Skip navigation
Share This:

We are very excited to announce that our mainframe solutions are releasing exploitation for new z13 capabilities.  Read this announcement by Jay Lipovich in BMC Communities for more details.

Share This:

To ensure our ability to support our customers continuously, BMC conducts annual disaster recovery tests on all our corporate systems.

On Friday and Saturday, May 15/16, BMC will be conducting our annual Disaster Recovery Drill for 2015. During this drill, all corporate systems will be redirected to our secondary data center, tested, and redirected back to our primary site.

Systems will move between data centers incrementally, so you may experience interruptions of various web site services at any time during the exercise.

We anticipate two significant windows of service interruption during the data center transition times. On Friday, May 15th, from 10:00PM CT - 2:00AM CT, and again on Saturday, May 16th, from 12:00 Noon CT - 6:00PM CT.

If you encounter a critical problem at any point during this exercise, please phone our Global Contact Center for immediate assistance.

We appreciate your patience as we confirm the reliability of our corporate systems and our disaster recovery processes.

Share This:

To provide better quality and organization of information for our customers, BMC has introduced the Quarterly Product Change Notification.

The consolidation of information into one notification quarterly allows the customer to view changes to their products with valuable information including effective dates, end of support dates and migration plans for product renames, product replacements and product withdrawals.

See Product Change Notification (pdf)

Share This:

Latest details from BMC

Last Updated: May 31, 2015 12:15PM CDT

 

BMC Software’s Application Security team is investigating the impact that multiple OpenSSL security vulnerabilities announced on March 19th have on the security posture of BMC products and services. Of the 14 vulnerabilities described, two were classified as high severity issues: CVE-2015-0204 and CVE-2015-0291.
The products listed in Table 1 below include OpenSSL libraries affected by the OpenSSL CVE-2015-0204 and/or CVE-2015-0291 vulnerabilities.
Products Which Include Affected OpenSSLRemediation / Patches
BMC Atrium Discovery and Dependency MappingSee article in BMC Communities
BMC Footprints Service Core 11.6.05 and priorPatch released (see this article for details). Upgraded version of OpenSSL is included in release 11.6.06
Borland Silk Performer for TrueSight Operations Management 15.5.10Patch estimated May 29, 2015
BMC TMART 4.2 SP2Patch released May 25, 2015
BMC Application Diagnostics 2.6.10Patch estimated May 29, 2015
Entuity Network Monitoring for BMC TrueSight Operations Management V14.0, V14.5 and V15.0Patches available from the Entuity web site

 

