No one likes cracks in security and neither does BMC. We have all encountered more than one or two security vulnerability reports from our internal security tools. So you got a vulnerability report; what do you do with it? These reports tell us where there may be security concerns with the various applications running. The first thought is to go straight to the vendor to see what can be done. Most times these vulnerabilities can be addressed through workarounds or configuration changes. However, sometimes a vulnerability cannot be addressed in the version you are currently running, and an upgrade may be needed to resolve it.
When a concern does arise about a possible security issue, please do not hesitate to contact Support, as we would like to assist. We make every effort to add new vulnerability details to our Knowledge Base, so if there is a workaround for the concern, it will be posted there. We therefore recommend using the search option to search for the vulnerability (use the CVE number if one is provided). Sometimes we haven't seen the vulnerability yet, and it may take some time for the team to investigate the issue and determine whether there is a workaround. Either way, our goal is to help make the product more secure and to meet your security needs.
One thing to note about the vulnerabilities and possible outcomes is that it really depends on which TrueSight component is affected. For example, suppose there is a vulnerability on the TrueSight Presentation Server, and let's say it is a Tomcat vulnerability for which the recommendation is to use a newer version. Unfortunately, we cannot upgrade the Tomcat version being used in TrueSight, because BMC mixes our own code with the Tomcat code, so there is no method that allows a clean third-party Tomcat upgrade. In this case you would need to upgrade to a newer TrueSight version or request a security exception, as there is no way to update the Tomcat version on the fly.
However, should you see an Apache vulnerability on the TrueSight Infrastructure Management server which recommends upgrading the version of Apache, please contact BMC Support, as we do have the ability to upgrade Apache separately from TrueSight because we don't mix the code. We have several Knowledge Articles written on upgrading the Apache version (BPPM Apache Upgrade - 000115475, TrueSight Apache Upgrade on Windows - 000153230, and TrueSight Apache Upgrade on UNIX - 000140492).
If you have questions about vulnerabilities, do not hesitate to contact Support. When you do contact Support, the important details to provide when opening a case are: the vulnerability number if known, the security scan tool used, the version of TrueSight affected, and the component of TrueSight affected (i.e. TSIM, TSPS, RSSO, etc.). The vulnerability number is most helpful if it is known, as we can track down specifics for each vulnerability. For example, the Common Vulnerabilities and Exposures database usually assigns a CVE number to most of the common vulnerabilities. Providing Support with the CVE number (https://cve.mitre.org/) helps us locate the vulnerability and determine which versions of the various applications are affected.
Support may ask for the name of the scan tool used, as this helps us when testing a fix internally. These days there are so many different scanning tools, and they are all ever so subtly different. A scan that passes our internal scanning tools may not pass your scans, depending on the tool used. So providing these details helps us track down information about the tool and sometimes the depth of the fix needed. We also have a variety of scanning tools in house, and if we have the one used for your scan, we can test any possible fixes in house and run a scan at our end to verify the fix, as opposed to sending you a fix and asking you to run a scan. We realize that it may not be easy or fast for you to run a scan. Security teams are getting larger and more specialized, and it may take an army to keep the scans running, so if we can fix it and test internally, why not let us take care of it for you?
We do our best to address as many issues as we can, but there are times when we must request a product upgrade or a security exception request. We mention the security exception request because we understand that upgrading a product such as TrueSight does take time and may need testing in a development environment before any production upgrades are done. Ideally, the upgrade is the better option, so if you need help with an upgrade, let us help you with our AMIGO program; see details below.
BMC maintains a corporate Application Security page in the BMC Community to provide updates regarding some of the mainstream vulnerabilities which are detected. Take a look - Application Security News
TrueSight 11.3.01 is coming soon. I always promote our AMIGO program, but now more than ever, since TrueSight 11.3.01 will be released soon. Start thinking about a possible upgrade to the latest version. Let us help you ensure a successful upgrade.
The BMC Assisted MIGration Offering, or AMIGO, is a free program designed to assist our customers in planning and preparing for product upgrades from an older to a newer supported version. By engaging with BMC Technical Support Analysts, you will be provided with materials containing guidelines and best practices to aid in compiling your own upgrade plan. An upgrade expert will then review your plan and offer advice and suggestions to ensure success through proper planning and testing.
The AMIGO program consists of a Starter Phase and a Review Phase. Each phase is initiated by opening a support case, and ends when the case is closed.
In the Starter Phase, an AMIGO Starter case is opened. Reference material will be provided and a call with a Technical Support Analyst will take place to discuss the details of your upgrade, and address any questions you may have. The AMIGO Starter case will be closed, and the next step will be for you to prepare a documented upgrade plan.
In the Review Phase, an AMIGO Review case is opened, preferably two weeks prior to a set upgrade date. A call will be scheduled with an upgrade expert to review your detailed plan, providing feedback and recommendations, along with answers to any outstanding questions. As needed, a follow-up discussion with a Technical Support Analyst may take place for feedback after the upgrade is performed.
The AMIGO program includes:
» A “Question and Answer” session before you upgrade
» A review of your upgrade plan with Customer Support
» An upgrade checklist
» Helpful tips and tricks for upgrade success from previous customer upgrades
» A follow-up session with Customer Support to let them know how it went. This will help BMC to enhance the process.
To get started, please review the details here:
*We will update the links for the 11.3.01 version once it is ready to release. You can use the link above as a guideline for upgrade planning.
Then open a BMC Support issue containing your environment information (product, version, OS, etc.) and the planned date of the installation, if known. We will contact you promptly, and work with you to ensure a successful and timely outcome.
Do you use our Knowledge Base? Let us know if you do or do not. We want to continually improve your experience with the Knowledge Base, so let us know what works and what does not work for you.
Have you taken advantage of our filtered URLs?
Searching KAs Pro-Tip: To find knowledge articles/solutions related to this BMC product, go to this blog page: https://goo.gl/c5W3P8. This post shows you how to use the links to filter searches by product, allowing for better search results.
New Knowledge Added over the last month:
000152720 How can the Oracle instance details be updated for TSIM after Data Guard switchover/failover?
000152765 java.lang.OutOfMemoryError: unable to create new native thread error seen in the TrueSight.log on Linux TSPS Server 11.0
000152766 MasterNotDiscoveredException and master_left exceptions in the TrueSight.log and the TSPS Server in HA shuts down itself
000152873 "The ImpactManager.aar service, which is not valid, caused ImpactManagerImpl initialize new IIWSImMgr Failed. Error on install of IIWS" seen in the iiws.log
000152932 TrueSight Operations Management Console GUI freezes up or becomes inactive after an unspecified period of inactivity
000153043 Integration Service agent status keeps changing to BROKEN and it uses the complete File Descriptor limit
000153063 Log Management KM doesn't generate instance alerts with dynamic filenames in TSOM
000153119 "pw ha enable" results in " Invalid getCellConfiguration() CellName:<cell name> null"
000153523 The dataUpgrade.bat script hangs "Initializing"
000153264 TSPS generating many instances of indexserver.log
We want to hear from you. What do you want to see more of or less of in these monthly posts? Are these posts helpful to you? Let us know by posting your comments!
Looking for a previous blog posting? Find it here: BMC TrueSight Pulse Blogs