Application Security News

December 14, 2015

Latest details from BMC

Last Updated: April 27, 2016 5:55 PM CDT

 

BMC Software’s Application Security team is investigating the impact that the Apache Commons Library deserialization vulnerability has on the security posture of BMC products and services. The vulnerability has been described by various parties in multiple places (see FoxGlove Security's post and the darkreading article for examples) and enables code execution via the InvokerTransformer class.

The vulnerability has been assigned more than one CVE-ID via inclusion in products released by IBM (CVE-2015-7450) and Oracle (CVE-2015-4852).

We will post updates to this webpage with our findings.

 

Table 1: Products that include InvokerTransformer class | Remediation / Patches

BMC Atrium Orchestrator (BAO)
    Neither the vulnerable class nor the Commons Collections serialization/deserialization are used in the BAO code base. The vulnerable library has been upgraded in the 7.8.02 release of BAO. To manually upgrade the Commons Collections library, follow the instructions in this article.

BMC Network Automation (BNA)
    A patch is estimated to be available December 15, 2015.

BMC BladeLogic Middleware Automation (BMA)
    A patch is estimated to be available December 15, 2015.

BMC BladeLogic Server Automation (BSA)
    The BSA solution includes the affected Apache Commons Collections library; however, it is not used directly in the BSA codebase. Nonetheless, a hot fix that patches the affected library is expected to be released by January 31, 2016.

BMC BladeLogic Decision Support for Server Automation (BDSSA)
    The product does not accept and deserialize Java objects from untrusted sources. As a precaution, the Apache Commons Collections library will be upgraded in the next release of BDSSA (8.8).

BMC BladeLogic Portal
    A patch is estimated to be available by December 31, 2015.
Control-M Agent v.8 and v.9
    Only used in command line utilities available on agent machines. Patches for the Control-M Agent are available:
      • V.9 FP1: see release notes.
      • V.8 FP5: estimated to be available by May 15, 2016.
    In the interim, please refer to this article for directions on how to manually update the commons-collections.jar on the agent machines.

Control-M Application Integrator 8.0.00.000 / 8.0.00.100
    A patch (fix pack 2) is available. See release notes.

BMC TrueSight Middleware Administrator
BMC TrueSight Middleware Monitor
BMC TrueSight Middleware Transaction Monitor
    The vulnerable class is included; however, it is not used. Patches are estimated to be available by December 18, 2015.

BMC TrueSight Capacity Optimization (BCO / TSCO)
    Patches are available for direct download:
      • 10.0: the fix is included starting from 10.0.00.02.C00006, released on December 15, 2015. Follow this link to obtain the latest cumulative hotfix released for version 10.0.
      • 10.3: the fix is included starting from 10.3.00.01.C00004, released on December 22, 2015. Follow this link to obtain the latest cumulative hotfix released for version 10.3.
BMC TrueSight Transaction Management Application Response Time (TM ART)
    A knowledge article has been published. A patch is available for direct download here. Version 4.2 SP4 will be available on BMC Electronic Product Distribution (EPD) on February 29, 2016.

BMC Remedy AR System and ITSM Suite 7.6.04
BMC Remedy AR System and ITSM Suite 8.0
BMC Remedy AR System and ITSM Suite 8.1
BMC Remedy AR System 8.8
BMC Remedy AR System and ITSM Suite 9.0
    InvokerTransformer is not used and these products are not impacted.
BMC SmartIT
BMC MyIT
    Hotfixes are available on BMC Electronic Product Distribution (EPD):
      • MyIT 2.2.00_Hotfix_03022016
      • MyIT 2.5.00_Hotfix_03022016
      • MyIT 2.6.00_Hotfix_03022016
      • MyIT 3.0.00_Hotfix_03022016

BMC Performance Manager Portal
    A patch is available for direct download here.

BMC TrueSight Infrastructure Management (TSIM) 9.5, 9.6
    9.6 patch estimated March 4, 2016. 9.5 patch estimated March 11, 2016.

BMC TrueSight Infrastructure Management (TSOM) 10.0, 10.1
    10.0 and 10.1 patches estimated March 11, 2016.

BMC Atrium Single Sign On (ASSO) 8.1, 8.8, 9.0
    Hotfixes available. Please contact customer support.

BMC Discovery (previously ADDM)
    A vulnerable version of the class is included; however, it is not used or exposed. As a precaution, the Apache Commons Collections library will be upgraded in all supported releases. Fixes are estimated to be available by April 30, 2016.
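The distinction Table 1 draws is whether an installation bundles the InvokerTransformer class at all, which is something a customer can verify on their own servers. The script below is an added example written for this page, not BMC tooling: it walks an installation directory, opens every jar/war/ear, reports archives that carry InvokerTransformer (descending into jars nested inside a war), and reads the bundled Maven pom.properties for the library version so the result can be compared against the fix pack notes. The two class entry names are the real locations of the class in commons-collections 3.x and commons-collections4 4.0; the archives that demo() builds are constructed samples.

```python
"""Report Java archives that bundle Apache Commons Collections' InvokerTransformer.

Added example for this bulletin, not BMC tooling. The two class entry names are the
real locations of InvokerTransformer in commons-collections 3.x and commons-collections4
4.0; the archives written by build_sample_tree() are constructed for the demo.
"""
import io
import os
import tempfile
import zipfile

INVOKER_TRANSFORMER_ENTRIES = (
    "org/apache/commons/collections/functors/InvokerTransformer.class",
    "org/apache/commons/collections4/functors/InvokerTransformer.class",
)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _pom_version(zf):
    """Return the version= value of the first Maven pom.properties in the archive, or None."""
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return None


def scan_archive(zf, label, findings):
    """Append a finding if zf bundles the class, then descend into any nested .jar entries."""
    names = set(zf.namelist())
    hits = [e for e in INVOKER_TRANSFORMER_ENTRIES if e in names]
    if hits:
        findings.append({"archive": label, "entry": hits[0], "version": _pom_version(zf)})
    for name in sorted(names):
        if name.lower().endswith(".jar"):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    scan_archive(inner, label + "!" + name, findings)
            except zipfile.BadZipFile:
                continue  # entry named .jar but not a valid zip; skip it


def find_invoker_transformer(root):
    """Walk root and return a finding dict for every archive that carries the class."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    scan_archive(zf, path, findings)
            except zipfile.BadZipFile:
                continue
    return findings


def build_sample_tree(root):
    """Write three constructed archives: a vulnerable jar, a war nesting that jar, and a clean jar."""
    cc = io.BytesIO()
    with zipfile.ZipFile(cc, "w") as zf:
        zf.writestr(INVOKER_TRANSFORMER_ENTRIES[0], b"\xca\xfe\xba\xbe")  # placeholder class bytes
        zf.writestr("META-INF/maven/commons-collections/commons-collections/pom.properties",
                    "version=3.2.1\ngroupId=commons-collections\n")
    with open(os.path.join(root, "commons-collections-3.2.1.jar"), "wb") as f:
        f.write(cc.getvalue())
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/commons-collections-3.2.1.jar", cc.getvalue())
    with zipfile.ZipFile(os.path.join(root, "clean.jar"), "w") as zf:
        zf.writestr("com/example/Clean.class", b"\xca\xfe\xba\xbe")


def demo():
    """Scan the constructed tree and return (archive path relative to root, version) pairs."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sorted((f["archive"][len(root) + 1:], f["version"])
                      for f in find_invoker_transformer(root))


if __name__ == "__main__":
    for archive, version in demo():
        print(f"{archive}: commons-collections {version}")
```

Presence of the class is what the table tracks, not exploitability: an archive can bundle InvokerTransformer and still never deserialize untrusted input, which is exactly the distinction BMC makes for BAO, BSA and BDSSA above. The scan is still worth running, because it finds copies in third-party components that a vendor bulletin does not cover.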
The products listed in Table 2 below do not include the InvokerTransformer class and are therefore not vulnerable to the deserialization issue.
Table 2: Products that do not include InvokerTransformer class

BMC Database Automation (BDA)
BMC Release Package and Deployment (RPD)
BMC Release Process Management (RPM)
BMC Patrol
BMC TEA Agent
BMC Control-M Self Service
BMC Control-M Batch Impact Manager
BMC Control-M Workload Change Manager
BMC Control-M for SAP Business Objects
BMC zSeries Solutions (none affected)
BMC Middleware Administration (BMA)
BMC TrueSight Middleware and Transaction Monitor
BMC TrueSight IT Data Analytics
BMC Real End User Experience Monitoring
BMC TrueSight App Visibility Manager Server / Agent
Borland Silk Performer Synthetic Transaction Monitoring for BMC Software (Synthetic-EUEM) 15.0
Borland Silk Performer Synthetic Transaction Monitoring for BMC Software 16.X
BMC Remedy Single Sign On (RSSO)

 

Products not listed in Table 1 and Table 2 above are still under investigation. Updates on these products will be posted to this page as they become available.

Latest details from BMC

Last Updated: December 12, 2015 12:00PM CST

 

BMC Software’s Application Security team is investigating the impact that the OpenSSL security vulnerability announced on July 9th has on the security posture of BMC products and services. The vulnerability enables attackers to forge a certificate that bypasses the validation mechanism. It only affects OpenSSL versions 1.0.2b/c and 1.0.1n/o.
The products listed in Table 1 below include OpenSSL libraries affected by the OpenSSL CVE-2015-1793 vulnerability.
Table 1: Products which include affected OpenSSL | Remediation / Patches

BMC MainView Console Management
    Patch MVCM-SSL-150713 is available for download from the BMC Electronic Product Distribution (EPD) site.
The products listed in Table 2 below either do not include OpenSSL libraries or include OpenSSL libraries unaffected by the OpenSSL CVE-2015-1793 vulnerability.
Table 2: Products that do not include OpenSSL

BMC Atrium Orchestrator
BMC Cloud Lifecycle Management
BMC Decision Support for Database Automation
BMC Decision Support for Network Automation
BMC MainView for z/OS solutions (all products and versions except as shown in Table 1)
BMC IMS for z/OS solutions (all products and versions)
BMC DB2 for z/OS solutions (all products and versions)
BMC Middleware Administration
BMC Middleware Management - Transaction Analytics for WebSphere MQ (StatWatch)
BMC BladeLogic Client Automation
BMC BladeLogic Portal
BMC AppSight
BMC Identity Management
BMC IT Business Management
BMC Network Automation
BMC Service Desk Express
BMC Service Level Management
BMC TrackIt!
BMC RemedyForce (all versions)
BMC Footprints Service Core/Renoir 12
BMC Performance Manager Portal
BMC Event Manager
BMC TrueSight IT Data Analytics
BMC Storage Data Management
BMC Performance Manager for WebSphere Business Integration (WBI)
Aternity for BMC End User Experience Management Console and Agents (all versions)
BMC Education Solution Accelerator (ESA)
Moviri Integration for BMC Capacity Optimization
nlyte Enterprise Edition for BMC Software
Seamless Technologies Event Integration for BMC TrueSight Operations Management
BMC Mobile Device Management (MDM)
Sentry Software Integration for BMC Capacity Optimization
Sentry Software Monitoring for BMC TrueSight Operations Management
Sentry Software Adapters for BMC Atrium Orchestrator
SailPoint Provisioning Engine for BMC Software Solutions
SailPoint Compliance Manager for BMC Software Solutions
SailPoint Lifecycle Manager for BMC Software Solutions
Quindell OS3 Frameworks for BMC Remedy
BMC Cost Analyzer for zEnterprise
BMC Intelligent Capping for zEnterprise
BMC Subsystem Optimization for zEnterprise
BMC Capacity Optimization for Mainframes

Table 2 (continued): Products that include OpenSSL, but are not vulnerable

BMC Client Management (formerly BMC Footprints Asset Core) versions 11.x, 12.x: ship with the 1.0.0 thread of OpenSSL.
BMC Footprints Service Core 11.6.06: ships with OpenSSL 1.0.1m, which is not affected.
BMC Atrium Discovery and Dependency Mapping (ADDM): see this blog post for details.
BMC Control-M (Server, Agent, Enterprise Manager, and AFT)
BMC BladeLogic Server Automation (BSA)
BMC BladeLogic Decision Support for Server Automation (BDSSA)
BMC Remedy AR System
BMC Remedy IT Service Management Suite (ITSM)

 

Products not listed in Table 1 and Table 2 above are still under investigation. Updates on these products will be posted to this page as they become available.
Recommendations:
   1. BMC products are frequently installed in environments that include infrastructure components that embed the OpenSSL library (e.g. Web Servers, Application Servers, Middleware, etc.). Please check with the vendors of these components to ensure they have been patched or that they are not affected by the OpenSSL CVE-2015-1793 vulnerability.

Latest details from BMC

Last Updated: August 14, 2015 16:20 PM CDT

 

BMC Software’s Application Security team has investigated the impact that the SHOTPUT Adobe Flash Vulnerability (CVE-2015-3113) has on the security posture of BMC products and services.

We have not found any BMC products that embed or ship Adobe Flash. Thus they do not include this vulnerability. There are BMC products that rely on the existence of the Adobe Flash browser plugins, however those plugins can be safely upgraded and we urge you to do so.


Latest details from BMC

Last Updated: September 2, 2015 11:00 AM CDT

 

BMC Software’s Application Security team is investigating the impact that the Logjam Attack (CVE-2015-4000) described by a group of researchers in a dedicated website on May 20th has on the security posture of BMC products and services.

We will post updates to this webpage with our findings.

In the interim we suggest that you follow the instructions provided by the researchers who discovered the attack to minimize your exposure.

 

Table 1: Products affected by CVE-2015-4000 | Remediation / Patches

BMC Atrium Discovery and Dependency Mapping (ADDM)
    See the product documentation for details.

BMC Bladelogic Server Automation (BSA) 8.6 SP1
BMC Bladelogic Decision Support for Server Automation (BDSSA)
    See this article for remediation instructions.

Cloud Lifecycle Manager (CLM) (not including underlying Remedy AR platform)
    See this blog post for remediation instructions. The next patch will include the required configuration changes.

BMC Atrium Orchestrator (BAO)
    There is currently no feasible workaround in existing versions. Release 7.8.01 will no longer be affected.

BMC Release Package and Deployment (RPD) prior to Version 4.4 patch 10
    See this document for remediation instructions. Versions 4.4 patch 10 and above are no longer impacted.

BMC Release Lifecycle Management (RLM)
    See RPD, RPM and BSA.

BMC Workload Automation (Control-M)
    See this article for remediation instructions.

BMC Remedy AR System and ITSM
    See this article for remediation instructions.

Entuity Network Monitoring for BMC TrueSight Operations Management
    There is no Logjam flaw in the Entuity solution itself. Please contact BMC Customer Support for instructions on configuration changes that will reject certificates with insecure ciphers.

BMC Footprints Service Core
    For version 12 see this article. For versions 11.x contact BMC Customer Support.
The products listed in Table 2 below are unaffected by CVE-2015-4000.
Table 2: Products that are unaffected by CVE-2015-4000
BMC Client Management (BCM) (previously Footprints Asset Core)
BMC Bladelogic Decision Support for Network Automation
BMC Bladelogic Decision Support for Database Automation
BMC Bladelogic Network Automation (BNA)
BMC Bladelogic Database Automation (BDA)
BMC Release Process Management (RPM)
BMC Middleware Administration (BMA)
BMC Data Center Automation Portal (DCA Portal)
Borland Silk Performer for TrueSight Operations Management
BMC TMART 4.2 SP3
AVNET (previously Seamless Technologies Event Integration for BMC ProactiveNet Performance Management)
BMC Mobile Device Management (MDM) (airwatch)
BMC AppSight
BMC BladeLogic Client Automation
BMC Identity Management
BMC IT Business Management
BMC Storage Data Management

Last Modified at 2:30AM CT, March 30, 2015

Latest details from BMC

 

The products below ship with a node.js server that is statically linked with a version of OpenSSL that if used for TLS communication may be vulnerable to CVE-2014-0160 (Heartbleed). We have reviewed the use of node.js within the products below and found that it is not exploitable in this context.

Products which include MongoDB | Remediation / Patching

BMC MyIT
BMC SmartIT
    See this support article for a detailed explanation of why the products are not vulnerable to CVE-2014-0160.

Latest details from BMC

Last Updated: December 7, 2015 3:00PM CST

 

BMC Software’s Application Security team is investigating the impact that multiple OpenSSL security vulnerabilities announced on March 19th have on the security posture of BMC products and services. Of the 14 vulnerabilities described, two were classified as high severity cases: CVE-2015-0204 and CVE-2015-0291.
The products listed in Table 1 below include OpenSSL libraries affected by the OpenSSL CVE-2015-0204 and/or CVE-2015-0291 vulnerabilities.
Table 1: Products which include affected OpenSSL | Remediation / Patches

BMC Atrium Discovery and Dependency Mapping
    See article in BMC Communities.

BMC Footprints Service Core 11.6.05 and prior
    Patch released (see this article for details). An upgraded version of OpenSSL is included in release 11.6.06.

Borland Silk Performer for TrueSight Operations Management 15.5.10
    Addressed in Borland Silk Performer for TrueSight Operations Management 15.5.60, available on BMC Electronic Product Distribution (EPD).

BMC TMART 4.2 SP2
    Addressed in BMC TMART 4.2 SP3, available on BMC Electronic Product Distribution (EPD).

BMC Application Diagnostics 2.6.10
    Addressed in 2.6.15 and 2.7.01, available on BMC Electronic Product Distribution (EPD).

Entuity Network Monitoring for BMC TrueSight Operations Management V14.0, V14.5 and V15.0
    Patches available from the Entuity web site. Please contact BMC Customer Support for access credentials.

BMC Database Automation (BladeLogic)
    Patch estimated May 31, 2015.

BMC Release Package and Deployment (RPD)
    Patch estimated May 31, 2015.

BMC Release Lifecycle Management
    See RPD, RPM and BSA.

BMC Workload Automation (Control-M)
    See this article for details.

BMC MainView Console Management 3.2.1 and prior
    Upgrade to release 3.2.2 or install Cumulative SSL Security patch 2015.04.21.
The products listed in Table 2 below either do not include OpenSSL libraries or include OpenSSL libraries unaffected by the OpenSSL CVE-2015-0204 and CVE-2015-0291 vulnerabilities.
Table 2: Products that do not include OpenSSL

BMC Atrium Orchestrator
BMC Cloud Lifecycle Management
BMC Decision Support for Database Automation
BMC Decision Support for Network Automation
BMC MainView Console Management 2.12 and prior
BMC MainView for z/OS solutions (all products and versions except as shown in Table 1)
BMC IMS for z/OS solutions (all products and versions)
BMC DB2 for z/OS solutions (all products and versions)
BMC Middleware Administration
BMC Middleware Management - Transaction Analytics for WebSphere MQ (StatWatch)
BMC BladeLogic Client Automation
BMC BladeLogic Portal
BMC AppSight
BMC Identity Management
BMC IT Business Management
BMC Network Automation
BMC Service Desk Express
BMC Service Level Management
BMC TrackIt!
BMC RemedyForce (all versions)
BMC Footprints Service Core/Renoir 12
BMC Performance Manager Portal
BMC Event Manager
BMC TrueSight IT Data Analytics
BMC Storage Data Management
BMC Performance Manager for WebSphere Business Integration (WBI)
Aternity for BMC End User Experience Management Console and Agents (all versions)
BMC Education Solution Accelerator (ESA)
Moviri Integration for BMC Capacity Optimization
nlyte Enterprise Edition for BMC Software
Seamless Technologies Event Integration for BMC TrueSight Operations Management
BMC Mobile Device Management (MDM)
Sentry Software Integration for BMC Capacity Optimization
Sentry Software Monitoring for BMC TrueSight Operations Management
Sentry Software Adapters for BMC Atrium Orchestrator
SailPoint Provisioning Engine for BMC Software Solutions
SailPoint Compliance Manager for BMC Software Solutions
SailPoint Lifecycle Manager for BMC Software Solutions
Quindell OS3 Frameworks for BMC Remedy

Table 2 (continued): Products that include OpenSSL, but are not vulnerable

BMC Client Management (formerly BMC Footprints Asset Core) versions 11.x, 12.x: ship with the 1.0.0 thread of OpenSSL with export ciphers disabled. Will upgrade to the latest release of the OpenSSL 1.0.0 thread in version 12.1, planned for October 2015.
BMC Performance Manager Portal 2.11.0: ships with export ciphers disabled.
BMC TrueSight Infrastructure Management (formerly BMC Proactivenet Performance Management Suite) 9.5 and 9.6: ship with export ciphers disabled.
BMC Bladelogic Decision Support for Server Automation 8.3.02 (Windows + Linux + Solaris)
BMC Bladelogic Decision Support for Server Automation 8.3.03 (Windows + Linux + Solaris)
BMC Bladelogic Decision Support for Server Automation 8.5 (Windows + Linux + Solaris)
BMC Bladelogic Decision Support for Server Automation 8.5.01 (Windows + Linux + Solaris)
BMC Bladelogic Decision Support for Server Automation Unix (Linux + Solaris) 8.2, 8.2.01, 8.2.02
BMC Bladelogic Decision Support for Server Automation Unix (Linux + Solaris) 8.2.03, 8.2.04, 8.3, 8.3.01
BMC Bladelogic Decision Support for Server Automation Windows 8.2.02, 8.2.03, 8.2.04, 8.3, 8.3.01
BMC Release Process Management (RPM)
BMC Server Automation (BladeLogic) (BSA)
BMC Capacity Optimization and Performance Assurance (old name) / TrueSight Capacity Optimization
BMC Real End User Experience Monitoring versions 2.5 and 2.5.01 (2.5.64.306 and 2.5.66.300)
BMC Real End User Experience Monitoring Hardware Collector versions 2.5 and 2.5.01 (2.5.64.306 and 2.5.66.300)
BMC TrueSight End User Monitor 1200 Series versions 2.5 and 2.5.01 (6.5.64.306 and 6.5.66.300)
BMC TrueSight End User Monitor 4200 Series versions 2.5 and 2.5.01 (6.5.64.306 and 6.5.66.300)
BMC Real End User CloudProbe
BMC MyIT (see this page for additional details)
BMC SmartIT (see this page for additional details)
BMC Remedy AR System and ITSM Suite (see this article for details)

 

Products not listed in Table 1 and Table 2 above are still under investigation. Updates on these products will be posted to this page as they become available.
Recommendations:
   1. BMC products are frequently installed in environments that include infrastructure components that embed the OpenSSL library (e.g. Web Servers, Application Servers, Middleware, etc.). Please check with the vendors of these components to ensure they have been patched or that they are not affected by the OpenSSL CVE-2015-0204 and CVE-2015-0291 vulnerabilities.

Last Modified at 04:30AM CT, February 5, 2015

Latest details from BMC

 

BMC Software’s Application Security team has investigated the impact that the CVE-2015-0235 (a.k.a. “GHOST”) vulnerability has on the security posture of BMC products and services.

As this flaw stems from glibc and manifests itself via the gethostbyname() function, we have not found it to be exploitable in any BMC products. However, the products listed below ship with Linux operating systems and are therefore affected by the CVE-2015-0235 vulnerability.

We recommend that our customers take the necessary steps to prevent exploitation of CVE-2015-0235, either by patching their Linux operating systems or by configuring appropriate IPS signatures.

Products which include a vulnerable OS | Remediation / Patching

BMC Atrium Discovery and Dependency Mapping - all versions
BMC Atrium Discovery and Dependency Mapping Proxy - all versions
    The latest OS update includes an updated version of glibc.

BMC Real End User Experience Monitoring
BMC Real End User Experience Monitoring Hardware Collector
BMC TrueSight End User Monitor
    A device patch and product specific knowledge article are expected by February 28, 2015.

Last Modified at 1:15PM CT, February 19, 2015

Latest details from BMC

 

Recent research published by three students at Saarland University in Germany shows that a large number of MongoDB databases all over the globe have been misconfigured; this allows unauthenticated remote access to sensitive information.

 

BMC Software’s Application Security team has investigated the impact that the MongoDB security configuration vulnerability (described here) has on the security posture of BMC products and services.

 

The products below ship with a MongoDB database and if configured incorrectly might be vulnerable to the attacks described above. We recommend that our customers take the necessary steps to configure their MongoDB deployments securely as documented in the MongoDB manuals.

Products which include MongoDB | Remediation / Patching

BMC MyIT
BMC SmartIT
    See this support article for instructions on configuring MongoDB in a secure fashion.

Last Modified at 9:45AM CST, December 10, 2015

Latest details from BMC

 

BMC Software’s Application Security team is investigating the impact that the SSL 3.0 CVE-2014-3566 (a.k.a. “POODLE”) vulnerability has on the security posture of BMC products and services.

The products listed below allow SSL 3.0 connections and are therefore affected by the SSL 3.0 CVE-2014-3566 vulnerability.

Products Which Allow SSL 3.0 Connections | Remediation / Patching

BMC Atrium Discovery and Dependency Mapping - all versions
BMC Atrium Discovery and Dependency Mapping Proxy - all versions
    Manually disable SSL 3.0 until patches are available that remove SSL 3.0 completely. These will be included in a future OS update. Refer to this blog post for details and instructions.
BMC Client Management - versions 11.x and 12.0 (formerly BMC FootPrints Asset Core)
    BMC will be disabling SSLv3 support in the BCM agent, permitting only TLS connections (versions 1.0, 1.1 or 1.2). In addition, OpenSSL will be updated to help block any downgrade attack such as POODLE.
    Please download one of the following hot fixes:
      • 11.5 Hot Fix
      • 11.6 Hot Fix
      • 11.7 Hot Fix
      • 12.0 Hot Fix
    NOTE: If integrating with BMC FootPrints Service Core, the application of the hot fix also requires the latest OpenSSL for the BMC FootPrints Service Core installation. The patch can be obtained from this support article.

BMC MainView Console Management for zEnterprise - all versions
    MainView Console Management Cumulative SSL Security Patch 2014.10.16 for versions 3.1-3.2 is available via Electronic Product Distribution. Earlier versions must be upgraded to at least 3.1 before the patch can be applied.

BMC Remedy OnDemand (service suite includes hosted instances of BMC MyIT, BMC AppZone and BMC Footprints Asset Core)
    BMC is in the process of disabling SSL v3.0 across all data centers and service offerings. To date the following service offerings have been completed:
      • Commercial - US
      • Commercial - UK
      • Commercial - CA
      • Commercial - AU
      • Public Sector - US
      • Public Sector - Federal

BMC Workload Automation (Control-M) versions 6.4.x, 7.0.x, 8.0.x
    Manually disable SSL 3.0 fallback. Refer to this blog post for details and instructions.

BMC FootPrints Service Core - version 12.x
    FootPrints 12.x does not install Java or Tomcat for the customer. Instead, the customer supplies their own Java and Tomcat installations. See this support article for guidance on upgrading these installations and how to disable SSLv3 in Tomcat. There are no patches necessary.

BMC FootPrints Service Core - versions 11.x, 10.0.2, 9.5.4
    See this support article for patches to update OpenSSL to 1.0.1j as used by the product in Perl and Tomcat. See this support article for guidance on disabling SSLv3 for versions 11 and newer.

Remedyforce
    Manually disable SSL 3.0 on web browsers. See this article in BMC Communities for details.
Aternity for BMC End User Experience Management Console and Agents (all versions)
Aternity for BMC End User Experience Management Dashboards Server (all versions)
    For every Aternity node (data warehouse, management server, and EPM), configure the Apache Tomcat HTTPS connector (in server.xml) by setting the following attributes:

        sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
        sslProtocol="TLS"

    See this article for more details. For the Tableau server, see this article for instructions.
BMC Atrium Orchestrator
    In Apache Tomcat turn off SSL v3 and v2 and leave only TLS enabled, as described in this article on the Redhat website.

BMC BladeLogic Database Automation
    In Apache Tomcat turn off SSL v3 and v2 and leave only TLS enabled, as described in this article on the Redhat website. OpenSSL will be upgraded in version 8.6 and back ported to 8.5 in a patch shortly after 8.6 is released.

BMC BladeLogic Decision Support for Database Automation
BMC BladeLogic Decision Support for Network Automation
    In Apache Tomcat go to the “<PATH>\BL-Decision Support\tomcat\conf” directory. Take a backup of the server.xml file. Edit server.xml, replacing sslProtocols="TLS" with sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2". Save the file and restart the “BL-Decision Support Web Server” service.

BMC Bladelogic Decision Support for Server Automation (Windows, Unix, and Linux)
    Upgrade packages are available for BDSSA 8.3.x and 8.5.x. See this article for instructions on obtaining the package for BDSSA.

BMC BladeLogic Middleware Automation
    Please see this article for detailed instructions on disabling SSL 3.0.

BMC BladeLogic Network Automation
    In Apache Tomcat turn off SSL v3 and v2 and leave only TLS enabled, as described in this article on the Redhat website. BNA server and agent communication over RMI uses TLS 1.2 by default. HTTPS communication between the BNA agent and network devices is either configured to initiate TLS or to accept the handshake from BNA, which uses TLS.

BMC BladeLogic Server Automation
    Upgraded OpenSSL and fixed Java JSSE in BSA 8.5 SP1 Patch 3 and BSA 8.6. A hotfix is available for 8.3.03 (build 190 or higher). Please see this article for instructions on obtaining this hotfix.

BMC Cloud Lifecycle Management
    In Apache Tomcat turn off SSL v3 and v2 and leave only TLS enabled, as described in this article on the Redhat website. If HTTPS is enabled for CLM Platform Manager, please contact BMC Customer Support for assistance with Jetty configuration.

BMC DCA Portal
    In Apache Tomcat turn off SSL v3 and v2 and leave only TLS enabled, as described in this article on the Redhat website.

BMC Release Package and Deployment
    In Apache Tomcat turn off SSL v3 and v2 and leave only TLS enabled, as described in this article on the Redhat website.

BMC Release Process Management (DevOps)
    In Apache Tomcat turn off SSL v3 and v2 and leave only TLS enabled, as described in this article on the Redhat website.

BMC Release Lifecycle Management
    This is a combination of BMC Release Package and Deployment, BMC Release Process Management, and BMC BladeLogic Server Automation. Please see the entries above for the individual remediation steps for each.
Entuity Network Monitoring for BMC ProactiveNet Performance Management V14.0 and above
Entuity for BMC TrueSight Operations Management
Entuity Integrator for BMC TrueSight Operations Management
Entuity Network Analyzer for BMC TrueSight Operations Management
Entuity Flow Analyzer for TrueSight Ops
    Modify the following Apache configuration files:

    <Entuity Home>\install\template\lib\apache\conf\httpd_eye.conf
      From:  ##CONFIGPARSE##    SSLProtocol -ALL +SSLv3 +TLSv1
      To:    ##CONFIGPARSE##    SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2

    <Entuity Home>\lib\apache\conf\httpd_eye.conf
      From:  SSLProtocol -ALL +SSLv3 +TLSv1
      To:    SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2

    Restart the Entuity Web Server:
      <Entuity Home>\bin\stop webserver
    The Web Server will automatically restart after stopping.

Entuity Network Monitoring for BMC ProactiveNet Performance Management V10.5 and earlier
    Please contact BMC Customer Support for assistance.
BMC Capacity Optimization and Performance Assurance
    See this article for detailed remediation steps.

BMC Patrol Central Web Edition
    See this article for detailed remediation steps.

BMC Performance Manager Portal
    See this article for detailed remediation steps.

BMC Application Transaction Tracing
    Patch available. Please contact BMC Customer Support for assistance.

BMC Middleware Administration
    See this article for detailed remediation steps.

BMC Middleware Management - Administration for WebSphere MQ (AppWatch)
    See this article for detailed remediation steps.

BMC Middleware Management - Performance and Availability
BMC Middleware Management - Transaction Monitoring
BMC Middleware Monitoring
    Patches available.

BMC ProactiveNet Performance Management Suite Server 9.0
BMC ProactiveNet Performance Management Suite 9.5
    See this article for detailed remediation steps.

BMC Real End User Experience Monitoring Hardware Collector versions 2.5 and 2.5.01 (2.5.64.306 and 2.5.66.300)
BMC Real End User Experience Monitoring versions 2.5 and 2.5.01 (2.5.64.306 and 2.5.66.300)
BMC TrueSight End User Monitor 1200 Series versions 2.5 and 2.5.01 (6.5.64.306 and 6.5.66.300)
BMC TrueSight End User Monitor 4200 Series versions 2.5 and 2.5.01 (6.5.64.306 and 6.5.66.300)
    Patch available. Please contact BMC Customer Support for assistance.

BMC TMART 4.2
    Please see this article for instructions.

BMC IT Data & Analytics
    By default, SSL is not enabled. The product documentation for enabling SSL has been updated so that SSLv3.0 is not enabled.

BMC Impact Integration Web Services 7.4.00
    Please see this article for detailed instructions on disabling SSL 3.0.

MyIT 2.0, MyIT 2.1 and SmartIT
    Please see this support article for instructions on disabling SSL V3 in the Tomcat used by MyIT and SmartIT.

BMC Remedy AR System and ITSM Suite 7.6.04, 8.0, and 8.1
    See this support article for instructions on disabling SSL V3 in the Tomcat used by Mid-Tier. If you are using the LDAP integration plug-in, BMC recommends consulting your LDAP Server documentation for turning off SSL V3 in your LDAP Server. An LDAP plug-in hotfix that allows the LDAP plug-in to use TLS for communication with the LDAP Server is available here.

BMC Remedy AR System 8.8
    See this support article for instructions on disabling SSL V3 in the Tomcat used by Mid-Tier. If you are using the LDAP integration plug-in, BMC recommends consulting your LDAP Server documentation for turning off SSL V3 in your LDAP Server.

BMC Atrium SSO
    See this support article for instructions on disabling SSL V3 in Atrium SSO.

BMC Transaction Management Application Response Time - Infrastructure Edition
BMC Transaction Management Application Response Time - Service Level Edition
    See this support article for instructions.
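Most of the Tomcat and Apache entries in the POODLE table come down to one question: after the change, does the connector's effective protocol list still contain SSLv3 (or SSLv2)? The script below is an added example for this page, not BMC or Entuity tooling. It parses a Tomcat server.xml and reports every SSL-enabled connector whose sslEnabledProtocols attribute still lists SSLv2/SSLv3 or is missing altogether (in which case the JVM default decides), and it evaluates mod_ssl SSLProtocol lines the way Apache does (a bare name sets the list, + adds, - removes, all expands to every protocol), accepting the ##CONFIGPARSE## prefix seen in the Entuity template file above. The attribute and directive names are the real ones; every configuration sample in the block is constructed.

```python
"""Audit Tomcat server.xml connectors and Apache httpd SSLProtocol directives for SSLv2/SSLv3.

Added example for this bulletin, not BMC's or Entuity's tooling. The Tomcat attribute
names (SSLEnabled, sslEnabledProtocols, sslProtocol) and the mod_ssl SSLProtocol syntax
are the real ones; the ##CONFIGPARSE## prefix mirrors the Entuity template files quoted
in the table, and every configuration sample below is constructed.
"""
import re
import xml.etree.ElementTree as ET

ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
LEGACY = {"SSLv2", "SSLv3"}
CANON = {p.lower(): p for p in ALL_PROTOCOLS}  # case-insensitive lookup of protocol names
SSLPROTOCOL_RE = re.compile(r"^\s*(?:##CONFIGPARSE##\s*)?SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)


def tomcat_findings(server_xml):
    """One message per HTTPS <Connector> that still permits SSLv2/SSLv3 or leaves the choice to the JVM."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP connector; nothing to audit
        port = conn.get("port", "?")
        enabled = conn.get("sslEnabledProtocols")
        if enabled is None:
            findings.append(f"port {port}: no sslEnabledProtocols attribute; "
                            "the enabled protocols fall back to the JVM default")
            continue
        protos = {CANON.get(p.strip().lower(), p.strip().lower())
                  for p in enabled.split(",") if p.strip()}
        if "all" in protos:
            findings.append(f"port {port}: sslEnabledProtocols=\"all\" enables every protocol the JVM supports")
            continue
        bad = sorted(protos & LEGACY)
        if bad:
            findings.append(f"port {port}: sslEnabledProtocols permits {', '.join(bad)}")
    return findings


def apache_protocol_set(args):
    """Compute the protocol set mod_ssl ends up with for one SSLProtocol argument list.

    A bare name replaces the set, '+' adds to it and '-' removes from it; 'all' expands to
    every protocol, so both 'all -SSLv2 -SSLv3' and '-ALL +TLSv1 +TLSv1.1 +TLSv1.2' are safe.
    """
    enabled = set()
    for tok in args.split():
        action, name = ("=", tok) if tok[0] not in "+-" else (tok[0], tok[1:])
        names = set(ALL_PROTOCOLS) if name.lower() == "all" else {CANON.get(name.lower(), name)}
        if action == "+":
            enabled |= names
        elif action == "-":
            enabled -= names
        else:
            enabled = names
    return enabled


def apache_findings(conf_text):
    """(line number, legacy protocols) for each SSLProtocol directive that still permits SSLv2/SSLv3."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = SSLPROTOCOL_RE.match(line)
        if m:
            legacy = apache_protocol_set(m.group(1)) & LEGACY
            if legacy:
                findings.append((lineno, sorted(legacy)))
    return findings


# Constructed samples: the "before" files mirror the weak settings the table tells readers to replace.
TOMCAT_BEFORE = """<Server><Service>
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"/>
  <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
             sslEnabledProtocols="SSLv3,TLSv1"/>
  <Connector port="8080"/>
</Service></Server>"""
TOMCAT_AFTER = """<Server><Service>
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"/>
</Service></Server>"""
APACHE_BEFORE = ("##CONFIGPARSE##    SSLProtocol -ALL +SSLv3 +TLSv1\n"
                 "<VirtualHost *:443>\n  SSLProtocol all\n</VirtualHost>\n")
APACHE_AFTER = ("##CONFIGPARSE##    SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2\n"
                "<VirtualHost *:443>\n  SSLProtocol all -SSLv2 -SSLv3\n</VirtualHost>\n")


def demo():
    """Run both audits over the before/after samples and return the findings."""
    return {
        "tomcat_before": tomcat_findings(TOMCAT_BEFORE),
        "tomcat_after": tomcat_findings(TOMCAT_AFTER),
        "apache_before": apache_findings(APACHE_BEFORE),
        "apache_after": apache_findings(APACHE_AFTER),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result or "clean")
```

The Tomcat check deliberately treats a missing sslEnabledProtocols as a finding rather than as clean: with only sslProtocol="TLS" set, the protocols actually offered are whatever the JVM enables by default, which on the Java releases current at the time of this bulletin included SSLv3. The Apache check only reads files; it does not confirm what the running server negotiates, so a handshake test against the live port is still the final word.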

Last Modified at 8:80AM CT, November 12, 2014

In reference to the Sept 25, 2014 disclosure of the GNU Bourne Again Shell (Bash) “ShellShock” vulnerabilities (CVE-2014-6271, CVE-2014-7169), BMC Software is currently investigating and assessing the impact on our products and services as well as on our own customer-facing portals.

BMC Software will communicate the results of our investigation and related remediation plans in this news article. Please bookmark this page and check it periodically for the latest details. These vulnerabilities are currently known to affect only BMC products that embed the Linux operating system, so the overall breadth of exposure is considered to be minimal.

Please be aware that this bulletin will only track the BMC products that are affected by these vulnerabilities. This means that if a BMC product is not listed, we have determined that it is not directly vulnerable to CVE-2014-6271 or CVE-2014-7169.

We have identified that the following BMC products and services are affected by the ‘Shellshock’ vulnerability (CVE-2014-6271, CVE-2014-7169):

| Product / Service | Affected | Status | Notes |
| --- | --- | --- | --- |
| ADDM | Yes | Fix Available | Please see this item in the BMC Communities for patches and installation instructions. |
| BMC Remedy OnDemand (service suite includes hosted instances of BMC MyIT, BMC AppZone and BMC Footprints Asset Core) | Yes | Patching Complete | The following BMC Remedy OnDemand service offerings have completed the patching process and will be continuously monitored for any future variations: Commercial - US; Commercial - UK; Commercial - CA; Commercial - AUS; Public Sector - US; Public Sector - Federal. |
| CLM Rapid Deployment Stack | Yes | Fix Available | The effect of the Shellshock vulnerability on the CLM RDS is described in this blog post. CLM Rapid Deployment Stack (RDS) v.4.1 has been updated to include a patched version of GNU bash. Existing deployments of the RDS must be patched manually by following the instructions in this article from Red Hat. |
| BMC Application Management Console; BMC Real End User Experience Hardware Collector (1200 series); BMC Real End User Experience Monitoring; BMC TrueSight End User Collector (4200 series); BMC TrueSight End User Monitor (all series) | Yes | Fix Available | Please see this knowledge article for download and installation instructions. |
| BMC Middleware and Transaction Management | Yes | Fix Available | GNU bash is included in a Cygwin distribution that is used to collect files to help resolve support cases related to the BMC Middleware Management solutions. A patched version of Cygwin is included in Hotfix 7.0.00.150.1AE, which is available for download on BMC Electronic Product Distribution. |


BMC products are frequently installed in environments that include infrastructure components and/or operating systems that embed the GNU Bourne Again Shell (Bash). Please check with the vendors of these components and operating systems to ensure they have been properly patched.


Last Updated: July 28, 2014 3:00PM CDT

The OpenSSL Security Advisory [05 Jun 2014] ("Advisory") disclosed OpenSSL security vulnerabilities. BMC Software is investigating the impact of the disclosed vulnerabilities to our products and services as well as our customer-facing portals.

The products in Table 1 below have been found to be vulnerable to the disclosed OpenSSL CCS Injection flaw. The planned remediation and expected availability date for each affected product is shown in the table. No products have been found to be vulnerable to the other flaws described in the advisory. This table will be updated as needed as the investigation progresses.

| Product | Remediation |
| --- | --- |
| BMC Bladelogic Decision Support for Server Automation 8.2.x, 8.3.x, and 8.5 (Windows + Linux + Solaris) | BDSSA 8.5 SP1 as well as patches for BDSSA 8.2.x, 8.3.x and 8.5 include OpenSSL 1.0.1h. All patches are available via ftp. |
| BMC Real End User Experience Monitoring versions 2.5 and 2.5.01 (2.5.64.306 and 2.5.66.300) | Upgraded to OpenSSL 1.0.1h in version 2.6 released July 11 (available by EPD) |
| BMC Real End User Experience Monitoring Hardware Collector versions 2.5 and 2.5.01 (2.5.64.306 and 2.5.66.300) | Upgraded to OpenSSL 1.0.1h in version 2.6 released July 11 (available by EPD) |
| BMC TrueSight End User Monitor 1200 Series versions 2.5 and 2.5.01 (6.5.64.306 and 6.5.66.300) | Upgraded to OpenSSL 1.0.1h in version 2.6 released July 11 (available by EPD) |
| BMC TrueSight End User Monitor 4200 Series versions 2.5 and 2.5.01 (6.5.64.306 and 6.5.66.300) | Upgraded to OpenSSL 1.0.1h in version 2.6 released July 11 (available by EPD) |
| BMC Atrium Discovery and Dependency Mapping 8.3.x, 9.0.x, and 10.0.x | Updated OpenSSL included in the OS update released June 20 |
| BMC Atrium Discovery and Dependency Mapping Proxy 9.0.x | Updated OpenSSL included in 9.0 SP3 released July 1 |
| BMC Atrium Discovery and Dependency Mapping Proxy 8.3.x and 10.0.x | Updated OpenSSL will be included in any future releases |
| BMC Atrium SSO | Please apply the OS update released June 20 to the ADDM appliance |
| BMC MainView Console Automation (all versions through 3.2) | For versions 3.1 and 3.2: a Cumulative SSL Security patch released June 9 addresses this case; it fixes both the "Heartbleed" vulnerability and those disclosed in June. Customers running earlier releases of MainView Console Automation must upgrade to version 3.2 before the patch can be installed. |
| BMC Footprints Service Core 11.6.02 and prior | Updated OpenSSL for Tomcat included in the patch released July 16. Detailed remediation steps and a link to the patch are included in this article on the Footprints support site. |
| Aternity for BMC End User Experience Management Dashboards Server (all versions) | Updated OpenSSL included in the patch available July 15 |

Although no other products have been found to be vulnerable to the OpenSSL CCS Injection flaw, some do include older versions of OpenSSL. As a precaution we will be upgrading OpenSSL libraries included in all our supported products as part of their next planned service pack or release, whichever occurs first.

BMC products are frequently installed in environments that include infrastructure components that embed the OpenSSL library (e.g. Web Servers, Application Servers, Middleware, etc.). Please check with the vendors of these components to ensure they have been patched or that they are not affected by the OpenSSL Security Advisory from June 5th.

Please bookmark this page, and check it periodically for the latest details.


Last Updated: June 2, 2014 4:00PM CDT


BMC Software’s Application Security team is investigating the impact that the OpenSSL CVE-2014-0160 vulnerability has on the security posture of BMC products and services.
The products listed in Table 1 below include OpenSSL libraries affected by the OpenSSL CVE-2014-0160 vulnerability.
| Products Which Include Affected OpenSSL | Remediation / Patches |
| --- | --- |
| BMC Atrium Discovery and Dependency Mapping 10.0; BMC Atrium Discovery and Dependency Mapping Proxy 10.0; BMC Atrium Discovery and Dependency Mapping 9.0 RedHat 6; BMC Atrium Discovery and Dependency Mapping Proxy 9.0 | Fix available on BMC Electronic Product Distribution. Refer to this blog post for details and update instructions. |
| BMC TrueSight Operations Management Suite Server 9.5 | Patches available from the BMC FTP site (see the readme file for details) |
| BMC Real End User Experience Monitoring versions 2.5 and 2.5.01 (2.5.64.306 and 2.5.66.300) | Patch available through deviceupdates. See this document for details. |
| BMC Real End User Experience Monitoring Hardware Collector versions 2.5 and 2.5.01 (2.5.64.306 and 2.5.66.300) | Patch available through deviceupdates. See this document for details. |
| BMC TrueSight End User Monitor 1200 Series versions 2.5 and 2.5.01 (6.5.64.306 and 6.5.66.300) | Patch available through deviceupdates. See this document for details. |
| BMC TrueSight End User Monitor 4200 Series versions 2.5 and 2.5.01 (6.5.64.306 and 6.5.66.300) | Patch available through deviceupdates. See this document for details. |
| Borland Silk Performer Synthetic Transaction Monitoring for BMC Software (Synthetic-EUEM) 15.0 | Fix available on BMC Electronic Product Distribution |
| BMC TMART 4.1 SP2, 4.2 | Fix available on BMC Electronic Product Distribution |
| BMC Bladelogic Decision Support for Server Automation 8.2.03, 8.2.04, 8.3, 8.3.01 | Linux fixes available: 8.2.03, 8.2.04; 8.3, 8.3.01. Solaris fixes available: 8.2.03, 8.2.04; 8.3, 8.3.01. Windows versions not affected. |
| BMC Bladelogic Decision Support for Server Automation 8.3.02, 8.3.03, 8.5 | Linux fixes available: 8.3.02, 8.3.03, 8.5. Solaris fixes available: 8.3.02, 8.3.03, 8.5. Windows fixes available: 8.3.02, 8.3.03, 8.5. |
| BMC MainView Console Automation for zEnterprise 3.1, 3.2 | Fix available on BMC Electronic Product Distribution |
| Aternity for BMC End User Experience Management Dashboards Server (all versions) | Fix available from Aternity. Click here for details. |
| Entuity Network Monitoring for BMC TrueSight Operations Management V14.0 | Fix available from the Entuity web site. Please contact BMC Customer Support for access credentials. |

The products listed in Table 2 below either do not include OpenSSL libraries or include OpenSSL libraries unaffected by the OpenSSL CVE-2014-0160 vulnerability.
| Products Which Do Not Include OpenSSL | Products Which Include Unaffected OpenSSL |
| --- | --- |
| BMC Atrium Orchestrator | BMC Atrium Discovery and Dependency Mapping 9.0 RedHat 5 |
| BMC Cloud Lifecycle Management | BMC Remedy AR System 8.8 |
| BMC Decision Support for Database Automation | BMC Remedy AR System and ITSM Suite 8.1 |
| BMC Decision Support for Network Automation | BMC Remedy AR System and ITSM Suite 8.0 |
| BMC Release Lifecycle Management | BMC Remedy AR System and ITSM Suite 7.6.04 |
| BMC MainView Console Management 2.12 and prior | BMC Atrium CMDB |
| BMC MainView for z/OS solutions (all products and versions except as shown in Table 1) | BMC Footprints Service Core 11.6.02 and prior |
| BMC IMS for z/OS solutions (all products and versions) | BMC Footprints Asset Core/BCM 11.6 |
| BMC DB2 for z/OS solutions (all products and versions) | BMC Footprints Asset Core/BCM 11.7 |
| BMC Middleware Administration | BMC Footprints Asset Core/BCM 12 |
| BMC Middleware Management - Transaction Analytics for WebSphere MQ (StatWatch) | BMC Remedy OnDemand (based on underlying Remedy and hosting environment tested) |
| BMC BladeLogic Client Automation | BMC Capacity Optimization and Performance Assurance |
| BMC AppSight | BMC Middleware Management - Performance and Availability |
| BMC Identity Management | BMC Middleware Management - Transaction Monitoring |
| BMC IT Business Management | BMC TrueSight Operations Management Suite Server 9.0 |
| BMC Network Automation | BMC Control-M 6.4 |
| BMC Service Desk Express | BMC Control-M 7.0 |
| BMC Service Level Management | BMC Control-M 8.0 |
| BMC TrackIt! | BMC Dashboard and Analytics |
| BMC MyIT (all versions) | BMC Release Process Management |
| BMC RemedyForce (all versions) | BMC Database Automation (BladeLogic) |
| BMC Footprints Service Core/Renoir 12 | BMC Server Automation (BladeLogic) |
| BMC Performance Manager Portal | BMC Release Package and Deployment (RPD) |
| BMC Storage Data Management | BMC Atrium SSO |
| BMC Performance Manager for WebSphere Business Integration (WBI) | BMC TMART 4.1 (prior to SP2) |
| Aternity for BMC End User Experience Management Console and Agents (all versions) | BMC Bladelogic Decision Support for Server Automation, on Unix: 8.2.00, 8.2.01, 8.2.02; on Windows: 8.2.02, 8.2.03, 8.2.04, 8.3, 8.3.01 |
| BMC Education Solution Accelerator (ESA) | BMC Event Manager |
| Moviri Integration for BMC Capacity Optimization | BMC Patrol Central Web Edition |
| nlyte Enterprise Edition for BMC Software | BMC Application Transaction Tracing |
| Seamless Technologies Event Integration for BMC TrueSight Operations Management | BMC Middleware Management - Administration for WebSphere MQ (AppWatch) |
| BMC Mobile Device Management (MDM) | BMC Middleware Monitoring |
| Sentry Software Integration for BMC Capacity Optimization | Entuity Network Monitoring for BMC TrueSight Operations Management V10.5 and earlier |
| Sentry Software Monitoring for BMC TrueSight Operations Management | BMC Performance Manager for Servers |
| Sentry Software Adapters for BMC Atrium Orchestrator | BMC PATROL Agent |
| SailPoint Provisioning Engine for BMC Software Solutions | |
| SailPoint Compliance Manager for BMC Software Solutions | |
| SailPoint Lifecycle Manager for BMC Software Solutions | |
| Quindell OS3 Frameworks for BMC Remedy | |

Products not listed in Table 1 and Table 2 above are still under investigation. Updates on these products will be posted to this page as they become available.
Recommendations:

1. In cases where BMC products were deployed in vulnerable environments, or where they were patched for the OpenSSL CVE-2014-0160 vulnerability, we recommend that you change all administrative passwords and replace all SSL certificates, since both may have been exposed before the patch was applied.
2. BMC products are frequently installed in environments that include infrastructure components that embed the OpenSSL library (e.g. web servers, application servers, middleware, etc.). Please check with the vendors of these components to ensure they have been patched or that they are not affected by the OpenSSL CVE-2014-0160 vulnerability.
