
Application Security News


On September 5th, 2017, the Apache team published a security bulletin for Apache Struts 2. It describes a vulnerability in the REST plugin, which uses an instance of XStream for deserialization without any type filtering; deserializing an attacker-supplied XML payload can therefore lead to remote code execution.

 

To date, the BMC Application Security team has scanned all of our products and found only one product that uses Struts 2. Service Level Management (SLM) uses Struts 2, but does not use the vulnerable REST plugin. Although SLM does not use the affected jar, customers who want to remove the attack surface entirely can remove the Struts REST plugin on their own. SLM SP4 will include a patched version of Struts 2; in the meantime, workaround details can be found in Apache's security bulletin.

 

Security is our top priority and we are committed to staying on top of vulnerability management and threat intelligence.

 

Please subscribe to this blog post to be notified of updates. If you have any questions please leave them in the comments below or email us at AppSec@bmc.com.


Last updated: April 4th, 2017 2:25pm (PDT)

 

On March 7th, 2017, the Apache team published a security bulletin for Apache Struts 2. It describes a possible remote code execution vulnerability (CVE-2017-5638) when performing file uploads with the Jakarta Multipart parser.

 

The BMC Application Security team is investigating whether any BMC products are impacted by this vulnerability.

 

The table below will be updated periodically to reflect our findings. Please subscribe to this blog post to be notified of updates.

 

BMC Products that do NOT include Struts 2:
  • BMC Atrium Orchestrator (BAO)
  • BMC Client Management (BCM, formerly Footprints Asset Core)
  • BMC Cloud Lifecycle Management (CLM)
  • BMC Control-D
  • BMC Control-M
  • BMC Database Automation (BDA and BDSDA)
  • BMC Decision Support for Server Automation (BDSSA)
  • BMC Discovery (formerly ADDM)
  • BMC Impact Manager
  • BMC Innovation Suite
  • BMC MyIT
  • BMC Network Automation (BNA and BDSNA)
  • BMC Pathway Policy Service
  • BMC Real End User Experience Monitoring (Real EUEM)
  • BMC Release Lifecycle Management (RLM, including RPD and RPM)
  • BMC Remedy IT Service Management Suite (ITSM)
  • BMC Remedy Mid-Tier
  • BMC Remedy Platform
  • BMC Server Automation (BSA)
  • BMC Service Request Management (SRM)
  • BMC SmartIT
  • BMC TrueSight App Visibility Manager
  • BMC TrueSight Capacity Optimization (TSCO)
  • BMC TrueSight Infrastructure Management (TSIM, including BPPM)
  • BMC TrueSight Infrastructure Management (TSIM) - PATROL Agent
  • BMC TrueSight Infrastructure Management (TSIM) - PATROL Repository
  • BMC TrueSight Intelligence
  • BMC TrueSight IT Data Analytics (ITDA)
  • BMC TrueSight Middleware Administrator (TSMA)
  • BMC TrueSight Middleware Transaction Monitor (TMTM)
  • BMC TrueSight Presentation Server (TSPS)
  • BMC TrueSight Pulse
  • BMC TrueSight Synthetic Monitor

BMC Products that include Struts 2:
  • BMC Service Level Management (SLM): The SLM Collector Admin UI uses Struts 2; however, it does not use file upload based on the Jakarta Multipart parser and is therefore not vulnerable to CVE-2017-5638.


Stephen Hawking, referring to the ancient philosophical paradox of infinite regress, writes in his 1988 book "A Brief History of Time" (ISBN 978-0-553-05340-1):

 

A well-known scientist (some say it was Bertrand Russell) once gave a public lecture on astronomy. He described how the earth orbits around the sun and how the sun, in turn, orbits around the center of a vast collection of stars called our galaxy. At the end of the lecture, a little old lady at the back of the room got up and said: "What you have told us is rubbish. The world is really a flat plate supported on the back of a giant tortoise." The scientist gave a superior smile before replying, "What is the tortoise standing on?" "You're very clever, young man, very clever," said the old lady. "But it's turtles all the way down!"

 

I am occasionally asked (typically after an information assurance or IT security group runs an environment scan) why it is that there are clear text passphrases stored in an Apache Tomcat server.xml files. A common security best practice is to keep secrets, well um, secret. How is it, I am asked, that a passphrase used to unlock a keystore that houses sensitive private keys used for secure HTTPS connections is so clearly visible in a configuration file?

 

This is a good question and one that has been debated quite a lot. My honest answer is that we have not been able to find anything that provides more adequate protection. The reality is that when you encrypt data in a way that lets you recover the original value through decryption, you need a key (or, in the case of Apache Tomcat, a passphrase from which the key that protects the keystore is derived). The problem is where and how to secure that key. There are a few approaches we could take:

  1. Don't store it. Prompt a person for it every time you need it.
    Problem: this does not scale nor is it automatic. Multiple servers that need to be spun up and/or restarted frequently cannot rely on human interaction.
  2. Encrypt it and store it (a common suggestion).
    Problem: if I encrypt the passphrase I will need to use yet another key. How do I protect this new key? Turtles all the way down...
  3. Scramble / encode / hide it / hardcode the key.
    Problem: Any form of obfuscation will (a) be shared among all installations of our software, and (b) can be discovered through reverse engineering or less nefariously by the original author of said obfuscation telling someone about it. Once the obfuscation is made public (as often happens) it is just as exposed as the original clear text passphrase.
  4. Store it in a secure hardware-based vault.
    Problem: Those are expensive and unless you have invested in one to solve the greater issues of enterprise key and credential management it is likely overkill.

 

The question then remains: what can you do to protect this clear text passphrase from unauthorized disclosure? There is a set of best practices, described both by OWASP and Apache, for protecting the server.xml file. The two that I most often recommend are:

  1. Use file level access control or permissions to restrict access to server.xml to the service user running Apache Tomcat. Apply the same restriction to the keystore file the passphrase unlocks: the passphrase is only useful to someone who can also read the keystore.
  2. Monitor server.xml for unauthorized access, for example with file integrity monitoring or an audit watch on the file.
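The two recommendations above are easy to check mechanically. The following is an added example written for this post, not code from BMC or from Apache Tomcat: it audits a server.xml for the three things the post is concerned with (who owns it, whether group/other can read it, and which Connector elements carry a clear-text keystorePass), then applies recommendation 1. The sample server.xml is constructed for the example, the service account is passed as a uid, and the auditd watch in the comment assumes an install path.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample, not a file from any BMC product: a Tomcat server.xml whose
# HTTPS Connector carries the keystore passphrase in clear text, as the post describes.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/keystore.jks" keystorePass="changeit"/>
  </Service>
</Server>
"""


def keystore_secrets(path):
    """Ports of Connector elements that store a keystorePass attribute in the clear."""
    root = ET.parse(path).getroot()
    return [c.get("port") for c in root.iter("Connector") if c.get("keystorePass")]


def audit_serverxml(path, service_uid):
    """Findings for one server.xml: wrong owner, group/other access, clear-text passphrases.

    The passphrase finding is informational (the post explains why it usually has to
    stay in the file); the other two are the things file permissions can actually fix.
    """
    findings = []
    st = os.stat(path)
    if st.st_uid != service_uid:
        findings.append(f"owner uid {st.st_uid}, expected service uid {service_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {stat.filemode(st.st_mode)} grants group/other access")
    for port in keystore_secrets(path):
        findings.append(f"Connector port={port} carries keystorePass in clear text")
    return findings


def harden_serverxml(path, service_uid):
    """Recommendation 1: owner = service account, mode 0600 (chown needs root unless already owner)."""
    os.chown(path, service_uid, -1)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    # Recommendation 2 (monitoring) is done outside Python. With auditd on Linux a
    # watch like the following logs every read, write and attribute change of the
    # file (install path assumed):
    #   auditctl -w /opt/tomcat/conf/server.xml -p rwa -k tomcat_serverxml


def demo():
    """Write the sample world-readable, audit it, harden it, audit again."""
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "server.xml")
        with open(path, "w") as f:
            f.write(SAMPLE_SERVER_XML)
        os.chmod(path, 0o644)              # the typical default after an unpack
        before = audit_serverxml(path, uid)
        harden_serverxml(path, uid)
        after = audit_serverxml(path, uid)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, findings in demo().items():
        print(phase, findings)
```

In real use the service account comes from `pwd.getpwnam("tomcat").pw_uid` (name assumed), and the same audit applies to the keystore file named in `keystoreFile`. After hardening, the only finding left is the clear-text passphrase itself, which is exactly the residual the post is about.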

 

I think most security practitioners will agree that security through obscurity is not a good approach as it provides a false sense of security. However, something about leaving clear text passwords in a configuration file just doesn't feel great either. Have you come up with an approach that gives you the proverbial "warm fuzzies"? I would love to hear about it if you have.


Latest details from BMC

Last Updated: March 10, 2016 12:40PM CST

 

On March 1, 2016, the OpenSSL Software Foundation released a security advisory detailing seven vulnerabilities and a new attack, referred to as Decrypting RSA with Obsolete and Weakened eNcryption (DROWN). Of the seven vulnerabilities posted, three are related to the DROWN attack. DROWN exploits weaknesses in SSL version 2 (SSLv2) to let an attacker decrypt captured TLS sessions. A successful attack requires the ability to collect TLS traffic to a server, plus access to a server that still accepts SSLv2 handshakes with the same RSA private key (the same server, or any other server sharing that key).

 

Environments that have been configured to disable SSLv2 as well as export grade ciphers are not vulnerable to DROWN; disabling SSLv2 is the decisive step, since the attack is carried out through SSLv2 handshakes. Note that the usual mitigations for POODLE (disabling SSLv3) and Logjam (disabling export DHE cipher suites) do not by themselves turn off SSLv2, so verify explicitly that SSLv2 is disabled on every service. The attack is further deflected by ensuring private keys are not shared among multiple servers (for example, where one is configured to allow SSLv2 and the other is not).
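The check a practitioner wants after reading the above is whether a given endpoint still answers an SSLv2 handshake at all. The following is an added example, not BMC's code or part of the original advisory: it builds an SSLv2 CLIENT-HELLO offering all seven SSLv2 cipher kinds and interprets the first bytes the server sends back (an SSLv2 SERVER-HELLO means SSLv2 is accepted; a TLS alert record or a closed connection means it is not). `probe_sslv2` talks to a live host and port of your choosing; the parser is exercised on a constructed SERVER-HELLO so the logic can be checked offline.

```python
import os
import socket
import struct

# SSLv2 cipher kinds: 3-byte identifiers from the SSL 2.0 specification.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "RC4_128_WITH_MD5",
    b"\x02\x00\x80": "RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "DES_192_EDE3_CBC_WITH_MD5",
}
# The 40-bit export kinds that general DROWN relies on.
EXPORT_CIPHERS = {b"\x02\x00\x80", b"\x04\x00\x80"}

MSG_CLIENT_HELLO = 1
MSG_SERVER_HELLO = 4


def build_client_hello(challenge=None):
    """SSLv2 CLIENT-HELLO record offering every SSLv2 cipher kind, no session id."""
    if challenge is None:
        challenge = os.urandom(16)
    specs = b"".join(SSLV2_CIPHERS)
    body = (bytes([MSG_CLIENT_HELLO]) + b"\x00\x02"          # version 2.0
            + struct.pack(">HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    # Two-byte SSLv2 record header: high bit set, remaining 15 bits = body length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_response(data):
    """Classify the first bytes a server sent back after our CLIENT-HELLO."""
    result = {"sslv2": False, "ciphers": [], "export": False}
    # A TLS-only server answers with a TLS record (0x15 alert, 0x16 handshake) or
    # closes the connection; neither starts with an SSLv2 header (high bit set).
    if len(data) < 13 or not data[0] & 0x80:
        return result
    body_len = struct.unpack(">H", data[:2])[0] & 0x7FFF
    body = data[2:2 + body_len]
    # SERVER-HELLO: type, session-id-hit, cert-type, version(2), cert-len(2),
    # cipher-specs-len(2), connection-id-len(2), then the three variable fields.
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO or body[3:5] != b"\x00\x02":
        return result
    cert_len, specs_len, _conn_id_len = struct.unpack(">HHH", body[5:11])
    specs = body[11 + cert_len: 11 + cert_len + specs_len]
    ciphers = [specs[i:i + 3] for i in range(0, len(specs) - len(specs) % 3, 3)]
    result["sslv2"] = True
    result["ciphers"] = [SSLV2_CIPHERS.get(c, c.hex()) for c in ciphers]
    result["export"] = any(c in EXPORT_CIPHERS for c in ciphers)
    return result


def probe_sslv2(host, port=443, timeout=5.0):
    """Send the CLIENT-HELLO to a live server and interpret its first response bytes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            data = s.recv(4096)
        except socket.timeout:
            data = b""
    return parse_server_response(data)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(host, probe_sslv2(host))
```

A result with `sslv2` true is a DROWN exposure for that key regardless of which ciphers are listed; `export` true additionally means the cheap, general form of the attack applies. Run the probe against every host that shares a certificate or key, not only the one that serves TLS.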

The products listed in Table 1 below include OpenSSL libraries affected by the OpenSSL DROWN vulnerability. Although they might not be vulnerable to the attack (OpenSSL not used for TLS, or SSLv2 disabled), patches or remediation advice are available.

Table 1. Products which include affected OpenSSL, with remediation / patches:
  • BMC MainView Console Automation for zEnterprise: MainView Console Management Cumulative SSL Security Patch 2016.03.07 is available for download on BMC Electronic Product Distribution (EPD).
  • BMC Discovery (previously ADDM): See the BMC Discovery blog in Communities.
  • BMC Control-M/Enterprise Manager, BMC Control-M/Server and BMC Control-M/Agent (V8 and V9; V7): Use a different private key for each server.
The products listed in Table 2 below either do not include OpenSSL libraries or are unaffected by the DROWN vulnerability.

Table 2. Products that do not include OpenSSL, or include OpenSSL but are not vulnerable:
  • BMC Atrium Orchestrator
  • BMC Cloud Lifecycle Management
  • BMC Decision Support for Database Automation
  • BMC Decision Support for Network Automation
  • BMC MainView for z/OS solutions
  • BMC IMS for z/OS solutions (all products and versions)
  • BMC DB2 for z/OS solutions (all products and versions)
  • BMC Middleware Automation
  • BMC TrueSight Middleware Administration
  • BMC Middleware Management - Transaction Analytics for WebSphere MQ (StatWatch)
  • BMC Release Process Manager
  • BMC BladeLogic Client Automation
  • BMC BladeLogic Portal
  • BMC AppSight
  • BMC Identity Management
  • BMC IT Business Management
  • BMC Network Automation
  • BMC Service Desk Express
  • BMC Service Level Management
  • BMC TrackIt!
  • BMC RemedyForce (all versions)
  • BMC Footprints Service Core/Renoir 12
  • BMC TrueSight Capacity Optimization prior to v10.5
  • BMC Event Manager
  • BMC TrueSight IT Data Analytics
  • BMC Storage Data Management
  • BMC Performance Manager for WebSphere Business Integration (WBI)
  • Aternity for BMC End User Experience Management Console and Agents (all versions)
  • BMC Education Solution Accelerator (ESA)
  • Moviri Integration for BMC Capacity Optimization
  • nlyte Enterprise Edition for BMC Software
  • Seamless Technologies Event Integration for BMC TrueSight Operations Management
  • BMC Mobile Device Management (MDM)
  • Sentry Software Integration for BMC Capacity Optimization
  • Sentry Software Monitoring for BMC TrueSight Operations Management
  • Sentry Software Adapters for BMC Atrium Orchestrator
  • SailPoint Provisioning Engine for BMC Software Solutions
  • SailPoint Compliance Manager for BMC Software Solutions
  • SailPoint Lifecycle Manager for BMC Software Solutions
  • Quindell OS3 Frameworks for BMC Remedy
  • BMC Cost Analyzer for zEnterprise
  • BMC Intelligent Capping for zEnterprise
  • BMC Subsystem Optimization for zEnterprise
  • BMC Capacity Optimization for Mainframes

 

Products not listed in Table 1 and Table 2 above are still under investigation. Updates on these products will be posted to this page as they become available.
Recommendations:
   1. BMC products are frequently installed in environments that include infrastructure components that embed the OpenSSL library (e.g. Web Servers, Application Servers, Middleware, etc.). Please check with the vendors of these components to ensure they have been patched or that they are not affected by the OpenSSL DROWN vulnerability.

Two critical broken authentication vulnerabilities were disclosed to BMC by ERNW GmbH (an independent research company); they will be disclosed publicly at the Troopers 2016 conference in Heidelberg on March 16th, 2016. These vulnerabilities allow remote unauthorized access to Linux/Unix RSCD agents through the agents' RPC API. Windows agents are not affected. For more detailed information, please see the following Flash Notification.

 

Due to the severity of these findings BMC has published a Knowledge Article with patching information as well as general recommendations for reducing the likelihood of successful exploitation. We strongly recommend that BSA customers follow the instructions within.


An authentication vulnerability involving LDAP authentication was found in Control-M Enterprise Manager (EM). It allows unauthorized access to the EM GUI server through the EMAPI. Due to the severity of this vulnerability, BMC has published a knowledge article (requires login) with patching and/or workaround information. We strongly recommend that Control-M customers using LDAP authentication follow the instructions within.


Latest details from BMC

Last Updated: February 29, 2016 04:40PM CST

 

BMC Software's Application Security team is investigating the impact that the OpenSSL security advisory published on January 28th has on the security posture of BMC products and services. The advisory includes a high severity vulnerability (CVE-2016-0701) that can allow an attacker to recover a server's private Diffie-Hellman exponent when it is reused across connections, and so decrypt encrypted communication. It only affects OpenSSL versions in the 1.0.2 branch.
The products listed in Table 1 below include OpenSSL libraries affected by the OpenSSL CVE-2016-0701 vulnerability.
Table 1. Products which include affected OpenSSL, with remediation / patches:
  • BMC Client Management (BCM), formerly Footprints Asset Core: v11.7.0 patch estimated February 19, 2016; v12.0 patch estimated February 26, 2016; v12.1.0 patch estimated March 4, 2016.
  • BMC Release Package and Deployment (RPD): Patch estimated March 1, 2016.
  • BMC TrueSight Capacity Optimization 10.5: Patch estimated March 1, 2016.
  • Borland Silk Performer Synthetic Transaction Monitoring: Patch (10.5 release) estimated May 15, 2016.
  • BMC Patrol for Linux: Patch estimated September 15, 2016.
The products listed in Table 2 below either do not include OpenSSL libraries or include OpenSSL libraries unaffected by the OpenSSL CVE-2016-0701 vulnerability.
Table 2. Products that do not include OpenSSL:
  • BMC Atrium Orchestrator
  • BMC Cloud Lifecycle Management
  • BMC Decision Support for Database Automation
  • BMC Decision Support for Network Automation
  • BMC MainView for z/OS solutions
  • BMC IMS for z/OS solutions (all products and versions)
  • BMC DB2 for z/OS solutions (all products and versions)
  • BMC Middleware Automation
  • BMC TrueSight Middleware Administration
  • BMC Middleware Management - Transaction Analytics for WebSphere MQ (StatWatch)
  • BMC Release Process Manager
  • BMC BladeLogic Client Automation
  • BMC BladeLogic Portal
  • BMC AppSight
  • BMC Identity Management
  • BMC IT Business Management
  • BMC Network Automation
  • BMC Service Desk Express
  • BMC Service Level Management
  • BMC TrackIt!
  • BMC RemedyForce (all versions)
  • BMC Footprints Service Core/Renoir 12
  • BMC TrueSight Capacity Optimization prior to v10.5
  • BMC Event Manager
  • BMC TrueSight IT Data Analytics
  • BMC Storage Data Management
  • BMC Performance Manager for WebSphere Business Integration (WBI)
  • Aternity for BMC End User Experience Management Console and Agents (all versions)
  • BMC Education Solution Accelerator (ESA)
  • Moviri Integration for BMC Capacity Optimization
  • nlyte Enterprise Edition for BMC Software
  • Seamless Technologies Event Integration for BMC TrueSight Operations Management
  • BMC Mobile Device Management (MDM)
  • Sentry Software Integration for BMC Capacity Optimization
  • Sentry Software Monitoring for BMC TrueSight Operations Management
  • Sentry Software Adapters for BMC Atrium Orchestrator
  • SailPoint Provisioning Engine for BMC Software Solutions
  • SailPoint Compliance Manager for BMC Software Solutions
  • SailPoint Lifecycle Manager for BMC Software Solutions
  • Quindell OS3 Frameworks for BMC Remedy
  • BMC Cost Analyzer for zEnterprise
  • BMC Intelligent Capping for zEnterprise
  • BMC Subsystem Optimization for zEnterprise
  • BMC Capacity Optimization for Mainframes

Table 2 (continued). Products that include OpenSSL, but are not vulnerable:
  • BMC Control-M (Server, Agent, Enterprise Manager, and AFT). See article here.
  • BMC Footprints Service Core 11
  • BMC MainView Console Automation for zEnterprise (Advisory: MainView Console Management Cumulative SSL Security Patch 2016.01.29 available for download on the BMC Electronic Product Distribution site)
  • BMC MainView SecureHMC
  • BMC Server Automation (BSA)
  • BMC Remedy AR System and ITSM Suite 7.6.04, 8.0, 8.1
  • BMC Remedy AR System and ITSM Suite 9.0, 9.1
  • BMC Remedy AR System 8.8
  • BMC Atrium Discovery and Dependency Management (ADDM)
  • BMC TrueSight Middleware Transaction Monitor (TMTM)
  • BMC TrueSight Pulse
  • BMC TrueSight Intelligence
  • BMC Transaction Management Application Response Time (TMART)
  • BMC Real End User Experience Monitoring
  • BMC TrueSight Infrastructure Management
  • BMC PATROL Agent
  • BMC Performance Manager Portal
  • BMC Active End User Experience Monitoring
  • BMC Application Diagnostics

 

Products not listed in Table 1 and Table 2 above are still under investigation. Updates on these products will be posted to this page as they become available.
Recommendations:
   1. BMC products are frequently installed in environments that include infrastructure components that embed the OpenSSL library (e.g. Web Servers, Application Servers, Middleware, etc.). Please check with the vendors of these components to ensure they have been patched or that they are not affected by the OpenSSL CVE-2016-0701 vulnerability.

Latest details from BMC

Last Updated: December 12, 2015 12:00PM CST

 

BMC Software's Application Security team is investigating the impact that the OpenSSL security vulnerability announced on July 9th has on the security posture of BMC products and services. The vulnerability enables an attacker to present a certificate chain that bypasses certificate validation. It only affects OpenSSL versions 1.0.2b/c and 1.0.1n/o.
The products listed in Table 1 below include OpenSSL libraries affected by the OpenSSL CVE-2015-1793 vulnerability.
Table 1. Products which include affected OpenSSL, with remediation / patches:
  • BMC MainView Console Management: Patch MVCM-SSL-150713 is available for download from the BMC Electronic Product Distribution (EPD) site.
The products listed in Table 2 below either do not include OpenSSL libraries or include OpenSSL libraries unaffected by the OpenSSL CVE-2015-1793 vulnerability.
Table 2. Products that do not include OpenSSL:
  • BMC Atrium Orchestrator
  • BMC Cloud Lifecycle Management
  • BMC Decision Support for Database Automation
  • BMC Decision Support for Network Automation
  • BMC MainView for z/OS solutions (all products and versions except as shown in Table 1)
  • BMC IMS for z/OS solutions (all products and versions)
  • BMC DB2 for z/OS solutions (all products and versions)
  • BMC Middleware Administration
  • BMC Middleware Management - Transaction Analytics for WebSphere MQ (StatWatch)
  • BMC BladeLogic Client Automation
  • BMC BladeLogic Portal
  • BMC AppSight
  • BMC Identity Management
  • BMC IT Business Management
  • BMC Network Automation
  • BMC Service Desk Express
  • BMC Service Level Management
  • BMC TrackIt!
  • BMC RemedyForce (all versions)
  • BMC Footprints Service Core/Renoir 12
  • BMC Performance Manager Portal
  • BMC Event Manager
  • BMC TrueSight IT Data Analytics
  • BMC Storage Data Management
  • BMC Performance Manager for WebSphere Business Integration (WBI)
  • Aternity for BMC End User Experience Management Console and Agents (all versions)
  • BMC Education Solution Accelerator (ESA)
  • Moviri Integration for BMC Capacity Optimization
  • nlyte Enterprise Edition for BMC Software
  • Seamless Technologies Event Integration for BMC TrueSight Operations Management
  • BMC Mobile Device Management (MDM)
  • Sentry Software Integration for BMC Capacity Optimization
  • Sentry Software Monitoring for BMC TrueSight Operations Management
  • Sentry Software Adapters for BMC Atrium Orchestrator
  • SailPoint Provisioning Engine for BMC Software Solutions
  • SailPoint Compliance Manager for BMC Software Solutions
  • SailPoint Lifecycle Manager for BMC Software Solutions
  • Quindell OS3 Frameworks for BMC Remedy
  • BMC Cost Analyzer for zEnterprise
  • BMC Intelligent Capping for zEnterprise
  • BMC Subsystem Optimization for zEnterprise
  • BMC Capacity Optimization for Mainframes

Table 2 (continued). Products that include OpenSSL, but are not vulnerable:
  • BMC Client Management (formerly BMC Footprints Asset Core) versions 11.x, 12.x: ship with the 1.0.0 branch of OpenSSL.
  • BMC Footprints Service Core 11.6.06: ships with OpenSSL 1.0.1m, which is not affected.
  • BMC Atrium Discovery and Dependency Mapping (ADDM): see this blog post for details.
  • BMC Control-M (Server, Agent, Enterprise Manager, and AFT)
  • BMC BladeLogic Server Automation (BSA)
  • BMC BladeLogic Decision Support for Server Automation (BDSSA)
  • BMC Remedy AR System
  • BMC Remedy IT Service Management Suite (ITSM)

 

Products not listed in Table 1 and Table 2 above are still under investigation. Updates on these products will be posted to this page as they become available.
Recommendations:
   1. BMC products are frequently installed in environments that include infrastructure components that embed the OpenSSL library (e.g. Web Servers, Application Servers, Middleware, etc.). Please check with the vendors of these components to ensure they have been patched or that they are not affected by the OpenSSL CVE-2015-1793 vulnerability.

Latest details from BMC

Last Updated: April 27, 2016 5:55 PM CDT

 

BMC Software's Application Security team is investigating the impact that the Apache Commons Collections deserialization vulnerability has on the security posture of BMC products and services. The vulnerability has been described by various parties in multiple places (see FoxGlove Security's post and the darkreading article for examples) and enables code execution via the InvokerTransformer class when an application deserializes untrusted Java objects.

The vulnerability has been assigned more than one CVE-ID via inclusion in products released by IBM (CVE-2015-7450) and Oracle (CVE-2015-4852).

We will post updates to this webpage with our findings.

 

Table 1. Products that include the InvokerTransformer class, with remediation / patches:
  • BMC Atrium Orchestrator (BAO): Neither the vulnerable class nor Commons Collections serialization/deserialization is used in the BAO code base. The vulnerable library has been upgraded in the 7.8.02 release of BAO. To manually upgrade the Commons Collections library, follow the instructions in this article.
  • BMC Network Automation (BNA): A patch is estimated to be available December 15, 2015.
  • BMC BladeLogic Middleware Automation (BMA): A patch is estimated to be available December 15, 2015.
  • BMC BladeLogic Server Automation (BSA): The BSA solution includes the affected Apache Commons Collections library; however, it is not used directly in the BSA codebase. Nonetheless, a hot fix that patches the affected library is expected to be released by January 31, 2016.
  • BMC BladeLogic Decision Support for Server Automation (BDSSA): The product does not accept and deserialize Java objects from untrusted sources. As a precaution, the Apache Commons Collections library will be upgraded in the next release of BDSSA (8.8).
  • BMC BladeLogic Portal: A patch is estimated to be available by December 31, 2015.
  • Control-M Agent v.8 and v.9: Only used in command line utilities available on agent machines. Patches for the Control-M Agent are available: V.9 FP1 (see release notes); V.8 FP5 estimated to be available by May 15, 2016. In the interim, please refer to this article for directions on how to manually update the commons-collections.jar on the agent machines.
  • Control-M Application Integrator 8.0.00.000 / 8.0.00.100: A patch (fix pack 2) is available. See release notes.
  • BMC TrueSight Middleware Administrator, BMC TrueSight Middleware Monitor, BMC TrueSight Middleware Transaction Monitor: The vulnerable class is included; however, it is not used. Patches are estimated to be available by December 18, 2015.
  • BMC TrueSight Capacity Optimization (BCO / TSCO): Patches are available for direct download. 10.0: the fix is included starting from 10.0.00.02.C00006, released on December 15, 2015 (follow this link to obtain the latest cumulative hotfix released for version 10.0). 10.3: the fix is included starting from 10.3.00.01.C00004, released on December 22, 2015 (follow this link to obtain the latest cumulative hotfix released for version 10.3).
  • BMC TrueSight Transaction Management Application Response Time (TM ART): A knowledge article has been published. A patch is available for direct download here. Version 4.2 SP4 will be available on BMC Electronic Product Distribution (EPD) on February 29, 2016.
  • BMC Remedy AR System and ITSM Suite 7.6.04, 8.0, 8.1; BMC Remedy AR System 8.8; BMC Remedy AR System and ITSM Suite 9.0: InvokerTransformer is not used and the products are not impacted.
  • BMC SmartIT and BMC MyIT: Hotfixes are available on BMC Electronic Product Distribution (EPD): MyIT 2.2.00_Hotfix_03022016, MyIT 2.5.00_Hotfix_03022016, MyIT 2.6.00_Hotfix_03022016, MyIT 3.0.00_Hotfix_03022016.
  • BMC Performance Manager Portal: A patch is available for direct download here.
  • BMC TrueSight Infrastructure Management (TSIM) 9.5, 9.6: 9.6 patch estimated March 4, 2016; 9.5 patch estimated March 11, 2016.
  • BMC TrueSight Infrastructure Management (TSOM) 10.0, 10.1: 10.0 and 10.1 patches estimated March 11, 2016.
  • BMC Atrium Single Sign On (ASSO) 8.1, 8.8, 9.0: Hotfixes available. Please contact customer support.
  • BMC Discovery (previously ADDM): A vulnerable version of the class is included; however, it is not used or exposed. As a precaution, the Apache Commons Collections library will be upgraded in all supported releases. Fixes are estimated to be available by April 30, 2016.
The products listed in Table 2 below do not include the InvokerTransformer class and are therefore not vulnerable to the deserialization issue.
Table 2. Products that do not include the InvokerTransformer class:
  • BMC Database Automation (BDA)
  • BMC Release Package and Deployment (RPD)
  • BMC Release Process Management (RPM)
  • BMC Patrol
  • BMC TEA Agent
  • BMC Control-M Self Service
  • BMC Control-M Batch Impact Manager
  • BMC Control-M Workload Change Manager
  • BMC Control-M for SAP Business Objects
  • BMC zSeries Solutions (none affected)
  • BMC Middleware Administration (BMA)
  • BMC TrueSight Middleware and Transaction Monitor
  • BMC TrueSight IT Data Analytics
  • BMC Real End User Experience Monitoring
  • BMC TrueSight App Visibility Manager Server / Agent
  • Borland Silk Performer Synthetic Transaction Monitoring for BMC Software (Synthetic-EUEM) 15.0
  • Borland Silk Performer Synthetic Transaction Monitoring for BMC Software 16.X
  • BMC Remedy Single Sign On (RSSO)

 

Products not listed in Table 1 and Table 2 above are still under investigation. Updates on these products will be posted to this page as they become available.

Latest details from BMC

Last Updated: August 14, 2015 16:20 PM CDT

 

BMC Software’s Application Security team has investigated the impact that the SHOTPUT Adobe Flash Vulnerability (CVE-2015-3113) has on the security posture of BMC products and services.

We have not found any BMC products that embed or ship Adobe Flash. Thus they do not include this vulnerability. There are BMC products that rely on the existence of the Adobe Flash browser plugins, however those plugins can be safely upgraded and we urge you to do so.


Latest details from BMC

Last Updated: September 2, 2015 11:00 AM CDT

 

BMC Software’s Application Security team is investigating the impact that the Logjam Attack (CVE-2015-4000) described by a group of researchers in a dedicated website on May 20th has on the security posture of BMC products and services.

We will post updates to this webpage with our findings.

In the interim we suggest that you follow the instructions provided by the researchers who discovered the attack to minimize your exposure.

 

Table 1. Products affected by CVE-2015-4000, with remediation / patches:
  • BMC Atrium Discovery and Dependency Mapping (ADDM): See the product documentation for details.
  • BMC BladeLogic Server Automation (BSA) 8.6 SP1 and BMC BladeLogic Decision Support for Server Automation (BDSSA): See this article for remediation instructions.
  • Cloud Lifecycle Manager (CLM) (not including the underlying Remedy AR platform): See this blog post for remediation instructions. The next patch will include the required configuration changes.
  • BMC Atrium Orchestrator (BAO): There is currently no feasible workaround in existing versions. Release 7.8.01 will no longer be affected.
  • BMC Release Package and Deployment (RPD) prior to version 4.4 patch 10: See this document for remediation instructions. Versions 4.4 patch 10 and above are no longer impacted.
  • BMC Release Lifecycle Management (RLM): See RPD, RPM and BSA.
  • BMC Workload Automation (Control-M): See this article for remediation instructions.
  • BMC Remedy AR System and ITSM: See this article for remediation instructions.
  • Entuity Network Monitoring for BMC TrueSight Operations Management: There is no Logjam flaw in the Entuity solution itself. Please contact BMC Customer Support for instructions on configuration changes that reject insecure cipher suites.
  • BMC Footprints Service Core: For version 12 see this article. For versions 11.x contact BMC Customer Support.
The products listed in Table 2 below are unaffected by CVE-2015-4000.
Table 2. Products that are unaffected by CVE-2015-4000:
  • BMC Client Management (BCM) (previously Footprints Asset Core)
  • BMC BladeLogic Decision Support for Network Automation
  • BMC BladeLogic Decision Support for Database Automation
  • BMC BladeLogic Network Automation (BNA)
  • BMC BladeLogic Database Automation (BDA)
  • BMC Release Process Management (RPM)
  • BMC Middleware Administration (BMA)
  • BMC Data Center Automation Portal (DCA Portal)
  • Borland Silk Performer for TrueSight Operations Management
  • BMC TMART 4.2 SP3
  • AVNET (previously Seamless Technologies Event Integration for BMC ProactiveNet Performance Management)
  • BMC Mobile Device Management (MDM) (AirWatch)
  • BMC AppSight
  • BMC BladeLogic Client Automation
  • BMC Identity Management
  • BMC IT Business Management
  • BMC Storage Data Management

Last Modified at 2:30AM CT, March 30, 2015

Latest details from BMC

 

The products below ship with a node.js server that is statically linked with a version of OpenSSL that, if used for TLS communication, may be vulnerable to CVE-2014-0160 (Heartbleed). We have reviewed the use of node.js within these products and found that the vulnerability is not exploitable in this context.

Products which include MongoDB, with remediation / patching:
  • BMC MyIT and BMC SmartIT: See this support article for a detailed explanation of why the products are not vulnerable to CVE-2014-0160.

Latest details from BMC

Last Updated: December 7, 2015 3:00PM CST

 

BMC Software’s Application Security team is investigating the impact that multiple OpenSSL security vulnerabilities announced on March 19th have on the security posture of BMC products and services. Of the 14 vulnerabilities described, two were classified as high severity cases: CVE-2015-0204 and CVE-2015-0291.
The products listed in Table 1 below include OpenSSL libraries affected by the OpenSSL CVE-2015-0204 and/or CVE-2015-0291 vulnerabilities.
Table 1. Products which include affected OpenSSL, with remediation / patches:
  • BMC Atrium Discovery and Dependency Mapping: See article in BMC Communities.
  • BMC Footprints Service Core 11.6.05 and prior: Patch released (see this article for details). An upgraded version of OpenSSL is included in release 11.6.06.
  • Borland Silk Performer for TrueSight Operations Management 15.5.10: Addressed in Borland Silk Performer for TrueSight Operations Management 15.5.60, available on BMC Electronic Product Distribution (EPD).
  • BMC TMART 4.2 SP2: Addressed in BMC TMART 4.2 SP3, available on BMC Electronic Product Distribution (EPD).
  • BMC Application Diagnostics 2.6.10: Addressed in 2.6.15 and 2.7.01, available on BMC Electronic Product Distribution (EPD).
  • Entuity Network Monitoring for BMC TrueSight Operations Management V14.0, V14.5 and V15.0: Patches available from the Entuity web site. Please contact BMC Customer Support for access credentials.
  • BMC Database Automation (BladeLogic): Patch estimated May 31, 2015.
  • BMC Release Package and Deployment (RPD): Patch estimated May 31, 2015.
  • BMC Release Lifecycle Management: See RPD, RPM and BSA.
  • BMC Workload Automation (Control-M): See this article for details.
  • BMC MainView Console Management 3.2.1 and prior: Upgrade to release 3.2.2 or install Cumulative SSL Security Patch 2015.04.21.
The products listed in Table 2 below either do not include OpenSSL libraries or include OpenSSL libraries unaffected by the OpenSSL CVE-2015-0204 and CVE-2015-0291 vulnerabilities.
Products that do not include OpenSSL:
- BMC Atrium Orchestrator
- BMC Cloud Lifecycle Management
- BMC Decision Support for Database Automation
- BMC Decision Support for Network Automation
- BMC MainView Console Management 2.12 and prior
- BMC MainView for z/OS solutions (all products and versions except as shown in Table 1)
- BMC IMS for z/OS solutions (all products and versions)
- BMC DB2 for z/OS solutions (all products and versions)
- BMC Middleware Administration
- BMC Middleware Management - Transaction Analytics for WebSphere MQ (StatWatch)
- BMC BladeLogic Client Automation
- BMC BladeLogic Portal
- BMC AppSight
- BMC Identity Management
- BMC IT Business Management
- BMC Network Automation
- BMC Service Desk Express
- BMC Service Level Management
- BMC TrackIt!
- BMC RemedyForce (all versions)
- BMC Footprints Service Core/Renoir 12
- BMC Performance Manager Portal
- BMC Event Manager
- BMC TrueSight IT Data Analytics
- BMC Storage Data Management
- BMC Performance Manager for WebSphere Business Integration (WBI)
- Aternity for BMC End User Experience Management Console and Agents (all versions)
- BMC Education Solution Accelerator (ESA)
- Moviri Integration for BMC Capacity Optimization
- nlyte Enterprise Edition for BMC Software
- Seamless Technologies Event Integration for BMC TrueSight Operations Management
- BMC Mobile Device Management (MDM)
- Sentry Software Integration for BMC Capacity Optimization
- Sentry Software Monitoring for BMC TrueSight Operations Management
- Sentry Software Adapters for BMC Atrium Orchestrator
- SailPoint Provisioning Engine for BMC Software Solutions
- SailPoint Compliance Manager for BMC Software Solutions
- SailPoint Lifecycle Manager for BMC Software Solutions
- Quindell OS3 Frameworks for BMC Remedy

Products that include OpenSSL, but are not vulnerable:
- BMC Client Management (formerly BMC Footprints Asset Core) versions 11.x and 12.x: ship with the OpenSSL 1.0.0 branch with export ciphers disabled. Will upgrade to the latest release of the OpenSSL 1.0.0 branch in version 12.1, planned for October 2015
- BMC Performance Manager Portal 2.11.0: ships with export ciphers disabled
- BMC TrueSight Infrastructure Management (formerly BMC ProactiveNet Performance Management Suite) 9.5 and 9.6: ship with export ciphers disabled
- BMC BladeLogic Decision Support for Server Automation 8.3.02, 8.3.03, 8.5 and 8.5.01 (Windows + Linux + Solaris)
- BMC BladeLogic Decision Support for Server Automation Unix (Linux + Solaris) 8.2, 8.2.01, 8.2.02, 8.2.03, 8.2.04, 8.3 and 8.3.01
- BMC BladeLogic Decision Support for Server Automation Windows 8.2.02, 8.2.03, 8.2.04, 8.3 and 8.3.01
- BMC Release Process Management (RPM)
- BMC Server Automation (BladeLogic) (BSA)
- TrueSight Capacity Optimization (old name: BMC Capacity Optimization and Performance Assurance)
- BMC Real End User Experience Monitoring versions 2.5 and 2.5.01 (2.5.64.306 and 2.5.66.300)
- BMC Real End User Experience Monitoring Hardware Collector versions 2.5 and 2.5.01 (2.5.64.306 and 2.5.66.300)
- BMC TrueSight End User Monitor 1200 Series versions 2.5 and 2.5.01 (6.5.64.306 and 6.5.66.300)
- BMC TrueSight End User Monitor 4200 Series versions 2.5 and 2.5.01 (6.5.64.306 and 6.5.66.300)
- BMC Real End User CloudProbe
- BMC MyIT (see this page for additional details)
- BMC SmartIT (see this page for additional details)
- BMC Remedy AR System and ITSM Suite (see this article for details)

 

Products not listed in Table 1 and Table 2 above are still under investigation. Updates on these products will be posted to this page as they become available.
Recommendations:
   1. BMC products are frequently installed in environments that include infrastructure components that embed the OpenSSL library (e.g. Web Servers, Application Servers, Middleware, etc.). Please check with the vendors of these components to ensure they have been patched or that they are not affected by the OpenSSL CVE-2015-0204 and CVE-2015-0291 vulnerabilities.
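A practical way to act on this recommendation is to inventory the OpenSSL version string reported by each infrastructure component (for example the output of `openssl version`) and compare it with the releases in which the two high-severity issues were fixed. The script below is an added example, not BMC's tooling. The fixed versions it encodes come from the OpenSSL project's advisories rather than from this page: CVE-2015-0204 (the RSA export-cipher downgrade, "FREAK") was fixed in 1.0.1k, 1.0.0p and 0.9.8zd, and CVE-2015-0291 affects only the 1.0.2 branch and was fixed in 1.0.2a. The host inventory is constructed for illustration.

```python
"""Classify OpenSSL version banners against CVE-2015-0204 and CVE-2015-0291.

Added example (not BMC's code). Fixed releases per OpenSSL advisories
(assumed correct here, not taken from the BMC page):
  CVE-2015-0204: fixed in 0.9.8zd, 1.0.0p, 1.0.1k (1.0.2 shipped after the fix)
  CVE-2015-0291: only the 1.0.2 branch is affected; fixed in 1.0.2a
Caveat: vendor builds often backport fixes without bumping the version
letter (RHEL's "1.0.1e-fips" is the classic case), so "affected" means
"confirm with the OS or appliance vendor", not "confirmed exploitable".
"""
import re

FIXED_0204 = {"0.9.8": "zd", "1.0.0": "p", "1.0.1": "k"}
FIXED_0291 = {"1.0.2": "a"}

_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner):
    """Return (branch, patch_letter) from an `openssl version` banner.

    'OpenSSL 1.0.1e-fips 11 Feb 2013' -> ('1.0.1', 'e')
    """
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    branch = "%s.%s.%s" % (m.group(1), m.group(2), m.group(3))
    return branch, m.group(4)


def letter_key(letter):
    # OpenSSL patch letters run a..z and then za, zb, ...; an empty suffix is
    # the base release. A shorter suffix is always older, so compare by
    # (length, text).
    return (len(letter), letter)


def classify(banner):
    """Map each CVE to 'affected', 'fixed' or 'not-applicable' for one banner."""
    branch, letter = parse_version(banner)
    nums = tuple(int(x) for x in branch.split("."))
    result = {}
    for cve, table in (("CVE-2015-0204", FIXED_0204), ("CVE-2015-0291", FIXED_0291)):
        if branch in table:
            fixed_letter = table[branch]
            result[cve] = "fixed" if letter_key(letter) >= letter_key(fixed_letter) else "affected"
        elif cve == "CVE-2015-0204" and nums < (0, 9, 8):
            # End-of-life branch with no fixed release at all.
            result[cve] = "affected"
        else:
            result[cve] = "not-applicable"
    return result


def hosts_needing_action(inventory):
    """Return sorted host names whose banner is affected by either CVE."""
    flagged = []
    for host, banner in inventory.items():
        verdicts = classify(banner)
        if "affected" in verdicts.values():
            flagged.append(host)
    return sorted(flagged)


# Constructed sample inventory: host -> `openssl version` output.
SAMPLE_INVENTORY = {
    "web-proxy-01": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "app-server-02": "OpenSSL 1.0.1k 8 Jan 2015",
    "mq-broker-03": "OpenSSL 1.0.2 22 Jan 2015",
    "lb-04": "OpenSSL 0.9.8zc 15 Oct 2014",
}

if __name__ == "__main__":
    for host, banner in SAMPLE_INVENTORY.items():
        print(host, banner, classify(banner))
    print("needs vendor follow-up:", hosts_needing_action(SAMPLE_INVENTORY))
```

The version check is only the first step: even on a fixed build, confirm that the component's cipher configuration excludes export suites, which is the condition the "not vulnerable" entries in Table 2 rely on.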

Last Modified at 1:15PM CT, February 19, 2015

Latest details from BMC

 

Recent research published by three students at Saarland University in Germany shows that a large number of MongoDB databases all over the globe have been misconfigured; this allows unauthenticated remote access to sensitive information.

 

BMC Software’s Application Security team has investigated the impact that the MongoDB security configuration vulnerability (described here) has on the security posture of BMC products and services.

 

The products below ship with a MongoDB database and if configured incorrectly might be vulnerable to the attacks described above. We recommend that our customers take the necessary steps to configure their MongoDB deployments securely as documented in the MongoDB manuals.

Products which include MongoDB | Remediation / Patching
BMC MyIT, BMC SmartIT | See this support article for instructions on configuring MongoDB in a secure fashion.
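The misconfiguration behind the Saarland research is a mongod instance that listens on every interface with access control left at its default (off). The checker below is an added example, not BMC's support tooling or MongoDB's own code; it reads a mongod configuration file in either the YAML layout (MongoDB 2.6 and later: `net.bindIp`, `security.authorization`) or the older `key = value` layout (`bind_ip`, `auth`) and reports the two findings a reviewer of a MyIT or SmartIT deployment would look for. The sample configurations are constructed; the parser deliberately understands only the two-level structure these settings use.

```python
"""Audit a mongod configuration for the two settings behind unauthenticated
remote access: listening on all interfaces and access control disabled.

Added example (not BMC's or MongoDB's code). Assumptions, stated here:
  - YAML layout uses net.bindIp and security.authorization (MongoDB 2.6+).
  - Legacy layout uses bind_ip and auth (MongoDB 2.4 and earlier).
  - Before MongoDB 3.6 an unset bind address meant "all interfaces", so a
    missing setting is reported as a finding.
"""


def parse_config(text):
    """Flatten a mongod.conf into {'net.bindIp': '...', 'auth': 'true', ...}.

    Handles the indentation-based YAML layout and the legacy key = value
    layout; comments and blank lines are ignored.
    """
    settings = {}
    stack = []  # (indent, key) of enclosing YAML sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        eq, colon = line.find("="), line.find(":")
        if eq != -1 and (colon == -1 or eq < colon):
            # Legacy "key = value" line.
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            settings[path] = value.strip()
        else:
            stack.append((indent, key.strip()))
    return settings


def audit(text):
    """Return a list of findings; an empty list means both checks passed."""
    cfg = parse_config(text)
    findings = []

    bind = cfg.get("net.bindIp", cfg.get("bind_ip"))
    if bind is None:
        findings.append("no bind address configured: mongod listens on all "
                        "interfaces by default (pre-3.6); set net.bindIp")
    else:
        addrs = [a.strip() for a in bind.strip("[]").split(",")]
        wildcard = [a for a in addrs if a in ("0.0.0.0", "::")]
        if wildcard:
            findings.append("bind address includes wildcard %s: restrict to "
                            "loopback or the application host" % ", ".join(wildcard))

    if "security.authorization" in cfg:
        auth_enabled = cfg["security.authorization"].lower() == "enabled"
    else:
        auth_enabled = cfg.get("auth", "false").lower() == "true"
    if not auth_enabled:
        findings.append("access control disabled: set security.authorization: "
                        "enabled (or auth = true) and create users")
    return findings


# Constructed sample configurations.
INSECURE_YAML = """\
# constructed example: exposed and unauthenticated
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
"""
SECURE_YAML = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""
INSECURE_LEGACY = "port = 27017\n# no bind_ip and no auth line\n"
SECURE_LEGACY = "bind_ip = 127.0.0.1\nauth = true\n"

if __name__ == "__main__":
    for name, conf in (("insecure yaml", INSECURE_YAML), ("secure yaml", SECURE_YAML),
                       ("insecure legacy", INSECURE_LEGACY), ("secure legacy", SECURE_LEGACY)):
        print(name, "->", audit(conf) or "OK")
```

Binding to loopback is the right setting when MongoDB runs on the same host as the application; if it must be reachable from another host, bind to that interface, keep authorization enabled, and confirm with a firewall rule that port 27017 is not reachable from the internet.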

Last Modified at 04:30AM CT, February 5, 2015

Latest details from BMC

 

BMC Software’s Application Security team has investigated the impact that the CVE-2015-0235 (a.k.a. “GHOST”) vulnerability has on the security posture of BMC products and services.

As this flaw lies in the glibc library and is reached through the gethostbyname() family of functions, we have not found it to be exploitable in any BMC products. However, the products listed below ship with Linux operating systems and are therefore affected by the CVE-2015-0235 vulnerability.
We recommend that our customers take the necessary steps to prevent exploitation of CVE-2015-0235, either by patching their Linux operating systems or by configuring appropriate IPS signatures.

Products which include a vulnerable OS | Remediation / Patching
BMC Atrium Discovery and Dependency Mapping (all versions); BMC Atrium Discovery and Dependency Mapping Proxy (all versions) | The latest OS update includes an updated version of the glibc library.
BMC Real End User Experience Monitoring; BMC Real End User Experience Monitoring Hardware Collector; BMC TrueSight End User Monitor | A device patch and product-specific knowledge article are expected by February 28, 2015.