Please contact BMC Customer Support for access credentials
BMC Database Automation (BladeLogic)Patch estimated May 31, 2015
BMC Release Package and Deployment (RPD)Patch estimated May 31, 2015
BMC Release Lifecycle managementSee RPD, RPM and BSA
BMC Workload Automation (Control-M)See this article for details
BMC MainView Console Management 3.2.1 and priorUpgrade to release 3.2.2 or install Cumulative SSL Security patch 2015.04.21
The products listed in Table 2 below either do not include OpenSSL libraries or include OpenSSL libraries unaffected by the OpenSSL CVE-2015-0204 and CVE-2015-0291 vulnerabilities.
Products that do not include OpenSSLProducts that include OpenSSL, but are not vulnerable
BMC Atrium OrchestratorBMC Client Management (formerly BMC Footprints Asset Core) versions 11.x, 12.x - ship with 1.0.0 thread of OpenSSL with export ciphers disabled. Will upgrade to latest release of OpenSSL 1.0.0 thread in version 12.1 - planned for October 2015
BMC Cloud Lifecycle ManagementBMC Performance Manager Portal 2.11.0 - ships with export ciphers disabled
BMC Decision Support for Database AutomationBMC TrueSight Infrastructure Management (formerly BMC Proactivenet Performance Management Suite) 9.5 and 9.6 - ship with export ciphers disabled
BMC Decision Support for Network AutomationBMC Bladelogic Decision Support for Server Automation 8.3.02 (Windows + Linux + Solaris)
BMC Bladelogic Decision Support for Server Automation 8.3.03 (Windows + Linux + Solaris)
BMC Bladelogic Decision Support for Server Automation 8.5 (Windows + Linux + Solaris)
BMC Bladelogic Decision Support for Server Automation 8.5.01 (Windows + Linux + Solaris)
BMC MainView Console Management 2.12 and priorBMC Bladelogic Decision Support for Server Automation Unix (Linux + Solaris) 8.2, 8.2.01, 8.2.02
BMC Bladelogic Decision Support for Server Automation Unix (Linux + Solaris) 8.2.03, 8.2.04,  8.3, 8.3.01
BMC MainView for z/OS solutions
(all products and versions except as shown in Table 1)
BMC Bladelogic Decision Support for Server Automation Windows 8.2.02, 8.2.03, 8.2.04, 8.3, 8.3.01
BMC IMS for z/OS solutions
(all products and versions)
BMC Release Process Management (RPM)
BMC DB2 for z/OS solutions
(all products and versions)
BMC Server Automation (BladeLogic) (BSA)
BMC Middleware Administration(old name) BMC Capacity Optimization and Performance Assurance
TrueSight Capacity Optimization
BMC Middleware Management -Transaction Analytics for WebSphere MQ (StatWatch)BMC Real End User Experience Monitoring versions 2.5 and 2.5.01 (2.5.64.306 and 2.5.66.300)
BMC BladeLogic Client AutomationBMC Real End User Experience Monitoring Hardware Collector versions 2.5 and 2.5.01 (2.5.64.306 and 2.5.66.300)
BMC BladeLogic PortalBMC TrueSight End User Monitor 1200 Series versions 2.5 and 2.5.01 (6.5.64.306 and 6.5.66.300)
BMC AppSightBMC TrueSight End User Monitor 4200 Series versions 2.5 and 2.5.01 (6.5.64.306 and 6.5.66.300)
BMC Identity ManagementBMC Real End User CloudProbe
BMC IT Business ManagementBMC MyIT (see this page for additional details)
BMC Network AutomationBMC SmartIT (see this page for additional details)
BMC Service Desk ExpressBMC Remedy AR System and ITSM Suite (see this article for details)
BMC Service Level Management
BMC TrackIt!
BMC RemedyForce (all versions)
BMC Footprints Service Core/Renoir 12
BMC Performance Manager Portal
BMC Event Manager
BMC TrueSight IT Data Analytics
BMC Storage Data Management
BMC Performance Manager for WebSphere Business Integration (WBI)
Aternity for BMC End User Experience Management Console and Agents (all versions)
BMC Education Solution Accelerator (ESA)
Moviri Integration for BMC Capacity Optimization
nlyte Enterprise Edition for BMC Software
Seamless Technologies Event Integration for BMC TrueSight Operations Management
BMC Mobile Device Management (MDM)
Sentry Software Integration for BMC Capacity Optimization
Sentry Software Monitoring for BMC TrueSight Operations Management
Sentry Software Adapters for BMC Atrium Orchestrator
SailPoint Provisioning Engine for BMC Software Solutions
SailPoint Compliance Manager for BMC Software Solutions
SailPoint Lifecycle Manager for BMC Software Solutions
Quindell  OS3 Frameworks for BMC Remedy

 

Products not listed in Table 1 and Table 2 above are still under investigation. Updates on these products will be posted to this page as they become available.
Recommendations:
   1. BMC products are frequently installed in environments that include infrastructure components that embed the OpenSSL library (e.g. Web Servers, Application Servers, Middleware, etc.). Please check with the vendors of these components to ensure they have been patched or that they are not affected by the OpenSSL CVE-2015-0204 and CVE-2015-0291 vulnerabilities.
Share This:

Last Modified at 2:30AM CT, March 30, 2015

Latest details from BMC

 

The products below ship with a node.js server that is statically linked with a version of OpenSSL that if used for TLS communication may be vulnerable to CVE-2014-0160 (Heartbleed). We have reviewed the use of node.js within the products below and found that it is not exploitable in this context.

Products which include MongoDBRemediation / Patching
BMC MyIT
BMC SmartIT
See this support article for a detailed explanation of why the products are not vulnerable to CVE-2014-0160.
Share This:

BMC has previously announced the December 31, 2015 end of support for BMC TrueSight End User Monitor 1200 Series, and its product replacements.

 

Click here to read a reminder letter recently sent to BMC customers.

Share This:

Last Modified at 1:15PM CT, February 19, 2015

Latest details from BMC

 

Recent research published by three students at Saarland University in Germany shows that a large number of MongoDB databases all over the globe have been misconfigured; this allows unauthenticated remote access to sensitive information.

