Skip navigation
Share This:

The BMC Application Security team is aware of the recent SAML vulnerability reported by Duo Labs and has determined that BMC’s Remedy Single Sign-On (RSSO) system is not affected by this vulnerability.



The Duo Labs site states that for this vulnerability to be exploited, the following must all be true:

  • The SAML response contains strings identifying the authenticating user
  • XML canonicalization removes comments as part of signature validation, allowing comments to be added to a SAML response without invalidating the signature
  • XML text extraction only returns a substring of the element text when comments are present


Because RSSO returns the entire string (without comments) when extracting element text, the third condition is false.


As a result, RSSO is not affected by the SAML vulnerability.


Additional Resources:


Share This:

This customer communication is an update to the message BMC posted on Jan 5th about two major CPU vulnerabilities known as Meltdown and Spectre (


The current known vulnerability variants of Meltdown and Spectre such as bounds check bypass, branch target injection, and rogue data cache load are specific to CPU hardware implementations. Remediation for these variants are currently available from CPU and Operating System (OS) vendors through firmware updates and software patches (details can be found in the US-CERT link below).


For BMC software that is hosted on-premise at customer locations, BMC recommends that those customers follow their internal vulnerability management process and apply the appropriate patches according to vendor guidelines.


In cases where the software is running on BMC-provided OS or application stacks (appliances), BMC is working diligently with OS vendors to apply stable patches where necessary.


For BMC’s SaaS offerings, BMC’s operation teams have been tracking vendors for availability of stable patches and have been applying them to BMC’s SaaS infrastructure as soon as they have become available.


BMC will continue to closely monitor this evolving situation and provide additional details and maintenance notifications as needed.


More information about these vulnerabilities can be found here:

Share This:

Two major vulnerabilities (known as Meltdown, CVE-2017-5754, and Spectre, CVE-2017-5753 & CVE-2017-5715) have been revealed that affect almost all modern CPUs on January 3, 2018. Meltdown allows any application to access all system memory, including memory allocated for the kernel. Spectre allows an application to force another application to access arbitrary portions of its memory, which can then be read through a side channel. The vulnerabilities are known to be exploitable on servers, workstations, mobile devices, IoT environments, and browsers.


BMC is aware of these vulnerabilities, and has been working closely with our vendors and product teams to address them on applicable systems and products as soon as patches are available, and in accordance with BMC customer support process.  BMC will continue to closely monitor this evolving situation, and will provide additional details and maintenance notifications, as needed.


More information about these flaws can be found here:

Share This:

An SQL injection vulnerability has been identified in BMC's Remedy Action Request product. This vulnerability can affect the confidentiality and integrity of the application data. BMC has released a hotfix ( to patch this vulnerability. We strongly recommend that BMC customers apply this hotfix to address the vulnerability.


BMC would like to thank Spyridon Chatzimichail ( for responsibly disclosing the vulnerability and helping us to further harden our products.

Share This:

On September 5th, 2017, the Apache team published a security bulletin for Apache Struts 2. It describes a vulnerability caused by the REST plugin using an instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads.


To-date, the BMC Application Security team has scanned all of our products and discovered only one product that uses Struts 2. Service Level Management (SLM) implements Struts 2, but does not use the vulnerable REST plugin. Though SLM does not use the impacted jar, customers can remove the Struts REST plugin on their own. SLM SP4 will include a patched version of Struts 2, but in the meantime workaround details can be found in Apache's security bulletin.


Security is our top priority and we are committed to staying on top of vulnerability management and threat intelligence.


Please subscribe to this blog post to be notified of updates. If you have any questions please leave them in the comments below or email us at

Filter Blog

By date:
By tag: