While the Tomcat vulnerability issues in TM ART are independently categorized as “Medium”, BMC understands that there are organizations that perceive the risk as “High”.   As such, BMC has developed and tested an immediate work-around and is also in the process of developing a product update to address this issue.


Recommended Approach

BMC is in the process of developing an update that will:

  1. Address the Tomcat vulnerability. TM ART 4.2 uses Tomcat 7.0.29 which has security vulnerabilities. Tomcat 7.0.55 or later is needed.
  2. Address the recently reported OpenSSL vulnerability. See To prevent another Heartbleed, severe OpenSSL flaw to be patched | ZDNet
  3. Bundle these fixes plus all hotfixes released since SP2 into a single, easy to install deliverable.  This will be SP3.

We intend to make this service pack generally available by June 5th and we recommend that customer use this method for remediating the issues.


Immediate work-around

BMC realizes that some customers will want to address these vulnerabilities immediately.  For these customers we have developed and tested a process where customers can upgrade the underlying Tomcat components without making changes to the TM ART installation.   While this work-around immediately addresses the security issue, it is also more complex and time-consuming than applying the service pack.   As such, BMC only recommends this path for customers who perceive this risk as critical and who cannot wait until the service pack that will be made available by June 5, 2015.


Next Steps

Customers interested in applying the workaround should reach out to support to request documentation and assistance.

Customers with questions on this process should reach out to Support or their account team for additional information