
BMC Software has identified an unauthenticated remote code execution vulnerability, CVE-2019-16755 (CVSS v3 score 10.0), in BMC Digital Workplace and Remedy with Smart IT.

BMC Digital Workplace 3.x and 18.x releases, associated service packs, and patches are affected by this vulnerability. No action is required if you are using BMC Digital Workplace 19.02 or later.

Remedy with Smart IT 1.x, 2.0, 18.05, 18.08, and 19.02 releases, associated service packs, and patches are affected by this vulnerability. No action is required if you are using Remedy with Smart IT 2.0 Patch 2 or Remedy with Smart IT 19.08.

No action is required for SaaS customers. This refers to Remedy as a Service (RaaS), Helix ITSM, or BMC Helix Digital Workplace.

 

Hot fix available
A hot fix is currently available for all affected versions of BMC Digital Workplace and Remedy with Smart IT. BMC strongly recommends that customers apply this hot fix.

The hot fixes for the affected versions are available at the following links:

For BMC Digital Workplace version 3.3 or earlier, you must upgrade to version 3.3.02 before applying the hot fix.

For Remedy with Smart IT versions 1.4 or earlier, you must upgrade to version 2.0 Patch 2. Please contact BMC Support if you require a fix for versions 1.5, 1.5.01, or 1.6.

 

Upgrade required for Remedy with Smart IT?

  • Remedy with Smart IT 18.05 requires an install of Patch 5 prior to applying the security vulnerability hot fix.
  • Remedy with Smart IT 18.08 requires an install of Patch 1 prior to applying the security vulnerability hot fix.
  • Remedy with Smart IT 19.02 requires an install of Patch 1 prior to applying the security vulnerability hot fix.

 

Upgrade required for BMC Digital Workplace?

  • BMC Digital Workplace 3.3.02, 3.4.00, and 3.5.00 do not require any upgrade; you can apply the security vulnerability hot fix directly.
  • BMC Digital Workplace 18.02, 18.05, 18.08, and 18.11 do not require any upgrade; you can apply the security vulnerability hot fix directly.

 

Thanks to Jerome Nokin for responsibly disclosing this vulnerability.


Best regards,

John Weigand
R&D Program Manager
BMC Software