
Link to the NVD detail: https://nvd.nist.gov/vuln/detail/CVE-2020-1938

Published on 2020-02-24, this vulnerability is a serious file read/inclusion (Local File Inclusion, LFI) flaw in the Apache JServ Protocol (AJP) connector of Apache Tomcat that can lead to Remote Code Execution (RCE). AJP, which listens on TCP port 8009 by default, is a binary protocol designed to carry requests from a web server to an application server in order to improve performance. Vulnerable Tomcat versions and the fixes available from Apache are:

Affected Apache version             Fixed version
Apache Tomcat 9.0.30 and below      9.0.31
Apache Tomcat 8.5.50 and below      8.5.51
Apache Tomcat 7.0.99 and below      7.0.100

Some BMC products use a vulnerable version of Apache Tomcat. If the AJP connector is enabled, ensure that the Connector element in the Tomcat /conf/server.xml file contains the "requiredSecret" attribute, the "secret" attribute (which acts like a password, so its value must be strong and unique), and the "address" attribute set to "localhost".

For example, change:

    <!-- Define an AJP 1.3 Connector on port 8009 -->

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

To:

    <!-- Define an AJP 1.3 Connector on port 8009, bound to localhost and protected by a shared secret -->
    <!-- Tomcat 9.0.31, 8.5.51 and 7.0.100 read the secret from "secret" (enforced by "secretRequired"); earlier releases read it from "requiredSecret", so the password itself, not "true", must go there -->

    <Connector port="8009" address="localhost" requiredSecret="strong and unique password" secretRequired="true" secret="strong and unique password" protocol="AJP/1.3" redirectPort="8443" />

The same "secret" value must also be configured in each worker that needs to connect to Tomcat. For example, when Apache HTTP Server is the front end, it has to be defined in the "mod_proxy_ajp" configuration file.
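As an added example (not BMC's or Tomcat's own code), the following Python script parses a server.xml and reports each AJP connector that is not bound to a loopback address or that lacks a strong shared secret, accepting both the older "requiredSecret" name and the newer "secret"/"secretRequired" pair; the two server.xml fragments are constructed, and the minimum secret length is an assumed policy threshold.

```python
"""Audit a Tomcat server.xml for AJP connectors that lack the CVE-2020-1938 mitigations."""
from typing import Dict, List
import xml.etree.ElementTree as ET

# Constructed server.xml fragments (not taken from any real deployment).
UNHARDENED_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

HARDENED_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" address="localhost" secretRequired="true"
               secret="correct-horse-battery-staple-2020" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

LOOPBACK_ADDRESSES = {"localhost", "127.0.0.1", "::1"}
MIN_SECRET_LENGTH = 16  # assumed policy threshold, not a Tomcat requirement


def audit_ajp_connectors(server_xml: str) -> List[Dict[str, object]]:
    """Return one record per AJP connector with its list of mitigation gaps (empty when hardened)."""
    results = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue  # only AJP connectors are affected
        gaps = []
        # Without "address", Tomcat binds the AJP port on every interface.
        if conn.get("address") not in LOOPBACK_ADDRESSES:
            gaps.append("not bound to a loopback address")
        # Tomcat 9.0.31 / 8.5.51 / 7.0.100 read the shared secret from "secret";
        # earlier releases read it from "requiredSecret", so accept either name.
        secret = conn.get("secret") or conn.get("requiredSecret")
        if not secret:
            gaps.append("no shared secret configured")
        elif len(secret) < MIN_SECRET_LENGTH or secret.lower() in {"true", "false"}:
            gaps.append("shared secret is weak")
        if conn.get("secretRequired", "true").lower() == "false":
            gaps.append("secretRequired explicitly disabled")
        results.append({"port": conn.get("port"), "gaps": gaps})
    return results


if __name__ == "__main__":
    for label, xml in (("unhardened", UNHARDENED_XML), ("hardened", HARDENED_XML)):
        print(label, audit_ajp_connectors(xml))
```

Point the script at a real server.xml by reading the file into a string; an empty "gaps" list means the connector carries both mitigations described above.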

You can also add firewall rules on the connector port to allow only local connections (or connections from trusted sources if needed), depending on the services running on your Tomcat instance.

BMC is working on upgrading Tomcat to the fixed version. Meanwhile, it is recommended to implement the above-mentioned configuration change, which mitigates this vulnerability.

BMC Software has identified and fixed Mid Tier vulnerabilities including Remote Code Execution and Reflected Cross-Site Scripting.

Remedy Mid Tier 9.0, 9.1, 18.05, 18.08, 19.02, and 19.08, all versions, service packs, and patches are affected by these vulnerabilities.

No action is required for SaaS customers (Remedy OnDemand / BMC Helix ITSM).

For more information about these issues and the resolution, see the following links:

Thanks to Raphaël Arrouas and Stephane Grundschober for responsibly disclosing some of these vulnerabilities to BMC.

BMC Software has identified an unauthenticated Remote Code Execution security vulnerability CVE-2019-16755 (CVSS v3 score 10.0) in BMC Digital Workplace and Remedy with Smart IT. Thank you to Jerome Nokin (NATO NCIA / NCIRC) for his responsible disclosure.

BMC Digital Workplace 3.x and 18.x releases, associated service packs, and patches are affected by this vulnerability.
No action is required if you are using BMC Digital Workplace 19.02 or later.

Remedy with Smart IT 1.x, 2.0, 18.05, 18.08, and 19.02 releases, associated service packs, and patches are affected by this vulnerability.
No action is required if you are using Remedy with Smart IT 2.0 Patch 2 or Remedy with Smart IT 19.08.

No action is required for SaaS customers. This refers to Remedy as a Service (RaaS), Helix ITSM, or BMC Helix Digital Workplace.

Hot fix available
A hot fix is currently available for all affected versions of BMC Digital Workplace and Remedy with Smart IT. BMC strongly recommends that customers apply this hot fix.

The hot fixes for the affected versions are available at the following links:

  • BMC Digital Workplace
    • For version 3.3 or earlier, you must upgrade to version 3.3.02 before applying the hot fix.
  • Remedy with Smart IT
    • For versions 1.4 or earlier, you must upgrade to version 2.0 Patch 2. Please contact BMC Support if you require a fix for versions 1.5, 1.5.01, or 1.6.

Upgrade required for Remedy with Smart IT?

  • Remedy with Smart IT 2.0 Patch 1 requires you to upgrade to Smart IT 2.0 Patch 2. This version is not affected by the security vulnerability.
  • Remedy with Smart IT 18.05 requires an install of Patch 5 prior to applying the security vulnerability hot fix.
  • Remedy with Smart IT 18.08 requires an install of Patch 1 prior to applying the security vulnerability hot fix.
  • Remedy with Smart IT 19.02 requires an install of Patch 1 prior to applying the security vulnerability hot fix.

Upgrade required for BMC Digital Workplace?

  • BMC Digital Workplace 3.3.02, 3.4.00, or 3.5.00 do not require any upgrade; you can apply the security vulnerability hot fix directly.
  • BMC Digital Workplace 18.02, 18.05, 18.08, or 18.11 do not require any upgrade; you can apply the security vulnerability hot fix directly.

Security researchers Raphaël Arrouas and Stephane Grundschober have identified a critical unauthenticated Remote Code Execution (RCE) vulnerability in BMC Remedy Mid Tier (CVE-2019-12740).

Mid Tier versions 9.1, 18.05, 18.08, and 19.02, service packs, and patches, are all affected by this vulnerability.

Perform the following steps to resolve this issue:

  1. Ensure that the base version of Mid Tier is as follows:
    • For Mid Tier version 9.1—Base version must be Patch 1 for 9.1 Service Pack 3 (9.1.03.001) or Patch 2 for 9.1 Service Pack 4 (9.1.04.002)
    • For Mid Tier version 18.05—Base version must be 18.05 or Service Pack 5 for version 18.05 (18.05.005)
    • For Mid Tier version 18.08—Base version must be Service Pack 1 for version 18.08 (18.08.01)
    • For Mid Tier version 19.02—Base version must be 19.02
  2. Download the hot fix from ftp://ftp.bmc.com/pub/ARRecommendedFixes/Midtier.
  3. Deploy the hot fix as described in the Readme file provided with each hot fix bundle.
  4. Edit the web.xml file located in the <midTierInstallDirectory>/WEB-INF directory. For information about the steps to be followed, see the Additional Instructions section in the Readme files.

For any additional questions, please open a Support case.

Many thanks to both researchers for responsibly disclosing this vulnerability and cooperating with BMC for a speedy resolution.

NOTE: This vulnerability is only applicable to AR System on Linux servers.

BMC Software has identified a security vulnerability (CVE-2018-19647) that could allow a remote, unauthenticated attacker to gain arbitrary code execution as the system user running the arplugin service. The exposure is limited to scenarios where an attacker is on the same network as the Remedy AR System and can bypass standard network-based defenses such as firewalls. For Remedy AR System 9.x and 18.x, all versions, service packs, and patches are affected by this vulnerability. BMC strongly recommends that customers who have installed Remedy AR System 9.x or 18.x apply this hot fix. Hot fixes for the affected versions are available at the following links:

PREREQUISITES:

  • Customers on Remedy AR System 9.1.04 must apply patch 002 (9.1.04.002) before applying the hot fix if they have not already applied it.
  • Customers on Remedy AR System 9.1.03 must apply patch 001 (9.1.03.001) before applying the hot fix if they have not already applied it.
  • Customers on Remedy AR System 9.1.02 must apply patch 004 (9.1.02.004) before applying the hot fix if they have not already applied it.
  • There are no prerequisites for installation on Remedy AR System 18.05 or 18.08.

Thanks to François Goichon from the Google Security Team for identification of this problem.
