Recently, BMC Software has identified a security vulnerability (CVE-2018-19647) that could allow a remote, unauthenticated attacker to gain arbitrary code execution as the system user. The exposure is limited to scenarios where an attacker is on the same network as Remedy AR System and has the capability to bypass standard network-based defenses such as firewalls. The full advisory can be found here.
All service packs and patches of Remedy AR System 8.x, 9.x and 18.x versions are affected by this vulnerability.
Within the BMC SaaS boundary, the affected service (AR Plug-in) is not directly accessible via the Internet; it is reachable only via authorized internal network connections in which the service is explicitly permitted. In addition, each customer AR system is dedicated and not shared with any other customer. Furthermore, in all current versions the AR Plug-in service does not run as a privileged user. These controls and configuration build standards greatly reduce the exposure, the ability to execute remote code, and the potential for exploitation.
The BMC Information Security, Remedy and SaaS Operations teams have reviewed this vulnerability and how it affects BMC subscription services. It is our conclusion that the mitigations listed above, including proper build standards, network isolation and restrictive access controls, significantly reduce the likelihood and exploitability of this vulnerability. Based on this information, the residual risk in this environment is classified as "low" and will be addressed as part of the ongoing release lifecycle.
BMC Information Security teams will continue to update this notice as information is provided or changes to the advisory are required.