
Last Modified at 9:45AM CST, December 10, 2015

Latest details from BMC

BMC Software's Application Security team is investigating the impact that the SSL 3.0 CVE-2014-3566 (a.k.a. "POODLE") vulnerability has on the security posture of BMC products and services.

The products listed below allow SSL 3.0 connections and are therefore affected by the SSL 3.0 CVE-2014-3566 vulnerability.

Products which allow SSL 3.0 connections, with the remediation / patching for each:

BMC Atrium Discovery and Dependency Mapping - all versions
BMC Atrium Discovery and Dependency Mapping Proxy - all versions
  Remediation: Manually disable SSL 3.0 until patches are available that remove SSL 3.0 completely. These will be included in a future OS update. Refer to this blog post for details and instructions.

BMC Client Management - versions 11.x and 12.0 (formerly BMC FootPrints Asset Core)
  Remediation: BMC will be disabling SSLv3 support in the BCM agent, permitting only TLS connections (versions 1.0, 1.1 or 1.2). In addition, OpenSSL will be updated to help block any downgrade attack such as POODLE.
  Please download one of the following Hot Fixes:
    11.5 Hot Fix
    11.6 Hot Fix
    11.7 Hot Fix
    12.0 Hot Fix
  NOTE: If integrating with BMC FootPrints Service Core, the application of the hot fix also requires the latest OpenSSL for the BMC FootPrints Service Core installation. The patch can be obtained from this support article.

BMC MainView Console Management for zEnterprise - all versions
  Remediation: MainView Console Management Cumulative SSL Security Patch 2014.10.16 for versions 3.1-3.2 is available via Electronic Product Distribution. Earlier versions must be upgraded to at least 3.1 before the patch can be applied.

BMC Remedy OnDemand (service suite includes hosted instances of BMC MyIT, BMC AppZone and BMC Footprints Asset Core)
  Remediation: BMC is in the process of disabling SSL v3.0 across all data centers and service offerings. To date the following service offerings have been completed:
    Commercial - US
    Commercial - UK
    Commercial - CA
    Commercial - AU
    Public Sector - US
    Public Sector - Federal

BMC Workload Automation (Control-M) versions 6.4.x, 7.0.x, 8.0.x
  Remediation: Manually disable SSL 3.0 fallback. Refer to this blog post for details and instructions.

BMC FootPrints Service Core - version 12.x
  Remediation: FootPrints 12.x does not install Java or Tomcat for the customer. Instead, the customer supplies their own Java and Tomcat installations. See this support article for guidance on upgrading these installations and on how to disable SSLv3 in Tomcat. No patches are necessary.

BMC FootPrints Service Core - versions 11.x, 10.0.2, 9.5.4
  Remediation: See this support article for patches to update OpenSSL to 1.0.1j as used by the product in Perl and Tomcat. See this support article for guidance on disabling SSLv3 for versions 11 and newer.

Remedyforce
  Remediation: Manually disable SSL 3.0 on web browsers. See this article in BMC Communities for details.
Aternity for BMC End User Experience Management Console and Agents (all versions)
Aternity for BMC End User Experience Management Dashboards Server (all versions)
  Remediation: For every Aternity node (data warehouse, management server, and EPM), configure the Apache Tomcat HTTPS connector in its XML configuration by setting the following attributes:

    sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
    sslProtocol="TLS"

  See this article for more details. For the Tableau server, see this article for instructions.
BMC Atrium Orchestrator
  Remediation: In Apache Tomcat turn off SSL v3 and v2 and leave only TLS enabled, as described in this article on the Red Hat website.

BMC BladeLogic Database Automation
  Remediation: In Apache Tomcat turn off SSL v3 and v2 and leave only TLS enabled, as described in this article on the Red Hat website. OpenSSL will be upgraded in version 8.6 and back-ported to 8.5 in a patch shortly after 8.6 is released.

BMC BladeLogic Decision Support for Database Automation
BMC BladeLogic Decision Support for Network Automation
  Remediation:
    1. In Apache Tomcat, go to the "<PATH>\BL-Decision Support\tomcat\conf" directory.
    2. Take a backup of the server.xml file.
    3. Edit server.xml, replacing sslProtocols="TLS" with sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2".
    4. Save the file and restart the "BL-Decision Support Web Server" service.
BMC BladeLogic Decision Support for Server Automation (Windows, Unix, and Linux)
  Remediation: Upgrade packages are available for BDSSA 8.3.x and 8.5.x. See this article for instructions on obtaining the package for BDSSA.

BMC BladeLogic Middleware Automation
  Remediation: Please see this article for detailed instructions on disabling SSL 3.0.

BMC BladeLogic Network Automation
  Remediation: In Apache Tomcat turn off SSL v3 and v2 and leave only TLS enabled, as described in this article on the Red Hat website. BNA server and agent communication over RMI uses TLS 1.2 by default. HTTPS communication between the BNA agent and network devices is either configured to initiate TLS or to accept the handshake from BNA, which uses TLS.

BMC BladeLogic Server Automation
  Remediation: Upgraded OpenSSL and fixed Java JSSE in BSA 8.5 SP1 Patch 3 and BSA 8.6. A hotfix is available for 8.3.03 (build 190 or higher). Please see this article for instructions on obtaining this hotfix.

BMC Cloud Lifecycle Management
  Remediation: In Apache Tomcat turn off SSL v3 and v2 and leave only TLS enabled, as described in this article on the Red Hat website. If HTTPS is enabled for CLM Platform Manager, please contact BMC Customer Support for assistance with the Jetty configuration.

BMC DCA Portal
  Remediation: In Apache Tomcat turn off SSL v3 and v2 and leave only TLS enabled, as described in this article on the Red Hat website.

BMC Release Package and Deployment
  Remediation: In Apache Tomcat turn off SSL v3 and v2 and leave only TLS enabled, as described in this article on the Red Hat website.

BMC Release Process Management (DevOps)
  Remediation: In Apache Tomcat turn off SSL v3 and v2 and leave only TLS enabled, as described in this article on the Red Hat website.

BMC Release Lifecycle Management
  Remediation: This is a combination of BMC Release Package and Deployment, BMC Release Process Management, and BMC BladeLogic Server Automation. Please see the entries above for the individual remediation steps for each.
Entuity Network Monitoring for BMC ProactiveNet Performance Management V14.0 and above
Entuity for BMC TrueSight Operations Management
Entuity Integrator for BMC TrueSight Operations Management
Entuity Network Analyzer for BMC TrueSight Operations Management
Entuity Flow Analyzer for TrueSight Ops
  Remediation: Modify the following Apache configuration files:

  <Entuity Home>\install\template\lib\apache\conf\httpd_eye.conf
    From:  ##CONFIGPARSE##    SSLProtocol -ALL +SSLv3 +TLSv1
    To:    ##CONFIGPARSE##    SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2

  <Entuity Home>\lib\apache\conf\httpd_eye.conf
    From:  SSLProtocol -ALL +SSLv3 +TLSv1
    To:    SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2

  Then restart the Entuity Web Server:
    <Entuity Home>\bin\stop webserver
  The Web Server will automatically restart after stopping.
Entuity Network Monitoring for BMC ProactiveNet Performance Management V10.5 and earlier
  Remediation: Please contact BMC Customer Support for assistance.

BMC Capacity Optimization and Performance Assurance
  Remediation: See this article for detailed remediation steps.

BMC Patrol Central Web Edition
  Remediation: See this article for detailed remediation steps.

BMC Performance Manager Portal
  Remediation: See this article for detailed remediation steps.

BMC Application Transaction Tracing
  Remediation: Patch available. Please contact BMC Customer Support for assistance.

BMC Middleware Administration
  Remediation: See this article for detailed remediation steps.

BMC Middleware Management - Administration for WebSphere MQ (AppWatch)
  Remediation: See this article for detailed remediation steps.

BMC Middleware Management - Performance and Availability
BMC Middleware Management - Transaction Monitoring
BMC Middleware Monitoring
  Remediation: Patches available.

BMC ProactiveNet Performance Management Suite Server 9.0
BMC ProactiveNet Performance Management Suite 9.5
  Remediation: See this article for detailed remediation steps.

BMC Real End User Experience Monitoring Hardware Collector versions 2.5 and 2.5.01 (2.5.64.306 and 2.5.66.300)
BMC Real End User Experience Monitoring versions 2.5 and 2.5.01 (2.5.64.306 and 2.5.66.300)
BMC TrueSight End User Monitor 1200 Series versions 2.5 and 2.5.01 (6.5.64.306 and 6.5.66.300)
BMC TrueSight End User Monitor 4200 Series versions 2.5 and 2.5.01 (6.5.64.306 and 6.5.66.300)
  Remediation: Patch available. Please contact BMC Customer Support for assistance.

BMC TMART 4.2
  Remediation: Please see this article for instructions.

BMC IT Data & Analytics
  Remediation: By default, SSL is not enabled. The product documentation for enabling SSL has been updated so that SSLv3.0 is not enabled.

BMC Impact Integration Web Services 7.4.00
  Remediation: Please see this article for detailed instructions on disabling SSL 3.0.

MyIT 2.0, MyIT 2.1 and SmartIT
  Remediation: Please see this support article for instructions on disabling SSL V3 in the Tomcat used by MyIT and SmartIT.

BMC Remedy AR System and ITSM Suite 7.6.04, 8.0, and 8.1
  Remediation: See this support article for instructions on disabling SSL V3 in the Tomcat used by Mid-Tier. If you are using the LDAP integration plug-in, BMC recommends consulting your LDAP Server documentation for turning off SSL V3 in your LDAP Server. An LDAP plug-in hotfix that allows the LDAP plug-in to use TLS for communication with the LDAP Server is available here.

BMC Remedy AR System 8.8
  Remediation: See this support article for instructions on disabling SSL V3 in the Tomcat used by Mid-Tier. If you are using the LDAP integration plug-in, BMC recommends consulting your LDAP Server documentation for turning off SSL V3 in your LDAP Server.

BMC Atrium SSO
  Remediation: See this support article for instructions on disabling SSL V3 in Atrium SSO.

BMC Transaction Management Application Response Time - Infrastructure Edition
BMC Transaction Management Application Response Time - Service Level Edition
  Remediation: See this support article for instructions.
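The Tomcat connector attributes (Aternity, BladeLogic Decision Support) and the Apache SSLProtocol directives (Entuity) above can be verified mechanically after the change. The following Python script is an added example, not BMC's or any vendor's tooling: it parses a constructed server.xml and a constructed httpd.conf fragment, both modelled on the lines in this bulletin, and reports every HTTPS connector or SSLProtocol directive that still leaves SSLv3 (or SSLv2) enabled.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Tomcat server.xml, not from any BMC product. Port 8443 still carries the
# old sslProtocols="TLS" attribute named in the bulletin, 9443 is set as the bulletin
# instructs, 7443 lists SSLv3 explicitly and 8080 is plain HTTP.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https" sslProtocols="TLS" />
  <Connector port="9443" SSLEnabled="true" scheme="https" sslProtocol="TLS"
             sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" />
  <Connector port="7443" SSLEnabled="true" scheme="https" sslEnabledProtocols="SSLv3,TLSv1" />
  <Connector port="8080" />
</Service></Server>"""

# Constructed httpd.conf fragment modelled on the Entuity lines in the bulletin.
SAMPLE_HTTPD_CONF = """Listen 443
##CONFIGPARSE##    SSLProtocol -ALL +SSLv3 +TLSv1
# SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
<VirtualHost *:443>
    SSLProtocol all -SSLv2
</VirtualHost>
"""

# What mod_ssl's "ALL" keyword expands to (Apache 2.2 era, which still knew SSLv2).
MOD_SSL_ALL = {"SSLV2", "SSLV3", "TLSV1", "TLSV1.1", "TLSV1.2"}


def audit_tomcat_connectors(server_xml):
    """Return (port, finding) for each SSL-enabled Connector that may still accept SSLv3."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to check
        port, enabled = conn.get("port"), conn.get("sslEnabledProtocols")
        if enabled is None:
            # No explicit list: the connector uses the JSSE defaults, which still
            # include SSLv3 on Java releases older than 7u75 / 8u31.
            findings.append((port, "no sslEnabledProtocols; JSSE default may include SSLv3"))
            continue
        legacy = sorted(p.strip() for p in enabled.split(",") if p.strip().upper().startswith("SSL"))
        if legacy:
            findings.append((port, "sslEnabledProtocols lists " + ", ".join(legacy)))
    return findings


def audit_apache_sslprotocol(conf_text):
    """Return (line_no, directive) for active SSLProtocol lines that leave SSLv2/SSLv3 on."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        # ##CONFIGPARSE## is the Entuity template marker shown in the bulletin; ignore it.
        text = line.replace("##CONFIGPARSE##", "").strip()
        if text.startswith("#"):
            continue  # commented out, not active
        m = re.match(r"SSLProtocol\s+(.+)", text, re.IGNORECASE)
        if not m:
            continue
        enabled = set()
        # mod_ssl applies tokens left to right: +name adds, -name removes, a bare
        # name adds, and ALL stands for every protocol.
        for tok in m.group(1).split():
            sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
            target = MOD_SSL_ALL if name.upper() == "ALL" else {name.upper()}
            enabled = (enabled | target) if sign == "+" else (enabled - target)
        if enabled & {"SSLV2", "SSLV3"}:
            findings.append((no, text))
    return findings
```

Run both functions over the real server.xml and httpd_eye.conf contents after applying the bulletin's changes; an empty result for each means no SSLv3-capable listener remains in those files.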

Last Modified at 8:80AM CT, November 12, 2014

In reference to the Sept 25, 2014 disclosure of the GNU Bourne Again Shell (Bash) "ShellShock" vulnerabilities (CVE-2014-6271, CVE-2014-7169), BMC Software is currently investigating and assessing the impact to our products and services as well as our own customer-facing portals.

BMC Software will communicate the results of our investigation and related remediation plans in this news article. Please bookmark this page, and check it periodically for the latest details. These vulnerabilities are known to currently affect only BMC products that embed the Linux operating system, so the overall breadth of exposure is considered to be minimal.

Please be aware that this bulletin will only track the BMC products that are affected by these vulnerabilities. This means that if a BMC product is not listed, then we have determined that it is not directly vulnerable to CVE-2014-6271 or CVE-2014-7169.

We have identified that the following BMC products and services are affected by the "ShellShock" vulnerability (CVE-2014-6271, CVE-2014-7169):

Product / service, whether affected, status, and notes:

ADDM
  Affected: Yes
  Status: Fix Available
  Notes: Please see this item in the BMC Communities for patches and installation instructions.

BMC Remedy OnDemand (service suite includes hosted instances of BMC MyIT, BMC AppZone and BMC Footprints Asset Core)
  Affected: Yes
  Status: Patching Complete
  Notes: The following BMC Remedy OnDemand service offerings have completed the patching process and will be continuously monitored for any future variations:
    Commercial - US
    Commercial - UK
    Commercial - CA
    Commercial - AUS
    Public Sector - US
    Public Sector - Federal

CLM Rapid Deployment Stack
  Affected: Yes
  Status: Fix Available
  Notes: The effect of the Shellshock vulnerability on the CLM RDS is described in this blog post. CLM Rapid Deployment Stack (RDS) v.4.1 has been updated to include a patched version of GNU bash. Existing deployments of the RDS must be patched manually by following the instructions in this article from Red Hat.

BMC Application Management Console
BMC Real End User Experience Hardware Collector (1200 Series)
BMC Real End User Experience Monitoring
BMC TrueSight End User Collector (4200 Series)
BMC TrueSight End User Monitor (all series)
  Affected: Yes
  Status: Fix Available
  Notes: Please see this knowledge article for download and installation instructions.

BMC Middleware and Transaction Management
  Affected: Yes
  Status: Fix Available
  Notes: GNU bash is included in a Cygwin distribution that is used to collect files to help resolve support cases related to the BMC Middleware Management solutions. A patched version of Cygwin is included in Hotfix 7.0.00.150.1AE, which is available for download on BMC Electronic Product Distribution.


BMC products are frequently installed in environments that include infrastructure components and/or operating systems that embed the GNU Bourne Again Shell (Bash). Please check with the vendors of these components and operating systems to ensure they have been properly patched.


Last Updated: July 28, 2014 3:00PM CDT

The OpenSSL Security Advisory [05 Jun 2014] ("Advisory") disclosed OpenSSL security vulnerabilities. BMC Software is investigating the impact of the disclosed vulnerabilities to our products and services as well as our customer-facing portals.

The products in Table 1 below have been found to be vulnerable to the disclosed OpenSSL CCS Injection flaw. The planned remediation and expected availability date for each affected product is shown in the table. No products have been found to be vulnerable to the other flaws described in the advisory. This table will be updated as needed as the investigation progresses.

Table 1. Product and remediation:

BMC BladeLogic Decision Support for Server Automation 8.2.x, 8.3.x, and 8.5 (Windows + Linux + Solaris)
  Remediation: BDSSA 8.5 SP1 as well as patches for BDSSA 8.2.x, 8.3.x and 8.5 include OpenSSL 1.0.1h. All patches are available via FTP.

BMC Real End User Experience Monitoring versions 2.5 and 2.5.01 (2.5.64.306 and 2.5.66.300)
BMC Real End User Experience Monitoring Hardware Collector versions 2.5 and 2.5.01 (2.5.64.306 and 2.5.66.300)
BMC TrueSight End User Monitor 1200 Series versions 2.5 and 2.5.01 (6.5.64.306 and 6.5.66.300)
BMC TrueSight End User Monitor 4200 Series versions 2.5 and 2.5.01 (6.5.64.306 and 6.5.66.300)
  Remediation: Upgraded to OpenSSL 1.0.1h in version 2.6, released July 11 (available by EPD).

BMC Atrium Discovery and Dependency Mapping 8.3.x, 9.0.x, and 10.0.x
  Remediation: Updated OpenSSL included in the OS update released June 20.

BMC Atrium Discovery and Dependency Mapping Proxy 9.0.x
  Remediation: Updated OpenSSL included in 9.0 SP3, released July 1.

BMC Atrium Discovery and Dependency Mapping Proxy 8.3.x and 10.0.x
  Remediation: Updated OpenSSL will be included in any future releases.

BMC Atrium SSO
  Remediation: Please apply the OS update released June 20 to the ADDM appliance.

BMC MainView Console Automation (all versions through 3.2)
  Remediation: For versions 3.1 and 3.2, a Cumulative SSL Security patch released June 9 addresses this case; it fixes both the "Heartbleed" vulnerability and those disclosed in June. Customers running earlier releases of MainView Console Automation should upgrade to version 3.2 before the patch can be installed.

BMC Footprints Service Core 11.6.02 and prior
  Remediation: Updated OpenSSL for Tomcat included in the patch released July 16. Detailed remediation steps and a link to the patch are included in this article on the Footprints support site.

Aternity for BMC End User Experience Management Dashboards Server (all versions)
  Remediation: Updated OpenSSL included in the patch available July 15.

Although no other products have been found to be vulnerable to the OpenSSL CCS Injection flaw, some do include older versions of OpenSSL. As a precaution we will be upgrading the OpenSSL libraries included in all our supported products as part of their next planned service pack or release, whichever occurs first.

BMC products are frequently installed in environments that include infrastructure components that embed the OpenSSL library (e.g. Web Servers, Application Servers, Middleware, etc.). Please check with the vendors of these components to ensure they have been patched or that they are not affected by the OpenSSL Security Advisory from June 5th.

Please bookmark this page, and check it periodically for the latest details.


Last Updated: June 2, 2014 4:00PM CDT

BMC Software's Application Security team is investigating the impact that the OpenSSL CVE-2014-0160 vulnerability has on the security posture of BMC products and services.

The products listed in Table 1 below include OpenSSL libraries affected by the OpenSSL CVE-2014-0160 vulnerability.
Table 1. Products which include affected OpenSSL, with remediation / patches:

BMC Atrium Discovery and Dependency Mapping 10.0
BMC Atrium Discovery and Dependency Mapping Proxy 10.0
BMC Atrium Discovery and Dependency Mapping 9.0 RedHat 6
BMC Atrium Discovery and Dependency Mapping Proxy 9.0
  Remediation: Fix available on BMC Electronic Product Distribution. Refer to this blog post for details and update instructions.

BMC TrueSight Operations Management Suite Server 9.5
  Remediation: Patches available from the BMC FTP site (see the readme file for details).

BMC Real End User Experience Monitoring versions 2.5 and 2.5.01 (2.5.64.306 and 2.5.66.300)
  Remediation: Patch available through deviceupdates. See this document for details.

BMC Real End User Experience Monitoring Hardware Collector versions 2.5 and 2.5.01 (2.5.64.306 and 2.5.66.300)
  Remediation: Patch available through deviceupdates. See this document for details.

BMC TrueSight End User Monitor 1200 Series versions 2.5 and 2.5.01 (6.5.64.306 and 6.5.66.300)
  Remediation: Patch available through deviceupdates. See this document for details.

BMC TrueSight End User Monitor 4200 Series versions 2.5 and 2.5.01 (6.5.64.306 and 6.5.66.300)
  Remediation: Patch available through deviceupdates. See this document for details.

Borland Silk Performer Synthetic Transaction Monitoring for BMC Software (Synthetic-EUEM) 15.0
  Remediation: Fix available on BMC Electronic Product Distribution.

BMC TMART 4.1 SP2, 4.2
  Remediation: Fix available on BMC Electronic Product Distribution.

BMC BladeLogic Decision Support for Server Automation 8.2.03, 8.2.04, 8.3, 8.3.01
  Remediation: Linux fixes available for 8.2.03, 8.2.04, 8.3 and 8.3.01. Solaris fixes available for 8.2.03, 8.2.04, 8.3 and 8.3.01. Windows versions not affected.

BMC BladeLogic Decision Support for Server Automation 8.3.02, 8.3.03, 8.5
  Remediation: Linux fixes available for 8.3.02, 8.3.03 and 8.5. Solaris fixes available for 8.3.02, 8.3.03 and 8.5. Windows fixes available for 8.3.02, 8.3.03 and 8.5.

BMC MainView Console Automation for zEnterprise 3.1, 3.2
  Remediation: Fix available on BMC Electronic Product Distribution.

Aternity for BMC End User Experience Management Dashboards Server (all versions)
  Remediation: Fix available from Aternity. See this page for details.

Entuity Network Monitoring for BMC TrueSight Operations Management V14.0
  Remediation: Fix available from the Entuity web site. Please contact BMC Customer Support for access credentials.
The products listed in Table 2 below either do not include OpenSSL libraries or include OpenSSL libraries unaffected by the OpenSSL CVE-2014-0160 vulnerability.
Table 2. Products which do not include OpenSSL (first column) and products which include unaffected OpenSSL (second column):

Products which do not include OpenSSL:
  BMC Atrium Orchestrator
  BMC Cloud Lifecycle Management
  BMC Decision Support for Database Automation
  BMC Decision Support for Network Automation
  BMC Release Lifecycle Management
  BMC MainView Console Management 2.12 and prior
  BMC MainView for z/OS solutions (all products and versions except as shown in Table 1)
  BMC IMS for z/OS solutions (all products and versions)
  BMC DB2 for z/OS solutions (all products and versions)
  BMC Middleware Administration
  BMC Middleware Management - Transaction Analytics for WebSphere MQ (StatWatch)
  BMC BladeLogic Client Automation
  BMC AppSight
  BMC Identity Management
  BMC IT Business Management
  BMC Network Automation
  BMC Service Desk Express
  BMC Service Level Management
  BMC TrackIt!
  BMC MyIT (all versions)
  BMC RemedyForce (all versions)
  BMC Footprints Service Core/Renoir 12
  BMC Performance Manager Portal
  BMC Storage Data Management
  BMC Performance Manager for WebSphere Business Integration (WBI)
  Aternity for BMC End User Experience Management Console and Agents (all versions)
  BMC Education Solution Accelerator (ESA)
  Moviri Integration for BMC Capacity Optimization
  nlyte Enterprise Edition for BMC Software
  Seamless Technologies Event Integration for BMC TrueSight Operations Management
  BMC Mobile Device Management (MDM)
  Sentry Software Integration for BMC Capacity Optimization
  Sentry Software Monitoring for BMC TrueSight Operations Management
  Sentry Software Adapters for BMC Atrium Orchestrator
  SailPoint Provisioning Engine for BMC Software Solutions
  SailPoint Compliance Manager for BMC Software Solutions
  SailPoint Lifecycle Manager for BMC Software Solutions
  Quindell OS3 Frameworks for BMC Remedy

Products which include unaffected OpenSSL:
  BMC Atrium Discovery and Dependency Mapping 9.0 RedHat 5
  BMC Remedy AR System 8.8
  BMC Remedy AR System and ITSM Suite 8.1
  BMC Remedy AR System and ITSM Suite 8.0
  BMC Remedy AR System and ITSM Suite 7.6.04
  BMC Atrium CMDB
  BMC Footprints Service Core 11.6.02 and prior
  BMC Footprints Asset Core/BCM 11.6
  BMC Footprints Asset Core/BCM 11.7
  BMC Footprints Asset Core/BCM 12
  BMC Remedy OnDemand (based on underlying Remedy and hosting environment tested)
  BMC Capacity Optimization and Performance Assurance
  BMC Middleware Management - Performance and Availability
  BMC Middleware Management - Transaction Monitoring
  BMC TrueSight Operations Management Suite Server 9.0
  BMC Control-M 6.4
  BMC Control-M 7.0
  BMC Control-M 8.0
  BMC Dashboard and Analytics
  BMC Release Process Management
  BMC Database Automation (BladeLogic)
  BMC Server Automation (BladeLogic)
  BMC Release Package and Deployment (RPD)
  BMC Atrium SSO
  BMC TMART 4.1 (prior to SP2)
  BMC BladeLogic Decision Support for Server Automation: on Unix 8.2.00, 8.2.01, 8.2.02; on Windows 8.2.02, 8.2.03, 8.2.04, 8.3, 8.3.01
  BMC Event Manager
  BMC Patrol Central Web Edition
  BMC Application Transaction Tracing
  BMC Middleware Management - Administration for WebSphere MQ (AppWatch)
  BMC Middleware Monitoring
  Entuity Network Monitoring for BMC TrueSight Operations Management V10.5 and earlier
  BMC Performance Manager for Servers
  BMC PATROL Agent

Products not listed in Table 1 and Table 2 above are still under investigation. Updates on these products will be posted to this page as they become available.

Recommendations:
1. In cases where BMC products were deployed in vulnerable environments or were patched for the OpenSSL CVE-2014-0160 vulnerability, we recommend that you change all administrative passwords and replace all SSL certificates.
2. BMC products are frequently installed in environments that include infrastructure components that embed the OpenSSL library (e.g. web servers, application servers, middleware, etc.). Please check with the vendors of these components to ensure they have been patched or that they are not affected by the OpenSSL CVE-2014-0160 vulnerability.