 

BMC Software’s Application Security team has investigated the impact that the MongoDB security configuration vulnerability (described here) has on the security posture of BMC products and services.

 

The products below ship with a MongoDB database and if configured incorrectly might be vulnerable to the attacks described above. We recommend that our customers take the necessary steps to configure their MongoDB deployments securely as documented in the MongoDB manuals.

Products which include MongoDBRemediation / Patching
BMC MyIT
BMC SmartIT
See this support article for instructions on configuring MongoDB in a secure fashion.
Share This:

Last Modified at 04:30AM CT, February 5, 2015

Latest details from BMC

 

BMC Software’s Application Security team has investigated the impact that the CVE-2015-0235 (a.k.a. “GHOST”) vulnerability has on the security posture of BMC products and services.

As this flaw stems from the glibc function and manifests itself via the gethostbyname() function, we have not found it to be exploitable in any BMC products. However, the products listed below ship with Linux operating systems and are therefore affected by the CVE-2015-0235 vulnerability.
We recommend that our customers take the necessary steps to prevent exploitation of CVE-2015-0235 either by patching their Linux operation systems or by configuring appropriate IPS signatures.

Products which include a vulnerable OSRemediation / Patching
BMC Atrium Discovery and Dependency Mapping - all versions
BMC Atrium Discovery and Dependency Mapping Proxy - all versions
The latest OS update includes an updated version of the glibc function.
BMC Real End User Experience Monitoring
BMC Real End User Experience Monitoring Hardware Collector
BMC TrueSight End User Monitor
A device patch and product specific knowledge article are expected by February 28, 2015.
Share This:

To provide better quality and organization of information for our customers, BMC has introduced the Quarterly Product Change Notification.

The consolidation of information into one notification quarterly allows the customer to view changes to their products with valuable information including effective dates, end of support dates and migration plans for product renames, product replacements and product withdrawals.

See Product Change Notification (pdf)

Share This:

Last Modified at 3:45AM CT, March 11, 2015

Latest details from BMC

 

BMC Software’s Application Security team is investigating the impact that the SSL 3.0 CVE-2014-3566 (a.k.a. “POODLE”) vulnerability has on the security posture of BMC products and services.

The products listed below allow SSL 3.0 connections and are therefore affected by the SSL 3.0 CVE-2014-3566 vulnerability.

Products Which Allow SSL 3.0 ConnectionsRemediation / Patching
BMC Atrium Discovery and Dependency Mapping - all versions
BMC Atrium Discovery and Dependency Mapping Proxy - all versions
Manually disable SSL 3.0 until patches are available that remove SSL 3.0 completely. These will be included in a future OS update.

 

Refer to this blog post for details and instructions
BMC Client Management - versions 11.x and 12.0

 

(formerly BMC FootPrints Asset Core)

BMC will be disabling SSLv3 Support from the BCM agent, permitting only TLS connections (versions 1.0, 1.1 or 1.2). In addition, OpenSSL will be updated to help block any downgrade attack such as Poodle.

 

Please download one of the following Hot Fixes:

 

                        11.5 Hot Fix

 

                        11.6 Hot Fix

                        11.7 Hot Fix

                        12.0 Hot Fix

 


NOTE: If integrating with BMC FootPrints Service Core, the application of the hot fix also requires the latest OpenSSL for the BMC FootPrints Service Core installation. The patch can be obtained from this support article.

BMC MainView Console Management for zEnterprise - all versionsMainView Console Management Cumulative SSL Security Patch 2014.10.16 for versions 3.1-3.2 is available via Electronic Product Distribution.

 

Earlier versions must be upgraded to at least 3.1 before the patch can be applied.
BMC Remedy OnDemand
(Service suite includes hosted instances of:
BMC MyIT
BMC AppZone
BMC Footprints Asset Core)
BMC is in the process of disabling SSL v3.0 across all data centers and service offerings.  To date the following service offerings have been completed:
Commercial - US
Commercial - UK
Commercial - CA
Commercial - AU
Public Sector - US
Public Sector - Federal
BMC Workload Automation (Control-M) versions 6.4.x, 7.0.x, 8.0.xManually disable SSL 3.0 fall back. Refer to this blog post for details and instructions
BMC FootPrints Service Core - version 12.xFootPrints 12.x does not install Java or Tomcat for the customer.  Instead, the customer supplies their own Java and Tomcat installations.

