Workaround available for the Apache Log4Shell security vulnerability (CVE-2021-44228 and CVE-2021-45046)


BMC Software is alerting users to the Apache Log4j vulnerabilities that require immediate attention in BMC Helix ITSM: Smart Reporting version 20.02.02.

If you have any questions about the problem, contact BMC Support.

A zero-day exploit for the following vulnerabilities was publicly released: 

  • CVE-2021-44228 (code named Log4Shell) on December 9, 2021
  • CVE-2021-45046 on December 14, 2021

A detailed description of both vulnerabilities is available on the Apache Log4j Security Vulnerabilities page: https://logging.apache.org/log4j/2.x/security.html

Please follow the BMC Security Advisory Note on BMC Community for continuous updates and details about this issue.

We recommend that you immediately apply the workaround as described in this topic.



Issue

  Defect ID     CVSS v3 rating    Description
  DRIAR-1746    9.8 (Critical)    Apache Log4j Security Vulnerability (CVE-2021-44228 and CVE-2021-45046) identified in BMC Helix ITSM: Smart Reporting.


Workaround

Verify the application version

  1. Log in to Smart Reporting with administrator permissions.
  2. Navigate to Administration > System Information, as shown in the following image:

    (image: administration_sr.png)

  3. Verify the application version in the System Information screen, as shown in the following image:

    (image: sys_inf.png)

    Important

    The affected releases are application version 8.0.8 and later, as shown on the System Information screen.

Upgrade log4j in an existing Smart Reporting instance (Remediation option)

  1. Download log4j 2.17.0 binary distribution from the location: https://logging.apache.org/log4j/2.x/download.html.
  2. Stop Smart Reporting services.
  3. From the distribution zip file, extract the following files and copy them into the <Install Directory>/WEB-INF/lib folder: 
    • log4j-1.2-api-2.17.0.jar
    • log4j-api-2.17.0.jar
    • log4j-core-2.17.0.jar
    • log4j-web-2.17.0.jar
  4. Remove the existing log4j libraries from the folder.
    These files have the same names as the ones you just copied, but with an older version number (2.13.3 or 2.15.0).

    Important

    If you do not remove the existing files, two versions of each log4j library are on the classpath. The system might then fail to start, or the class loader might still load the older classes, leaving the system vulnerable to the exploit.

  5. After replacing the log4j libraries, restart the Smart Reporting services.
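After step 5, a practitioner will want to confirm that only 2.17.0 jars remain in WEB-INF/lib and that no older copy was left behind, which is the failure mode the Important note describes. The following script is an added example written for this page, not BMC or Apache code. It reads the Maven pom.properties inside each log4j-*.jar rather than trusting the file name, flags versions below 2.17.0, flags an artifact that appears twice, and notes the JndiLookup class in core jars older than 2.16.0 (where JNDI lookups are enabled by default). The sample jars it builds are constructed stand-ins containing only the entries the audit reads; the function names and threshold constants are the example's own.

```python
"""Audit a WEB-INF/lib folder for outdated or duplicated Log4j 2 jars (added example)."""
import os
import re
import sys
import tempfile
import zipfile

TARGET_VERSION = (2, 17, 0)          # version the remediation installs
JNDI_DEFAULT_ON_BELOW = (2, 16, 0)   # JNDI lookups enabled by default before 2.16.0
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MAVEN_PREFIX = "META-INF/maven/org.apache.logging.log4j/"
JAR_NAME_RE = re.compile(r"^(log4j-[a-z0-9.-]+?)-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.17.0' -> (2, 17, 0); a qualifier such as '-beta9' is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))


def inspect_jar(path):
    """Return (artifactId, version, has_jndi_lookup) for one jar.

    The pom.properties Maven writes into the jar is authoritative; the file
    name is only a fallback, since a renamed jar says nothing about its content.
    """
    m = JAR_NAME_RE.match(os.path.basename(path))
    artifact, version = (m.group(1), m.group(2)) if m else (os.path.basename(path), None)
    with zipfile.ZipFile(path) as zf:
        entries = zf.namelist()
        for entry in entries:
            if entry.startswith(MAVEN_PREFIX) and entry.endswith("/pom.properties"):
                for line in zf.read(entry).decode("utf-8", "replace").splitlines():
                    key, _, value = line.partition("=")
                    if key.strip() == "version":
                        version = value.strip()
                    elif key.strip() == "artifactId":
                        artifact = value.strip()
    return artifact, version, JNDI_LOOKUP_CLASS in entries


def audit_lib_dir(lib_dir):
    """Return [(file name, artifactId, version, [problems])] for every log4j-*.jar."""
    findings, seen = [], {}  # seen: artifactId -> first file name carrying it
    for name in sorted(os.listdir(lib_dir)):
        if not (name.startswith("log4j-") and name.endswith(".jar")):
            continue
        artifact, version, has_jndi = inspect_jar(os.path.join(lib_dir, name))
        problems = []
        if version is None:
            problems.append("version unknown")
        elif parse_version(version) < TARGET_VERSION:
            problems.append("below " + ".".join(map(str, TARGET_VERSION)))
        if has_jndi and (version is None or parse_version(version) < JNDI_DEFAULT_ON_BELOW):
            problems.append("JNDI lookup class present in a pre-2.16.0 core jar")
        if artifact in seen:  # two versions of one artifact: step 4 was skipped
            problems.append("duplicate artifact " + artifact + " (also " + seen[artifact] + ")")
        else:
            seen[artifact] = name
        findings.append((name, artifact, version, problems))
    return findings


def is_remediated(findings):
    """True only if log4j jars are present, all at the target version, none duplicated."""
    return bool(findings) and all(not problems for _, _, _, problems in findings)


def make_sample_jar(lib_dir, artifact, version, with_jndi):
    """Constructed stand-in for a log4j jar: only the entries the audit reads."""
    path = os.path.join(lib_dir, artifact + "-" + version + ".jar")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(MAVEN_PREFIX + artifact + "/pom.properties",
                    "version=" + version + "\ngroupId=org.apache.logging.log4j\n"
                    "artifactId=" + artifact + "\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"placeholder, not a real class file")
    return path


def build_sample_lib_dir(leave_old_jars=True):
    """Constructed lib folder; with leave_old_jars the old core/web jars were not removed."""
    lib_dir = tempfile.mkdtemp(prefix="webinf-lib-")
    if leave_old_jars:
        make_sample_jar(lib_dir, "log4j-core", "2.13.3", True)   # left behind (step 4 skipped)
        make_sample_jar(lib_dir, "log4j-web", "2.15.0", False)   # upgrade missed
    else:
        make_sample_jar(lib_dir, "log4j-web", "2.17.0", False)
    make_sample_jar(lib_dir, "log4j-core", "2.17.0", True)       # 2.17.0 still ships the class
    make_sample_jar(lib_dir, "log4j-api", "2.17.0", False)
    make_sample_jar(lib_dir, "log4j-1.2-api", "2.17.0", False)
    return lib_dir


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_lib_dir()
    results = audit_lib_dir(target)
    for name, artifact, version, problems in results:
        print(f"{name:32} {artifact:16} {version or '?':8} {'OK' if not problems else '; '.join(problems)}")
    sys.exit(0 if is_remediated(results) else 1)
```

Run it as `python audit_log4j.py "<Install Directory>/WEB-INF/lib"` (file name assumed); with no argument it audits the constructed sample, which reproduces a skipped step 4 and exits non-zero. A clean folder, with only the four 2.17.0 jars, exits zero.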
