
Security researchers Raphaël Arrouas and Stephane Grundschober have identified a critical unauthenticated Remote Code Execution (RCE) vulnerability in BMC Remedy Mid Tier (CVE-2019-12740).

Mid Tier versions 9.1, 18.05, 18.08, and 19.02, including their service packs and patches, are all affected by this vulnerability.

Perform the following steps to resolve this issue:

  1. Ensure that the base version of Mid Tier is as follows:
    • For Mid Tier version 9.1—Base version must be Patch 1 for 9.1 Service Pack 3 (9.1.03.001) or Patch 2 for 9.1 Service Pack 4 (9.1.04.002)
    • For Mid Tier version 18.05—Base version must be 18.05 or Service Pack 5 for version 18.05 (18.05.005)
    • For Mid Tier version 18.08—Base version must be Service Pack 1 for version 18.08 (18.08.01)
    • For Mid Tier version 19.02—Base version must be 19.02
  2. Download the hot fix from ftp://ftp.bmc.com/pub/ARRecommendedFixes/Midtier.
  3. Deploy the hot fix as described in the Readme file provided with each hot fix bundle.
  4. Edit the web.xml file located in the <midTierInstallDirectory>/WEB-INF directory. For information about the steps to be followed, see the Additional Instructions section in the Readme files.
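Step 1 asks you to confirm the base version before the hot fix is applied. The following Python script is an added example, not a BMC tool: it encodes the base-version list from the steps above and classifies an installed Mid Tier version string against it. It assumes Mid Tier reports a dotted numeric version such as 9.1.03.001 (with or without trailing zero components) and treats the listed bases as exact matches; the hostnames and versions in the sample inventory are constructed.

```python
# Added example (not BMC's tool): check whether an installed BMC Remedy Mid Tier
# version is one of the base versions the CVE-2019-12740 hot fix is built for.
# Assumption: the installed version is a dotted numeric string such as
# "9.1.03.001" or "18.05.00.000"; the advisory's list is treated as exact bases.

# Base versions listed in the advisory, keyed by Mid Tier family (major, minor).
REQUIRED_BASES = {
    (9, 1):  ["9.1.03.001", "9.1.04.002"],   # 9.1 SP3 Patch 1, 9.1 SP4 Patch 2
    (18, 5): ["18.05", "18.05.005"],          # 18.05, 18.05 SP5
    (18, 8): ["18.08.01"],                    # 18.08 SP1
    (19, 2): ["19.02"],                       # 19.02
}


def parse_version(text):
    """Turn '18.05.00.000' into (18, 5): integer components, with trailing
    zeros beyond major.minor dropped so '18.05' and '18.05.00.000' compare equal."""
    try:
        parts = [int(p) for p in text.strip().split(".")]
    except ValueError:
        raise ValueError("version must be dotted integers: %r" % text)
    if len(parts) < 2:
        raise ValueError("version needs at least major.minor: %r" % text)
    while len(parts) > 2 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def hotfix_base_status(installed):
    """Classify an installed version against the advisory's base list.

    Returns (status, required) where status is one of:
      "ok"          - installed build is an accepted base; apply the hot fix
      "needs_base"  - affected family, but first move to one of `required`
      "not_listed"  - family not named in the advisory; do not assume it is safe
    """
    version = parse_version(installed)
    family = version[:2]
    required = REQUIRED_BASES.get(family, [])
    if not required:
        return ("not_listed", [])
    accepted = {parse_version(base) for base in required}
    if version in accepted:
        return ("ok", required)
    return ("needs_base", required)


def triage(inventory):
    """Run the check over a {hostname: version} inventory and return
    {hostname: status}, the starting point for an upgrade plan."""
    return {host: hotfix_base_status(ver)[0] for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {
        "midtier-prod-01": "9.1.03.001",
        "midtier-prod-02": "9.1.04.001",
        "midtier-dev-01": "18.05.00.000",
        "midtier-qa-01": "18.08.00",
        "midtier-legacy": "8.1.02.004",
    }
    for host, status in triage(sample).items():
        print("%-18s %-12s %s" % (host, sample[host], status))
```

A host in an affected family whose build is not on the list (for example 9.1 Service Pack 4 Patch 1) is reported as needs_base: bring it to one of the listed bases first, then deploy the hot fix. A family the advisory does not name is reported as not_listed rather than as safe, since the advisory makes no statement about it.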

For any additional questions, please open a Support case.

Many thanks to both researchers for responsibly disclosing this vulnerability and cooperating with BMC for a speedy resolution.