
    • $BDS_HOME/br/stdlib/log4j-api-2.13.1-1.5.6.jar or log4j-api-2.16.0-1.5.6.jar
    • $BDS_HOME/br/stdlib/log4j-core-2.13.1-1.5.6.jar or log4j-core-2.16.0-1.5.6.jar
    • $BDS_HOME/br/stdlib/log4j-api-2.13.1.jar or log4j-api-2.16.0.jar 
    • $BDS_HOME/br/stdlib/log4j-core-2.13.1.jar or log4j-core-2.16.0.jar 
  5. Delete the following files:
    • $BDS_HOME/br/stdlib/log4j-api-2.13.1-1.5.6.jar or log4j-api-2.16.0-1.5.6.jar 
    • $BDS_HOME/br/stdlib/log4j-core-2.13.1-1.5.6.jar or log4j-core-2.16.0-1.5.6.jar
    • $BDS_HOME/br/stdlib/log4j-api-2.13.1.jar or log4j-api-2.16.0.jar 
    • $BDS_HOME/br/stdlib/log4j-core-2.13.1.jar or log4j-core-2.16.0.jar 
  6. Copy the following files from /tmp/TSSA-DW_LOG4J_<version>_HF_v3 to the $BDS_HOME/br/stdlib directory:
    • log4j-core-2.17.1.jar
    • log4j-api-2.17.1.jar
    • log4j-api-2.17.1-1.5.6.jar
    • log4j-core-2.17.1-1.5.6.jar
  7. Open the following files with a text editor, replace the string 2.13.1 or 2.16.0 with 2.17.1, and save the files:
    • $BDS_HOME/br/blasadmin
    • $BDS_HOME/br/blcred
    • $BDS_HOME/br/DeploymentXMLMigrator
    • $BDS_HOME/br/mkcertstore
    • $BDS_HOME/br/mkpkcs12
    • $BDS_HOME/br/blauthserv
    • $BDS_HOME/FileRegistry.xml
  8. Back up the following directories and files:
    • $BDS_HOME/tomcat/webapps/tssa-dw
    • $BDS_HOME/tomcat/webapps/tssa-dw.war
    • $BDS_HOME/shared/ConfigurationManagement/libs/log4j-api.jar
    • $BDS_HOME/shared/ConfigurationManagement/libs/log4j-core.jar
    • $BDS_HOME/UninstallTSSA-DW/uninstaller.jar
  9. Delete the following directories and files:
    • $BDS_HOME/tomcat/webapps/tssa-dw
    • $BDS_HOME/tomcat/webapps/tssa-dw.war
    • $BDS_HOME/shared/ConfigurationManagement/libs/log4j-api.jar
    • $BDS_HOME/shared/ConfigurationManagement/libs/log4j-core.jar
    • $BDS_HOME/UninstallTSSA-DW/uninstaller.jar
  10. Copy the tssa-dw.war file from /tmp/TSSA-DW_LOG4J_<Version>_HF_v3 to the $BDS_HOME/tomcat/webapps directory.
  11. Copy the following files from /tmp/TSSA-DW_LOG4J_<version>_HF_v3 to the $BDS_HOME/shared/ConfigurationManagement/libs directory:
    • log4j-core.jar
    • log4j-api.jar
  12. Copy the uninstaller.jar file from /tmp/TSSA-DW_LOG4J_<version>_HF_v3 to the $BDS_HOME/UninstallTSSA-DW directory.
  13. Navigate to the $BDS_HOME directory, and start the services by using the following command: ./blreports start

After you apply the hotfix in Linux

Verify whether the TrueSight Server Automation - Data Warehouse environment is running successfully, and then remove the old log4jxx-2.13.x or log4jxx-2.16.x related files and binaries from the backup folder.
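
The checks that the Linux procedure implies, written as an added shell example that is not BMC's code: it compares a downloaded zip with the md5 published on this page, then reports leftover 2.13.x or 2.16.x Log4j JARs and stale version strings in the files edited in step 7. The function names are hypothetical, and the JAR search covers the whole $BDS_HOME tree rather than only br/stdlib, so backup copies left inside it are reported too.

```shell
#!/bin/sh
# Added example: checks around the Linux hotfix procedure on this page.
# Function names are hypothetical; paths, file names and version strings
# are the ones the page lists.

# md5 published on this page for TSSA-DW_LOG4J_<version>_HF_v3.zip
PUBLISHED_MD5="3906c81c93eb7b3be7446df2ec136bf1"

# Return 0 only if the file's md5 equals the expected value
# (defaults to the published one).
check_md5() {
    actual=$(md5sum "$1" 2>/dev/null | awk '{print $1}')
    [ -n "$actual" ] && [ "$actual" = "${2:-$PUBLISHED_MD5}" ]
}

# Print every Log4j JAR under BDS_HOME whose file name still carries
# 2.13.x or 2.16.x, including backup copies left inside the tree.
stale_jars() {
    find "$1" -type f \( -name 'log4j-*-2.13.*.jar' -o -name 'log4j-*-2.16.*.jar' \)
}

# Print every file edited in step 7 that still mentions 2.13.1 or 2.16.0.
stale_refs() {
    for f in br/blasadmin br/blcred br/DeploymentXMLMigrator br/mkcertstore \
             br/mkpkcs12 br/blauthserv FileRegistry.xml; do
        [ -f "$1/$f" ] || continue
        grep -lE '2\.13\.1|2\.16\.0' "$1/$f" || true
    done
}

# Return 0 when nothing stale remains; otherwise list findings, return 1.
verify_hotfix() {
    findings=$(stale_jars "$1"; stale_refs "$1")
    if [ -n "$findings" ]; then
        echo "$findings"
        return 1
    fi
    return 0
}

# Usage: sh verify.sh "$BDS_HOME"  (runs only when a directory is passed)
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    verify_hotfix "$1"
fi
```

The unversioned log4j-api.jar and log4j-core.jar files under shared/ConfigurationManagement/libs cannot be checked by file name, so this script does not cover them.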
