Application Security News

BMC Software has identified and fixed Mid Tier vulnerabilities including Remote Code Execution and Reflected Cross-site Scripting.

Remedy Mid Tier 9.0, 9.1, 18.05, 18.08, 19.02, and 19.08, all versions, service packs, and patches are affected by these vulnerabilities.

No action is required for SaaS customers (Remedy OnDemand / BMC Helix ITSM).

For more information about these issues and the resolution, see the following links:

Thanks to Raphaël Arrouas and Stephane Grundschober for responsibly disclosing some of these vulnerabilities to BMC.


BMC Software has identified an unauthenticated Remote Code Execution security vulnerability CVE-2019-16755 (CVSS v3 score 10.0) in BMC Digital Workplace and Remedy with Smart IT. Thank you to Jerome Nokin (NATO NCIA / NCIRC) for his responsible disclosure.

BMC Digital Workplace 3.x and 18.x releases, associated service packs, and patches are affected by this vulnerability.
No action is required if you are using BMC Digital Workplace 19.02 or later.

Remedy with Smart IT 1.x, 2.0, 18.05, 18.08, and 19.02 releases, associated service packs, and patches are affected by this vulnerability.
No action is required if you are using Remedy with Smart IT 2.0 Patch 2 or Remedy with Smart IT 19.08.

No action is required for SaaS customers. This refers to Remedy as a Service (RaaS), Helix ITSM, or BMC Helix Digital Workplace.

Hot fix available
A hot fix is currently available for all affected versions of BMC Digital Workplace and Remedy with Smart IT. BMC strongly recommends that customers apply this hot fix.

The hot fixes for the affected versions are available at the following links:

  • BMC Digital Workplace
    • For version 3.3 or earlier, you must upgrade to version 3.3.02 before applying the hot fix.
  • Remedy with Smart IT
    • For versions 1.4 or earlier, you must upgrade to version 2.0 Patch 2. Please contact BMC Support if you require a fix for versions 1.5, 1.5.01, or 1.6.

Upgrade required for Remedy with Smart IT?

  • Remedy with Smart IT 2.0 Patch 1 requires you to upgrade to Smart IT 2.0 Patch 2. This version is not affected by the security vulnerability.
  • Remedy with Smart IT 18.05 requires an install of Patch 5 prior to applying the security vulnerability hot fix.
  • Remedy with Smart IT 18.08 requires an install of Patch 1 prior to applying the security vulnerability hot fix.
  • Remedy with Smart IT 19.02 requires an install of Patch 1 prior to applying the security vulnerability hot fix.

Upgrade required for BMC Digital Workplace?

  • BMC Digital Workplace 3.3.02, 3.4.00, or 3.5.00 do not require an upgrade; you can apply the security vulnerability hot fix directly.
  • BMC Digital Workplace 18.02, 18.05, 18.08, or 18.11 do not require an upgrade; you can apply the security vulnerability hot fix directly.

Security researchers Raphaël Arrouas and Stephane Grundschober have identified a critical unauthenticated Remote Code Execution (RCE) vulnerability in BMC Remedy Mid Tier (CVE-2019-12740).

Mid Tier versions 9.1, 18.05, 18.08, and 19.02, including service packs and patches, are all affected by this vulnerability.

Perform the following steps to resolve this issue:

  1. Ensure that the base version of Mid Tier is as follows:
    • For Mid Tier version 9.1—Base version must be Patch 1 for 9.1 Service Pack 3 (9.1.03.001) or Patch 2 for 9.1 Service Pack 4 (9.1.04.002)
    • For Mid Tier version 18.05—Base version must be 18.05 or Service Pack 5 for version 18.05 (18.05.005)
    • For Mid Tier version 18.08—Base version must be Service Pack 1 for version 18.08 (18.08.01)
    • For Mid Tier version 19.02—Base version must be 19.02
  2. Download the hot fix from ftp://ftp.bmc.com/pub/ARRecommendedFixes/Midtier.
  3. Deploy the hot fix as described in the Readme file provided with each hot fix bundle.
  4. Edit the web.xml file located in the <midTierInstallDirectory>/WEB-INF directory. For information about the steps to be followed, see the Additional Instructions section in the Readme files.

For any additional questions, please open a Support case.

Many thanks to both researchers for responsibly disclosing this vulnerability and cooperating with BMC for a speedy resolution.


Advisory overview

Recently, BMC Software has identified a security vulnerability (CVE-2018-19647) that could allow a remote, unauthenticated attacker to gain arbitrary code execution as the system user. The exposure is limited to scenarios where an attacker is on the same network as Remedy AR System and has the capability to bypass standard network-based defenses such as firewalls. Full advisory can be found here.

Service Impact

All service packs and patches of Remedy AR System 8.x, 9.x and 18.x versions are affected by this vulnerability.

Security Mitigations

Within the BMC SaaS boundary, the affected service (AR Plug-in) is not directly accessible via the Internet; it is reachable only via authorized internal network connections in which the service is explicitly permitted. In addition, each customer AR System is dedicated and not shared with any other customer. Furthermore, in all current versions the AR Plug-in service does not run as a privileged user. These controls and configuration build standards greatly reduce the exposure, the ability to execute remote code, and the potential for exploitation.

Remediation Status

BMC Information Security, Remedy, and SaaS Operations teams have reviewed this vulnerability and how it affects BMC subscription services. Our conclusion is that the mitigations listed above, including proper build standards, network isolation, and restrictive access controls, significantly reduce the likelihood and exploitability of this vulnerability. Based on this information, the residual risk in this environment is classified as "low" and will be addressed as part of the ongoing release lifecycle.

BMC Information Security teams will continue to update this notice as information is provided or changes to the advisory are required.


NOTE: This vulnerability is only applicable to AR System on Linux servers.

BMC Software has identified a security vulnerability (CVE-2018-19647) that could allow a remote, unauthenticated attacker to gain arbitrary code execution as the system user running the arplugin service. The exposure is limited to scenarios where an attacker is on the same network as the Remedy AR System and can bypass standard network-based defenses such as firewalls. For Remedy AR System 9.x and 18.x, all versions, service packs, and patches are affected by this vulnerability. BMC strongly recommends that customers who have installed Remedy AR System 9.x or 18.x apply this hot fix. Hot fixes for the affected versions are available at the following links:

PREREQUISITES: Customers on Remedy AR System 9.1.04 must apply patch 002 (9.1.04.002) before applying the hot fix if they have not already applied it. Customers on Remedy AR System 9.1.03 must apply patch 001 (9.1.03.001) before applying the hot fix if they have not already applied it. Customers on Remedy AR System 9.1.02 must apply patch 004 (9.1.02.004) before applying the hot fix if they have not already applied it. There are no prerequisites for installation on Remedy AR System 18.05 or 18.08.

Thanks to François Goichon from the Google Security Team for identification of this problem.


The BMC Application Security team is aware of the recent SAML vulnerability reported by Duo Labs and has determined that BMC’s Remedy Single Sign-On (RSSO) system is not affected by this vulnerability.

Explanation:

The Duo Labs site states that for this vulnerability to be exploited, the following must all be true:

  • The SAML response contains strings identifying the authenticating user
  • XML canonicalization removes comments as part of signature validation, allowing comments to be added to a SAML response without invalidating the signature
  • XML text extraction only returns a substring of the element text when comments are present

Because RSSO returns the entire string (without comments) when extracting element text, the third condition is false.
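The third condition is something you can test directly against your own SAML library. The following Python is an added example, not code from BMC's post or from RSSO: it compares a DOM-style extraction that reads only the element's first text node with one that joins every text node and ignores comments, and checks each against the value obtained when the comment is removed. The assertion fragment and the NameID value are constructed.

```python
"""Added example: does an XML text-extraction routine return the whole element
text when a comment splits it (the third Duo Labs condition)?"""
import re
from xml.dom import minidom

# Constructed sample: an XML comment interrupts the NameID text.
SAMPLE_NAMEID = (
    '<Assertion><NameID>alice<!-- split -->@example.com</NameID></Assertion>'
)


def first_text_node(doc_xml: str, tag: str) -> str:
    """DOM-style extraction that reads only the element's first child node.
    The comment is a separate child, so the result is a substring of the real
    value; this is the behaviour that makes the third condition true."""
    doc = minidom.parseString(doc_xml)
    return doc.getElementsByTagName(tag)[0].firstChild.nodeValue


def all_text_nodes(doc_xml: str, tag: str) -> str:
    """Concatenate every text node under the element and skip comments,
    the behaviour the post attributes to RSSO."""
    doc = minidom.parseString(doc_xml)
    element = doc.getElementsByTagName(tag)[0]
    return "".join(n.data for n in element.childNodes if n.nodeType == n.TEXT_NODE)


def extraction_is_comment_safe(extract, doc_xml: str, tag: str) -> bool:
    """Condition-three check: extraction with the comment present must equal
    extraction with the comment stripped out."""
    without_comment = re.sub(r"<!--.*?-->", "", doc_xml, flags=re.S)
    return extract(doc_xml, tag) == extract(without_comment, tag)


if __name__ == "__main__":
    for name, fn in (("first_text_node", first_text_node),
                     ("all_text_nodes", all_text_nodes)):
        value = fn(SAMPLE_NAMEID, "NameID")
        safe = extraction_is_comment_safe(fn, SAMPLE_NAMEID, "NameID")
        print(f"{name}: {value!r} comment-safe={safe}")
```

Run the same check with whatever extraction call your SAML stack actually uses in place of the two functions above; if it reports false for a comment-split value, the third condition holds for that stack.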

As a result, RSSO is not affected by the SAML vulnerability.

Additional Resources:

https://www.kb.cert.org/vuls/id/475445


This customer communication is an update to the message BMC posted on Jan 5th about two major CPU vulnerabilities known as Meltdown and Spectre (https://communities.bmc.com/blogs/application-security-news/2018/01/05/cpu-vulnerabilities-meltdown-cve-2017-5754-and-spectre-cve-2017-5753-cve-2017-5715).

The currently known variants of Meltdown and Spectre, such as bounds check bypass, branch target injection, and rogue data cache load, are specific to CPU hardware implementations. Remediation for these variants is currently available from CPU and Operating System (OS) vendors through firmware updates and software patches (details can be found in the US-CERT link below).

 

For BMC software that is hosted on-premise at customer locations, BMC recommends that those customers follow their internal vulnerability management process and apply the appropriate patches according to vendor guidelines.

In cases where the software is running on BMC-provided OS or application stacks (appliances), BMC is working diligently with OS vendors to apply stable patches where necessary.

For BMC’s SaaS offerings, BMC’s operation teams have been tracking vendors for availability of stable patches and have been applying them to BMC’s SaaS infrastructure as soon as they have become available.

BMC will continue to closely monitor this evolving situation and provide additional details and maintenance notifications as needed.

More information about these vulnerabilities can be found here: https://www.us-cert.gov/ncas/alerts/TA18-004A


On January 3, 2018, two major vulnerabilities (known as Meltdown, CVE-2017-5754, and Spectre, CVE-2017-5753 and CVE-2017-5715) were revealed that affect almost all modern CPUs. Meltdown allows any application to access all system memory, including memory allocated for the kernel. Spectre allows an application to force another application to access arbitrary portions of its memory, which can then be read through a side channel. The vulnerabilities are known to be exploitable on servers, workstations, mobile devices, IoT environments, and browsers.

BMC is aware of these vulnerabilities and has been working closely with our vendors and product teams to address them on applicable systems and products as soon as patches are available, in accordance with the BMC customer support process. BMC will continue to closely monitor this evolving situation and will provide additional details and maintenance notifications as needed.

More information about these flaws can be found here: https://www.us-cert.gov/ncas/alerts/TA18-004A


An SQL injection vulnerability has been identified in BMC's Remedy Action Request product. This vulnerability can affect the confidentiality and integrity of the application data. BMC has released a hotfix (ftp://ftp.bmc.com/pub/ARRecommendedFixes/SecurityVulnerabiltyFixes/) to patch this vulnerability. We strongly recommend that BMC customers apply this hotfix to address the vulnerability.

BMC would like to thank Spyridon Chatzimichail (https://www.linkedin.com/in/spyridon-chatzimichail-07467928/) for responsibly disclosing the vulnerability and helping us to further harden our products.


On September 5th, 2017, the Apache team published a security bulletin for Apache Struts 2. It describes a vulnerability caused by the REST plugin using an instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads.

To date, the BMC Application Security team has scanned all of our products and discovered only one product that uses Struts 2. Service Level Management (SLM) implements Struts 2 but does not use the vulnerable REST plugin. Though SLM does not use the impacted jar, customers can remove the Struts REST plugin on their own. SLM SP4 will include a patched version of Struts 2; in the meantime, workaround details can be found in Apache's security bulletin.

Security is our top priority and we are committed to staying on top of vulnerability management and threat intelligence.

Please subscribe to this blog post to be notified of updates. If you have any questions please leave them in the comments below or email us at AppSec@bmc.com.


Last updated: April 4th, 2017 2:25pm (PDT)

On March 7th, 2017 the Apache team published a security bulletin for Apache Struts 2. It describes a possible remote code execution vulnerability when performing file upload based on the Jakarta Multipart parser.

The BMC Application Security team is investigating whether any BMC products are impacted by this vulnerability.

The table below will be updated periodically to reflect our findings. Please subscribe to this blog post to be notified of updates.

BMC Products that do NOT include Struts 2:
  • BMC Atrium Orchestrator (BAO)
  • BMC Client Management (BCM, formerly Footprints Asset Core)
  • BMC Cloud Lifecycle Management (CLM)
  • BMC Control-D
  • BMC Control-M
  • BMC Database Automation (BDA and BDSDA)
  • BMC Decision Support for Server Automation (BDSSA)
  • BMC Discovery (formerly ADDM)
  • BMC Impact Manager
  • BMC Innovation Suite
  • BMC MyIT
  • BMC Network Automation (BNA and BDSNA)
  • BMC Pathway Policy Service
  • BMC Real End User Experience Monitoring (Real EUEM)
  • BMC Release Lifecycle Management (RLM including RPD and RPM)
  • BMC Remedy IT Service Management Suite (ITSM)
  • BMC Remedy Mid-Tier
  • BMC Remedy Platform
  • BMC Server Automation (BSA)
  • BMC Service Request Management (SRM)
  • BMC SmartIT
  • BMC TrueSight App Visibility Manager
  • BMC TrueSight Capacity Optimization (TSCO)
  • BMC TrueSight Infrastructure Management (TSIM including BPPM)
  • BMC TrueSight Infrastructure Management (TSIM) - PATROL Agent
  • BMC TrueSight Infrastructure Management (TSIM) - PATROL Repository
  • BMC TrueSight Intelligence
  • BMC TrueSight IT Data Analytics (ITDA)
  • BMC TrueSight Middleware Administrator (TSMA)
  • BMC TrueSight Middleware Transaction Monitor (TMTM)
  • BMC TrueSight Presentation Server (TSPS)
  • BMC TrueSight Pulse
  • BMC TrueSight Synthetic Monitor

BMC Products that include Struts 2:
  • BMC Service Level Management (SLM): The SLM Collector Admin UI uses Struts 2; however, it does not use file upload based on the Jakarta Multipart parser and is therefore not vulnerable to CVE-2017-5638.


Stephen Hawking, referring to the ancient philosophical paradox of infinite regress, writes in his 1988 book "A Brief History of Time" (ISBN 978-0-553-05340-1):

A well-known scientist (some say it was Bertrand Russell) once gave a public lecture on astronomy. He described how the earth orbits around the sun and how the sun, in turn, orbits around the center of a vast collection of stars called our galaxy. At the end of the lecture, a little old lady at the back of the room got up and said: "What you have told us is rubbish. The world is really a flat plate supported on the back of a giant tortoise." The scientist gave a superior smile before replying, "What is the tortoise standing on?" "You're very clever, young man, very clever," said the old lady. "But it's turtles all the way down!"

I am occasionally asked (typically after an information assurance or IT security group runs an environment scan) why there are clear text passphrases stored in Apache Tomcat server.xml files. A common security best practice is to keep secrets, well um, secret. How is it, I am asked, that a passphrase used to unlock a keystore that houses sensitive private keys used for secure HTTPS connections is so clearly visible in a configuration file?

This is a good question and one that has been debated quite a lot. My honest answer is that we haven't been able to figure out anything that provides more adequate protection. The reality is that when you encrypt data in a way that lets you retrieve the original value through decryption, you need a key (or, in the case of Apache Tomcat, a passphrase that is used to derive the key that encrypts the keystore). The problem is where and how to secure that key. There are a few approaches we could take:

  1. Don't store it. Prompt a person for it every time you need it.
    Problem: this does not scale nor is it automatic. Multiple servers that need to be spun up and/or restarted frequently cannot rely on human interaction.
  2. Encrypt it and store it (a common suggestion).
    Problem: if I encrypt the passphrase I will need to use yet another key. How do I protect this new key? Turtles all the way down...
  3. Scramble / encode / hide it / hardcode the key.
    Problem: Any form of obfuscation will (a) be shared among all installations of our software, and (b) can be discovered through reverse engineering or less nefariously by the original author of said obfuscation telling someone about it. Once the obfuscation is made public (as often happens) it is just as exposed as the original clear text passphrase.
  4. Store it in a secure hardware-based vault.
    Problem: Those are expensive and unless you have invested in one to solve the greater issues of enterprise key and credential management it is likely overkill.

The question then remains: what can you do to protect this clear text passphrase from unauthorized disclosure? There are a set of best practices described both by OWASP and Apache on protecting the server.xml file. The two that I most often recommend are:

  1. Use file level access control or permissions to restrict access to server.xml to the service user running Apache Tomcat.
  2. Monitor server.xml for unauthorized access.
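Both recommendations are easy to turn into a repeatable check. The Python below is an added example, not code from BMC or from the Apache Tomcat project: it verifies that server.xml is owned by the service account and unreadable by anyone else, and it lists each connector attribute that carries a clear-text passphrase so that you know exactly which files the permissions and monitoring have to cover. The sample server.xml, the placeholder passphrase, and the choice of the current user as the service account are constructed for the demonstration; the attribute names keystorePass, truststorePass, and certificateKeystorePassword are real Tomcat attributes.

```python
"""Added example: audit a Tomcat server.xml for ownership, permissions and
clear-text keystore passphrases."""
import os
import pwd
import stat
import tempfile
import xml.etree.ElementTree as ET

# Real Tomcat attribute names that hold a clear-text passphrase: the first two
# on older Connector elements, the third on the Tomcat 8.5+ Certificate element.
CLEAR_TEXT_ATTRS = ("keystorePass", "truststorePass", "certificateKeystorePassword")


def user_name(uid: int) -> str:
    """Map a uid to a login name; fall back to the number when there is no passwd entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def current_user() -> str:
    """The account running this script (stands in for the Tomcat service user here)."""
    return user_name(os.getuid())


def audit_server_xml(path: str, service_user: str) -> list:
    """Return a list of findings; an empty list means the file is owned by the
    service account, unreadable by group and other, and holds no clear-text secret."""
    findings = []
    st = os.stat(path)
    owner = user_name(st.st_uid)
    if owner != service_user:
        findings.append(f"owner is {owner}, expected service user {service_user}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {oct(mode)} grants group/other access; expected 0o600 or stricter")
    for element in ET.parse(path).iter():
        for attr in CLEAR_TEXT_ATTRS:
            if attr in element.attrib:
                findings.append(f"<{element.tag}> stores a clear-text {attr}; "
                                "file permissions and access monitoring are its only protection")
    return findings


def write_sample_server_xml(mode: int) -> str:
    """Write a constructed minimal server.xml (placeholder passphrase) to a temp dir."""
    sample = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/keystore.jks" keystorePass="placeholder-passphrase"/>
  </Service>
</Server>
"""
    path = os.path.join(tempfile.mkdtemp(), "server.xml")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(sample)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for mode in (0o644, 0o600):
        sample_path = write_sample_server_xml(mode)
        print(oct(mode), audit_server_xml(sample_path, current_user()) or ["OK"])
```

Even with the permissions right, the clear-text finding stays, which is the point of the post: that attribute can only be protected by restricting and watching the file. For the second recommendation on Linux, an auditd watch on the file (for example -w /path/to/tomcat/conf/server.xml -p rwa -k tomcat_server_xml, with the path being whatever your installation uses) records every read, write, and attribute change so that unexpected access shows up in the audit log.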

I think most security practitioners will agree that security through obscurity is not a good approach as it provides a false sense of security. However, something about leaving clear text passwords in a configuration file just doesn't feel great either. Have you come up with an approach that gives you the proverbial "warm fuzzies"? I would love to hear about it if you have.

Latest details from BMC

Last Updated: March 10, 2016 12:40PM CST

On March 1, 2016, the OpenSSL Software Foundation released a security advisory detailing seven vulnerabilities and a new attack, referred to as the Decrypting RSA with Obsolete and Weakened eNcryption (DROWN) attack. Of the seven vulnerabilities posted, three are related to the DROWN attack. DROWN exploits weaknesses in SSL version 2 (SSLv2) to enable an attacker to collect and decrypt TLS sessions. A successful attack requires the ability to collect traffic for a server that supports both TLS and SSLv2.

Environments that have been configured to disable SSLv2 as well as export-grade ciphers are not vulnerable to DROWN. Therefore, if you have performed the steps to mitigate both the TLS Logjam and POODLE attacks, you are not vulnerable. Additionally, the attack is further deflected by ensuring private keys are not shared among multiple servers (where one is configured to allow SSLv2 and the other is not).
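The two configuration conditions named above (SSLv2 disabled, export-grade ciphers disabled) can be checked mechanically. The Python below is an added example, not code from BMC or the OpenSSL project: it reads httpd-style SSLProtocol and SSLCipherSuite values and reports whether either condition still holds, with a weak configuration next to its corrected form. Both configuration snippets are constructed, and the cipher-list evaluation is an approximation of OpenSSL's cipher-string semantics (the '!' kill rule and the aliases that include export suites), not a full implementation.

```python
"""Added example: flag SSLv2 and export-grade ciphers in httpd-style TLS settings."""
import re

# Constructed: a weak configuration next to its corrected form.
WEAK_CONFIG = """
SSLProtocol all
SSLCipherSuite ALL:!aNULL:EXP-RC4-MD5
"""
HARDENED_CONFIG = """
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!EXPORT
"""

# What 'all' expanded to in httpd builds that still supported SSLv2.
ALL_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
# OpenSSL cipher-list aliases that pull in export-grade suites.
EXPORT_ALIASES = {"ALL", "EXPORT", "EXP", "EXPORT40", "EXPORT56"}


def directive(config: str, name: str) -> str:
    """Return the value of the last occurrence of a directive, or '' if absent."""
    matches = re.findall(rf"^\s*{re.escape(name)}\s+(.+?)\s*$", config, flags=re.M)
    return matches[-1] if matches else ""


def sslv2_enabled(protocol_value: str) -> bool:
    """Evaluate an SSLProtocol value the way httpd does: a bare name selects it,
    '+' adds, '-' removes, and 'all' selects every supported protocol."""
    enabled = set()
    for token in protocol_value.split():
        name = token.lstrip("+-").lower()
        names = ALL_PROTOCOLS if name == "all" else {name}
        if token.startswith("-"):
            enabled -= names
        else:
            enabled |= names
    return "sslv2" in enabled


def export_ciphers_enabled(cipher_value: str) -> bool:
    """Approximate OpenSSL cipher-list semantics: '!' permanently removes a
    group, so '!EXPORT' or '!EXP' wins; otherwise an alias that contains export
    suites, or an explicit EXP- suite name, enables them."""
    tokens = cipher_value.split(":")
    if any(t in ("!EXPORT", "!EXP") for t in tokens):
        return False
    return any(t.lstrip("+") in EXPORT_ALIASES or t.lstrip("+").startswith("EXP-")
               for t in tokens)


def drown_findings(config: str) -> dict:
    """Both values must be False for the server to be outside DROWN's preconditions.
    A missing SSLProtocol means httpd's default of 'all'; a missing SSLCipherSuite is
    reported as None because its default depends on the OpenSSL build."""
    protocols = directive(config, "SSLProtocol") or "all"
    ciphers = directive(config, "SSLCipherSuite")
    return {
        "sslv2": sslv2_enabled(protocols),
        "export_ciphers": export_ciphers_enabled(ciphers) if ciphers else None,
    }


if __name__ == "__main__":
    print("weak:    ", drown_findings(WEAK_CONFIG))
    print("hardened:", drown_findings(HARDENED_CONFIG))
```

The third condition in the post, a private key shared with another server that still speaks SSLv2, is not visible in one server's configuration; that one has to be checked from your certificate inventory.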

The products listed in Table 1 below include OpenSSL libraries affected by the OpenSSL DROWN vulnerability. Although they might not be vulnerable to the attack (not used for TLS, or SSLv2 disabled), they have patches or remediation advice available.

Table 1: Products which include affected OpenSSL, with remediation / patches
  • BMC MainView Console Automation for zEnterprise: MainView Console Management Cumulative SSL Security Patch 2016.03.07 is available for download on BMC Electronic Product Distribution (EPD).
  • BMC Discovery (previously ADDM): See the BMC Discovery blog in communities.
  • BMC Control-M/Enterprise Manager, BMC Control-M/Server, and BMC Control-M/Agent (V8 and V9; V7): Use a different private key for each server.
The products listed in Table 2 below either do not include OpenSSL libraries or are unaffected by the DROWN vulnerability.

Table 2: Products that do not include OpenSSL, or include OpenSSL but are not vulnerable
  • BMC Atrium Orchestrator
  • BMC Cloud Lifecycle Management
  • BMC Decision Support for Database Automation
  • BMC Decision Support for Network Automation
  • BMC MainView for z/OS solutions
  • BMC IMS for z/OS solutions (all products and versions)
  • BMC DB2 for z/OS solutions (all products and versions)
  • BMC Middleware Automation
  • BMC TrueSight Middleware Administration
  • BMC Middleware Management - Transaction Analytics for WebSphere MQ (StatWatch)
  • BMC Release Process Manager
  • BMC BladeLogic Client Automation
  • BMC BladeLogic Portal
  • BMC AppSight
  • BMC Identity Management
  • BMC IT Business Management
  • BMC Network Automation
  • BMC Service Desk Express
  • BMC Service Level Management
  • BMC TrackIt!
  • BMC RemedyForce (all versions)
  • BMC Footprints Service Core/Renoir 12
  • BMC TrueSight Capacity Optimization prior to v10.5
  • BMC Event Manager
  • BMC TrueSight IT Data Analytics
  • BMC Storage Data Management
  • BMC Performance Manager for WebSphere Business Integration (WBI)
  • Aternity for BMC End User Experience Management Console and Agents (all versions)
  • BMC Education Solution Accelerator (ESA)
  • Moviri Integration for BMC Capacity Optimization
  • nlyte Enterprise Edition for BMC Software
  • Seamless Technologies Event Integration for BMC TrueSight Operations Management
  • BMC Mobile Device Management (MDM)
  • Sentry Software Integration for BMC Capacity Optimization
  • Sentry Software Monitoring for BMC TrueSight Operations Management
  • Sentry Software Adapters for BMC Atrium Orchestrator
  • SailPoint Provisioning Engine for BMC Software Solutions
  • SailPoint Compliance Manager for BMC Software Solutions
  • SailPoint Lifecycle Manager for BMC Software Solutions
  • Quindell OS3 Frameworks for BMC Remedy
  • BMC Cost Analyzer for zEnterprise
  • BMC Intelligent Capping for zEnterprise
  • BMC Subsystem Optimization for zEnterprise
  • BMC Capacity Optimization for Mainframes

Products not listed in Table 1 and Table 2 above are still under investigation. Updates on these products will be posted to this page as they become available.

Recommendations:

  1. BMC products are frequently installed in environments that include infrastructure components that embed the OpenSSL library (e.g. Web Servers, Application Servers, Middleware, etc.). Please check with the vendors of these components to ensure they have been patched or that they are not affected by the OpenSSL DROWN vulnerability.

A couple of critical broken authentication vulnerabilities were disclosed to BMC by ERNW GmbH (an independent research company), and they will be disclosed publicly at the Troopers 2016 conference in Heidelberg on March 16th, 2016. These vulnerabilities allow remote unauthorized access to Linux/Unix RSCD agents using the agents’ RPC API. Windows agents are not affected. For more detailed information, please see the following Flash Notification.

Due to the severity of these findings BMC has published a Knowledge Article with patching information as well as general recommendations for reducing the likelihood of successful exploitation. We strongly recommend that BSA customers follow the instructions within.


A security authentication vulnerability involving LDAP authentication was found. This vulnerability allows unauthorized access to the EM GUI server by using the EMAPI. Due to the severity of this vulnerability, BMC has published a knowledge article (requires login) with patching and/or workaround information. We strongly recommend that Control-M customers using LDAP authentication follow the instructions within.
