Share This:

Latest details from BMC

Last Updated: April 27, 2016 5:55 PM CDT

 

BMC Software’s Application Security team is investigating the impact that the Apache Commons Library deserialization vulnerability has on the security posture of BMC products and services. The vulnerability has been described by various parties in multiple places (see FoxGlove Security's post and the darkreading article for examples) and enables code execution via the InvokerTransformer class.

The vulnerability has been assigned more than one CVE-ID via inclusion in products released by IBM (CVE-2015-7450) and Oracle (CVE-2015-4852).

We will post updates to this webpage with our findings.

 

Products that include InvokerTransformer class
Remediation / Patches
BMC Atrium Orchestrator (BAO)

Neither the vulnerable class nor the Commons Collections serialization/deserialization are used in the BAO code base.

The vulnerable library has been upgraded in the 7.8.02 release of BAO.
To manually upgrade the Commons Collections library follow the instructions in this article.

BMC Network Automation (BNA)A patch is estimated to be available December 15, 2015
BMC BladeLogic Middleware Automation (BMA)A patch is estimated to be available December 15, 2015
BMC BladeLogic Server Automation (BSA)The BMC BladeLogic Server Automation (BSA) solution includes the affected Apache Commons Collections library.  However, it is not used directly in the BSA codebase. Nonetheless, a hot fix that patches the affected library is expected to be released by Jan 31, 2016.
BMC BladeLogic Decision Support for Server Automation (BDSSA)The product does not accept and deserialize Java objects from untrusted sources. As a precaution the Apache Commons Collections library will be upgraded in the next release of BDSSA (8.8)
BMC BladeLogic PortalA patch is estimated to be available by December 31, 2015
Control-M Agent v.8 and v.9

Only used in command line utilities available on agent machines.
Patches for the Control-M Agent are available:

  • V.9 FP1 see release notes.
  • V.8 FP5 estimated to be available by May 15, 2016.

In the interim please refer to this article for directions on how to manually update the commons-collections.jar on the agent machines.

Control-M Application Integrator 8.0.00.000 / 8.0.00.100A patch (fix pack 2) is available. See release notes.

BMC TrueSight Middleware Administrator

BMC TrueSight Middleware Monitor

BMC TrueSight Middleware Transaction Monitor

The vulnerable class is included, however it is not used.

Patches are estimated to be available by December 18, 2015

BMC TrueSight Capacity Optimization (BCO / TSCO)

Patches are available for direct download:

  • 10.0: fix is included starting from 10.0.00.02.C00006 released on December 15, 2015. Follow this link to obtain the latest cumulative hotfix released for version 10.0
  • 10.3: fix is included starting from 10.3.00.01.C00004 released on December 22, 2015. Follow this link to obtain the latest cumulative hotfix released for version 10.3
BMC TrueSight Transaction Management Application Response Time (TM ART)

A knowledge article has been published.

A patch is available for direct download here.

Version 4.2 SP4 will be available on BMC Electronic Product Distribution (EPD) on February 29, 2016

BMC Remedy AR System and ITSM Suite 7.6.04

BMC Remedy AR System and ITSM Suite 8.0

BMC Remedy AR System and ITSM Suite 8.1

BMC Remedy AR System 8.8

BMC Remedy AR System and ITSM Suite 9.0

InvokerTransformer is not used and not impacted
BMC SmartIT

BMC MyIT

Hotfixes are available on BMC Electronic Product Distribution (EPD):

MyIT 2.2.00_Hotfix_03022016

MyIT 2.5.00_Hotfix_03022016

MyIT 2.6.00_Hotfix_03022016

MyIT 3.0.00_Hotfix_03022016

BMC Performance Manager PortalA patch is available for direct download here.
BMC TrueSight Infrastructure Management (TSIM) 9.5,9.6

9.6 patch estimated March 4, 2016

9.5 patch estimated March 11, 2016

BMC TrueSight Infrastructure Management (TSOM) 10.0,10.110.0 and 10.1 patches estimated March 11, 2016
BMC Atrium Single Sign On (ASSO) 8.1, 8.8, 9.0Hotfixes available. Please contact customer support.
BMC Discovery (previously ADDM)A vulnerable version of the class is included, however it is not used or exposed. As a precaution, the Apache Commons Collections library will be upgraded in all supported releases. Fixes are estimated to be available by April 30, 2016.
The products listed in Table 2 below do not include the InvokerTransformer class and are therefore not vulnerable to the deserialization issue.
Products that do not include InvokerTransformer class
BMC Database Automation (BDA)

BMC Release Package and Deployment (RPD)

BMC Release Process Managament (RPM)
BMC Patrol
BMC TEA Agent
BMC Control-M Self Service
BMC Control-M Batch Impact Manager
BMC Control-M Workload Change Manager
BMC Control-M for SAP Business Objects
BMC zSeries Solutions (none affected)
BMC Middleware Administration (BMA)
BMC TrueSight Middleware and Transaction Monitor
BMC TrueSight IT Data Analytics
BMC Real End User Experience Monitoring
BMC TrueSight App Visibility Manager Server / Agent
BMC Patrol
Borland Silk Performer Synthetic Transaction Monitoring for BMC Software (Synthetic-EUEM) 15.0
Borland Silk Performer Synthetic Transaction Monitoring for BMC Software 16.X
BMC Remedy Single Sign On (RSSO)

 

Products not listed in Table 1 and Table 2 above are still under investigation. Updates on these products will be posted to this page as they become available.