
Apache Commons Deserialization Vulnerability
Posted by Stephen Watts
Latest details from BMC
Last Updated: April 27, 2016 5:55 PM CDT
BMC Software’s Application Security team is investigating the impact of the Apache Commons Collections library deserialization vulnerability on the security posture of BMC products and services. The vulnerability has been described by various parties in multiple places (see FoxGlove Security's post and the darkreading article for examples): when an application deserializes Java objects from an untrusted source with the vulnerable library on its classpath, the InvokerTransformer class can be used to achieve code execution. The vulnerability has been assigned more than one CVE-ID through its inclusion in products released by IBM (CVE-2015-7450) and Oracle (CVE-2015-4852). We will post updates to this webpage with our findings.
Table 1

| Products that include the InvokerTransformer class | Remediation / Patches |
|---|---|
| BMC Atrium Orchestrator (BAO) | Neither the vulnerable class nor Commons Collections serialization/deserialization is used in the BAO code base. The vulnerable library has been upgraded in the 7.8.02 release of BAO. |
| BMC Network Automation (BNA) | A patch is estimated to be available December 15, 2015. |
| BMC BladeLogic Middleware Automation (BMA) | A patch is estimated to be available December 15, 2015. |
| BMC BladeLogic Server Automation (BSA) | The BMC BladeLogic Server Automation (BSA) solution includes the affected Apache Commons Collections library. However, it is not used directly in the BSA codebase. Nonetheless, a hot fix that patches the affected library is expected to be released by Jan 31, 2016. |
| BMC BladeLogic Decision Support for Server Automation (BDSSA) | The product does not accept and deserialize Java objects from untrusted sources. As a precaution, the Apache Commons Collections library will be upgraded in the next release of BDSSA (8.8). |
| BMC BladeLogic Portal | A patch is estimated to be available by December 31, 2015. |
| Control-M Agent v.8 and v.9 | Only used in command line utilities available on agent machines. In the interim, please refer to this article for directions on how to manually update the commons-collections.jar on the agent machines. |
| Control-M Application Integrator 8.0.00.000 / 8.0.00.100 | A patch (fix pack 2) is available. See release notes. |
| BMC TrueSight Middleware Administrator; BMC TrueSight Middleware Monitor; BMC TrueSight Middleware Transaction Monitor | The vulnerable class is included; however, it is not used. Patches are estimated to be available by December 18, 2015. |
| BMC TrueSight Capacity Optimization (BCO / TSCO) | Patches are available for direct download: |
| BMC TrueSight Transaction Management Application Response Time (TM ART) | A knowledge article has been published. A patch is available for direct download here. Version 4.2 SP4 will be available on BMC Electronic Product Distribution (EPD) on February 29, 2016. |
| BMC Remedy AR System and ITSM Suite 7.6.04; BMC Remedy AR System and ITSM Suite 8.0; BMC Remedy AR System and ITSM Suite 8.1; BMC Remedy AR System 8.8; BMC Remedy AR System and ITSM Suite 9.0 | InvokerTransformer is not used and not impacted. |
| BMC SmartIT; BMC MyIT | Hotfixes are available on BMC Electronic Product Distribution (EPD): MyIT 2.2.00_Hotfix_03022016; MyIT 2.5.00_Hotfix_03022016; MyIT 2.6.00_Hotfix_03022016; MyIT 3.0.00_Hotfix_03022016 |
| BMC Performance Manager Portal | A patch is available for direct download here. |
| BMC TrueSight Infrastructure Management (TSIM) 9.5, 9.6 | 9.6 patch estimated March 4, 2016; 9.5 patch estimated March 11, 2016. |
| BMC TrueSight Infrastructure Management (TSOM) 10.0, 10.1 | 10.0 and 10.1 patches estimated March 11, 2016. |
| BMC Atrium Single Sign On (ASSO) 8.1, 8.8, 9.0 | Hotfixes available. Please contact customer support. |
| BMC Discovery (previously ADDM) | A vulnerable version of the class is included; however, it is not used or exposed. As a precaution, the Apache Commons Collections library will be upgraded in all supported releases. Fixes are estimated to be available by April 30, 2016. |
The products listed in Table 2 below do not include the InvokerTransformer class and are therefore not vulnerable to this deserialization issue.
Table 2

| Products that do not include the InvokerTransformer class |
|---|
| BMC Database Automation (BDA) |
| BMC Release Package and Deployment (RPD) |
| BMC Release Process Management (RPM) |
| BMC Patrol |
| BMC TEA Agent |
| BMC Control-M Self Service |
| BMC Control-M Batch Impact Manager |
| BMC Control-M Workload Change Manager |
| BMC Control-M for SAP Business Objects |
| BMC zSeries Solutions (none affected) |
| BMC Middleware Administration (BMA) |
| BMC TrueSight Middleware and Transaction Monitor |
| BMC TrueSight IT Data Analytics |
| BMC Real End User Experience Monitoring |
| BMC TrueSight App Visibility Manager Server / Agent |
| BMC Patrol |
| Borland Silk Performer Synthetic Transaction Monitoring for BMC Software (Synthetic-EUEM) 15.0 |
| Borland Silk Performer Synthetic Transaction Monitoring for BMC Software 16.X |
| BMC Remedy Single Sign On (RSSO) |
Products not listed in Table 1 or Table 2 above are still under investigation. Updates on these products will be posted to this page as they become available.
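The tables above are organised around one question: does a deployment bundle the InvokerTransformer class, and if so, in which version of Commons Collections? The following script is an added example (not BMC's code and not part of this advisory) that answers that question for an installation directory: it opens every .jar/.war/.ear under a path, recurses into archives nested inside them (for instance WEB-INF/lib), and reports each archive that carries InvokerTransformer along with the Implementation-Version from its manifest. The sample tree built by `build_constructed_samples()` is constructed here with placeholder class bytes; the 3.2.2 / 4.1 threshold used by `version_disables_unsafe_serialization()` is the upstream release in which the Commons Collections project disabled deserialization of the functor classes by default, a fact not stated on this page.

```python
"""Locate archives that bundle the InvokerTransformer gadget class.

Added example, not BMC's code or the Commons Collections project's code.
Walks a directory, opens every .jar/.war/.ear as a zip (recursing into
archives nested inside, e.g. WEB-INF/lib), and reports each archive that
contains InvokerTransformer together with the Implementation-Version from
its manifest. The sample tree from build_constructed_samples() is
constructed for this example and uses placeholder class bytes."""
import io
import os
import tempfile
import zipfile

GADGET_CLASSES = (
    "org/apache/commons/collections/functors/InvokerTransformer.class",
    "org/apache/commons/collections4/functors/InvokerTransformer.class",
)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def manifest_version(zf):
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def version_disables_unsafe_serialization(version):
    """True for Commons Collections >= 3.2.2 (3.x line) or >= 4.1 (4.x line).

    Anything unparseable or absent is treated as not hardened, so an odd
    manifest errs on the side of being flagged."""
    if not version:
        return False
    try:
        parts = [int(p) for p in version.split(".")[:3]]
    except ValueError:
        return False
    parts += [0] * (3 - len(parts))
    if parts[0] == 3:
        return tuple(parts) >= (3, 2, 2)
    if parts[0] == 4:
        return tuple(parts) >= (4, 1, 0)
    return False


def inspect_archive(zf, label):
    """Report gadget classes in one open archive and in archives nested in it."""
    findings = []
    names = zf.namelist()
    hits = [c for c in GADGET_CLASSES if c in names]
    if hits:
        version = manifest_version(zf)
        findings.append({
            "archive": label,
            "classes": hits,
            "version": version,
            "hardened": version_disables_unsafe_serialization(version),
        })
    for name in names:  # nested jars, e.g. WEB-INF/lib/*.jar inside a .war
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            findings.extend(inspect_archive(inner, label + "!" + name))
    return findings


def scan_tree(root):
    """Scan every archive under root; returns findings sorted by archive label."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(inspect_archive(zf, os.path.relpath(path, root)))
            except zipfile.BadZipFile:
                continue
    return sorted(findings, key=lambda f: f["archive"])


def _write_jar(target, version, entries):
    """Write a minimal jar (manifest + entries) to a path or file-like object."""
    with zipfile.ZipFile(target, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
        for entry in entries:
            zf.writestr(entry, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class


def build_constructed_samples():
    """Build a constructed sample tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="cc-scan-")
    os.makedirs(os.path.join(root, "lib"))
    _write_jar(os.path.join(root, "lib", "commons-collections-3.2.1.jar"),
               "3.2.1", [GADGET_CLASSES[0]])
    _write_jar(os.path.join(root, "lib", "clean-util.jar"),
               "1.0", ["com/example/Util.class"])
    nested = io.BytesIO()
    _write_jar(nested, "4.0", [GADGET_CLASSES[1]])
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/commons-collections4-4.0.jar", nested.getvalue())
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_constructed_samples()
    for finding in scan_tree(target):
        print(finding)
```

Run it as `python scan.py /opt/product` to inspect a real installation; with no argument it scans the constructed sample tree and reports the 3.2.1 jar and the 4.0 jar nested in the war, while ignoring the clean jar. Presence of the class does not by itself mean a product is exploitable (several rows in Table 1 note that the class is bundled but never used), so treat a hit as the starting point for the vendor's guidance rather than a verdict.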