Mitigation for the Apache Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046


BMC Software is alerting users to the Apache Log4j vulnerabilities that require immediate attention in version 21.3 of TrueSight Server Automation - Data Warehouse.

If you have any questions about the issue, contact Customer Support.

December 19, 2021

Last updated: February 22, 2022


Issue

A zero-day exploit for the following vulnerabilities was publicly released:

  • CVE-2021-44228 (code named Log4Shell) on December 9, 2021
  • CVE-2021-45046 on December 14, 2021
  • CVE-2021-4104 on December 14, 2021
  • CVE-2021-45105 on December 18, 2021
  • CVE-2021-44832 on December 28, 2021

A detailed description of the vulnerabilities can be found here: Apache Log4j Security Vulnerabilities. Please follow the BMC Security Advisory Note on BMC Community for continuous updates and details about this issue.

We recommend that you immediately apply the fix as described in this topic.

Resolution

Download the hotfix required for your platform from the Patches tab of the following EPD website page. You must provide your BMC Support credentials to access the EPD website. You might also be prompted to complete the Export Compliance form.

Important

The existing file, TSSA-DW_LOG4J_<Version>_HF_v2.zip, which fixed CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, CVE-2021-45105, and CVE-2021-44832, has been removed from EPD because it referenced an earlier vulnerable version of Log4j. Use TSSA-DW_LOG4J_<Version>_HF_v3.zip to apply the hotfix for the vulnerabilities mentioned in the Issue section.

You can apply this hotfix irrespective of whether or not you have applied the previous hotfix.


Version

Platform

EPD download Link

Item name

File name

md5 checksum

21.3

Windows, Linux

TrueSight Server Automation - Data Warehouse 21.3.00 Log4JShell Hotfix

TSSA-DW_LOG4J_<Version>_HF_v3.zip

ec1962d9062297b2c3e930197ce8e66d

To apply the hotfix in Windows

  1. Stop the BMC SARA Authentication service.
  2. Stop the TrueSight Server Automation - Data Warehouse Web Server service.
  3. Back up the following files:
    • %BDS_HOME%\FileRegistry.xml
    • %BDS_HOME%\br\stdlib\log4j-1.2-api-2.13.1.jar or log4j-1.2-api-2.16.0.jar
    • %BDS_HOME%\br\stdlib\log4j-api-2.13.1.jar or log4j-api-2.16.0.jar
    • %BDS_HOME%\br\stdlib\log4j-core-2.13.1.jar or log4j-core-2.16.0.jar
  4. Delete the following files:
    • %BDS_HOME%\br\stdlib\log4j-1.2-api-2.13.1.jar or log4j-1.2-api-2.16.0.jar
    • %BDS_HOME%\br\stdlib\log4j-api-2.13.1.jar or log4j-api-2.16.0.jar
    • %BDS_HOME%\br\stdlib\log4j-core-2.13.1.jar or log4j-core-2.16.0.jar
  5. Copy and extract the hotfix file (TSSA-DW_LOG4J_<Version>_HF_v3.zip) to a temporary directory (for example, c:\temp).
  6. Copy the following files from c:\temp\TSSA-DW_LOG4J_<Version>_HF_v3 to the %BDS_HOME%\br\stdlib directory:
    • log4j-core-2.17.1.jar
    • log4j-api-2.17.1.jar
    • log4j-1.2-api-2.17.1.jar
  7. Export the following Windows Registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\BMC\BMC Service Automation Reporting & Analytics\Authentication Server
  8. Open the exported Registry file with a text editor, replace the string 2.13.1 or 2.16.0 with 2.17.1, and save the Registry file.
  9. Import the edited Registry file back into the Windows Registry.
  10. Open the %BDS_HOME%\FileRegistry.xml file with a text editor, replace the string 2.13.1 or 2.16.0 with 2.17.1, and save the file.
  11. Back up the following directories and files:
    • %BDS_HOME%\tomcat\webapps\tssa-dw
    • %BDS_HOME%\tomcat\webapps\tssa-dw.war
    • %BDS_HOME%\shared\ConfigurationManagement\libs\log4j-api.jar
    • %BDS_HOME%\shared\ConfigurationManagement\libs\log4j-core.jar
    • %BDS_HOME%\UninstallTSSA-DW\uninstaller.jar
  12. Delete the following directories and files:
    • %BDS_HOME%\tomcat\webapps\tssa-dw
    • %BDS_HOME%\tomcat\webapps\tssa-dw.war
    • %BDS_HOME%\shared\ConfigurationManagement\libs\log4j-api.jar
    • %BDS_HOME%\shared\ConfigurationManagement\libs\log4j-core.jar
    • %BDS_HOME%\UninstallTSSA-DW\uninstaller.jar
  13. Copy the tssa-dw.war file from c:\temp\TSSA-DW_LOG4J_<Version>_HF_v3 to the %BDS_HOME%\tomcat\webapps directory.
  14. Copy the following files from c:\temp\TSSA-DW_LOG4J_<Version>_HF_v3 to the %BDS_HOME%\shared\ConfigurationManagement\libs directory:
    • log4j-core.jar
    • log4j-api.jar
  15. Copy the uninstaller.jar file from c:\temp to the %BDS_HOME%\UninstallTSSA-DW directory.
  16. Start the BMC SARA Authentication service.
  17. Start the TrueSight Server Automation - Data Warehouse Web Server service.

After you apply the hotfix in Windows

Verify that the system is running successfully, and then remove the old log4jxx-2.13.x or log4jxx-2.16.x related files and binaries from the backup folder to avoid any issues.

To apply the hotfix in Linux

  1. From the command line, navigate to the $BDS_HOME directory, and stop the services by using the following command: ./blreports stop
  2. Copy and extract the hotfix file (TSSA-DW_LOG4J_<Version>_HF_v3.zip) to a temporary directory (for example, /tmp).
  3. Grant permissions to the files extracted in the previous step: chmod -R 775 *
  4. Back up the following files:
    • $BDS_HOME/br/blasadmin
    • $BDS_HOME/br/blcred
    • $BDS_HOME/br/DeploymentXMLMigrator
    • $BDS_HOME/br/mkcertstore
    • $BDS_HOME/br/mkpkcs12
    • $BDS_HOME/br/blauthserv
    • $BDS_HOME/FileRegistry.xml
    • $BDS_HOME/br/stdlib/log4j-1.2-api-2.13.1.jar or log4j-1.2-api-2.16.0.jar
    • $BDS_HOME/br/stdlib/log4j-api-2.13.1.jar or log4j-api-2.16.0.jar
    • $BDS_HOME/br/stdlib/log4j-core-2.13.1.jar or log4j-core-2.16.0.jar
  5. Delete the following files:
    • $BDS_HOME/br/stdlib/log4j-1.2-api-2.13.1.jar or log4j-1.2-api-2.16.0.jar
    • $BDS_HOME/br/stdlib/log4j-api-2.13.1.jar or log4j-api-2.16.0.jar
    • $BDS_HOME/br/stdlib/log4j-core-2.13.1.jar or log4j-core-2.16.0.jar
  6. Copy the following files from /tmp/TSSA-DW_LOG4J_<Version>_HF_v3 to the $BDS_HOME/br/stdlib directory:
    • log4j-core-2.17.1.jar
    • log4j-api-2.17.1.jar
    • log4j-1.2-api-2.17.1.jar
  7. Open the following files with a text editor, replace the string 2.13.1 or 2.16.0 with 2.17.1, and save the files:
    • $BDS_HOME/br/blasadmin
    • $BDS_HOME/br/blcred
    • $BDS_HOME/br/DeploymentXMLMigrator
    • $BDS_HOME/br/mkcertstore
    • $BDS_HOME/br/mkpkcs12
    • $BDS_HOME/br/blauthserv
    • $BDS_HOME/FileRegistry.xml
  8. Back up the following directories and files:
    • $BDS_HOME/tomcat/webapps/tssa-dw
    • $BDS_HOME/tomcat/webapps/tssa-dw.war
    • $BDS_HOME/shared/ConfigurationManagement/libs/log4j-api.jar
    • $BDS_HOME/shared/ConfigurationManagement/libs/log4j-core.jar
    • $BDS_HOME/UninstallTSSA-DW/uninstaller.jar
  9. Delete the following directories and files:
    • $BDS_HOME/tomcat/webapps/tssa-dw
    • $BDS_HOME/tomcat/webapps/tssa-dw.war
    • $BDS_HOME/shared/ConfigurationManagement/libs/log4j-api.jar
    • $BDS_HOME/shared/ConfigurationManagement/libs/log4j-core.jar
    • $BDS_HOME/UninstallTSSA-DW/uninstaller.jar
  10. Copy the tssa-dw.war file from /tmp/TSSA-DW_LOG4J_<Version>_HF_v3 to the $BDS_HOME/tomcat/webapps directory.
  11. Copy the following files from /tmp/TSSA-DW_LOG4J_<Version>_HF_v3 to the $BDS_HOME/shared/ConfigurationManagement/libs directory:
    • log4j-core.jar
    • log4j-api.jar
  12. Copy the uninstaller.jar file from /tmp/TSSA-DW_LOG4J_<Version>_HF_v3 to the $BDS_HOME/UninstallTSSA-DW directory.
  13. Navigate to the $BDS_HOME directory, and start the services by using the following command: ./blreports start

After you apply the hotfix in Linux

Verify that the system is running successfully, and then remove the old log4jxx-2.13.x or log4jxx-2.16.x related files and binaries from the backup folders.
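
The Linux procedure above can be checked with a short script before the backups are removed. The following is an added example, not part of the BMC hotfix or documentation: it compares the downloaded archive against the md5 checksum published in the table, then reports any Log4j jar in br/stdlib that is not 2.17.1 and any file from step 7 that still contains 2.13.1 or 2.16.0. The function names are this example's own, and it assumes md5sum from GNU coreutils is installed.

```shell
#!/bin/sh
# Added example: audit of the Linux hotfix steps. Checksum, paths and version
# strings come from this page; the function names are hypothetical.
EXPECTED_MD5="ec1962d9062297b2c3e930197ce8e66d"
FIXED="2.17.1"

# verify_zip <archive>: succeed only if the MD5 matches the published value.
verify_zip() {
    actual=$(md5sum "$1" 2>/dev/null | awk '{print $1}')
    [ "$actual" = "$EXPECTED_MD5" ]
}

# stale_jars <bds_home>: print versioned Log4j jars in br/stdlib other than 2.17.1.
stale_jars() {
    for f in "$1"/br/stdlib/log4j-*.jar; do
        [ -e "$f" ] || continue
        case "$f" in *-"$FIXED".jar) ;; *) echo "$f" ;; esac
    done
}

# missing_fixed <bds_home>: print each 2.17.1 jar from step 6 that is absent.
missing_fixed() {
    for j in log4j-core log4j-api log4j-1.2-api; do
        [ -f "$1/br/stdlib/$j-$FIXED.jar" ] || echo "missing: $1/br/stdlib/$j-$FIXED.jar"
    done
}

# stale_refs <bds_home>: print step 7 files that still mention 2.13.1 or 2.16.0.
stale_refs() {
    for rel in br/blasadmin br/blcred br/DeploymentXMLMigrator br/mkcertstore \
               br/mkpkcs12 br/blauthserv FileRegistry.xml; do
        if grep -qF -e 2.13.1 -e 2.16.0 "$1/$rel" 2>/dev/null; then
            echo "$1/$rel"
        fi
    done
}

# audit <bds_home>: return 0 only when nothing above is reported.
audit() {
    found=$(stale_jars "$1"; missing_fixed "$1"; stale_refs "$1")
    [ -z "$found" ] && return 0
    printf 'Still needs attention:\n%s\n' "$found" >&2
    return 1
}

# Run as: sh audit.sh "$BDS_HOME"   (does nothing when sourced without arguments)
[ "$#" -eq 0 ] || audit "$1"
```

The jars in shared/ConfigurationManagement/libs carry no version in their file names, so this check does not cover them.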

 