 

See this support article for guidance on upgrading these installations and how to disable SSLv3 in Tomcat.

 

There are no patches necessary.
BMC FootPrints Service Core - versions 11.x, 10.0.2, 9.5.4See this support article for patches to update OpenSSL to 1.0.1j as used by the product in Perl and Tomcat.

 

See this support article for guidance on disabling SSLv3 for versions 11 and newer.
RemedyforceManually disable SSL 3.0 on web browsers.

 

See this article in BMC Communities for details.
Aternity for BMC End User Experience Management Console and Agents (all versions)

 

Aternity for BMC End User Experience Management Dashboards Server (all versions)
For every Aternity node (data warehouse, management server, and EPM) configure the Apache Tomcat XML HTTPs connector by setting the following properties:

 

sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
sslprotocol=”TLS“

 

See this article for more details.

 

For the Tableau server, see this article for instructions
BMC Atrium OrchestratorIn Apache Tomcat turn off SSL v3 and v2 and leave only TLS enabled as described in this article on the Redhat website.
BMC BladeLogic Database AutomationIn Apache Tomcat turn off SSL v3 and v2 and leave only TLS enabled as described in this article on the Redhat website.

 

OpenSSL will be upgraded in version 8.6 and back ported to 8.5 in a patch shortly after 8.6 is released.
BMC BladeLogic Decision Support for Database Automation

 

BMC BladeLogic Decision Support for Network Automation
In Apache Tomcat go to “<PATH>\BL-Decision Support\tomcat\conf” directory.

 

Take a backup of the server.xml file.

 

Edit the server.xml replacing sslProtocols=“TLS” with sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2”.

 

Save the file and restart the “BL-Decision Support Web Server” service.
BMC Bladelogic Decision Support for Server Automation (Windows, Unix, and Linux)Upgrade packages are available for BDSSA 8.3.x and 8.5.x. See this article for instructions on obtaining the package for BDSSA.
BMC BladeLogic Middleware AutomationPlease see this article for detailed instructions on disabling SSL 3.0
BMC BladeLogic Network AutomationIn Apache Tomcat turn off SSL v3 and v2 and leave only TLS enabled as described in this article on the Redhat website.

 

BNA server and agent communication over RMI uses TLS 1.2 by default. HTTPS communication between BNA agent and network devices is either configured to initiate TLS or to accept the handshake from BNA, which uses TLS.
BMC BladeLogic Server AutomationUpgraded OpenSSL and fixed Java JSSE in BSA 8.5 SP1 Patch 3 and BSA 8.6. A hotfix is available for 8.3.03 (build 190 or higher). Please see this article for instructions on obtaining this hotfix.
BMC Cloud Lifecycle ManagementIn Apache Tomcat turn off SSL v3 and v2 and leave only TLS enabled as described in this article on the Redhat website.

 

If HTTPS is enabled for CLM Platform Manager, please contact BMC Customer Support for assistance with Jetty configuration.
BMC DCA Portaln Apache Tomcat turn off SSL v3 and v2 and leave only TLS enabled as described in this article on the Redhat website.
BMC Release Package and DeploymentIn Apache Tomcat turn off SSL v3 and v2 and leave only TLS enabled as described in this article on the Redhat website.
BMC Release Process Management (DevOps)In Apache Tomcat turn off SSL v3 and v2 and leave only TLS enabled as described in this article on the Redhat website.
BMC Release Lifecycle managementThis is a combination of BMC Release Package and Deployment, BMC Release Process Management, and BMC BladeLogic Server Automation. Please see entries above for individual remediation steps for each.
Entuity Network Monitoring for BMC ProactiveNet Performance Management V14.0 and above
Entuity for BMC TrueSight Operations Management
Entuity Integrator for BMC TrueSight Operations Management
Entuity Network Analyzer for BMC TrueSight Operations Management
Entuity Flow Analyzer for TrueSight Ops
Modify the following Apache configuration files:
<Entuity Home>\install\template\lib\apache\conf\httpd_eye.conf
  From:  ##CONFIGPARSE##    SSLProtocol -ALL +SSLv3 +TLSv1
  To:        ##CONFIGPARSE##    SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2

 

<Entuity Home>\lib\apache\conf\httpd_eye.conf 
  From:  SSLProtocol -ALL +SSLv3 +TLSv1
  To:        SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2

 

  Restart Entuity Web Server:
<Entuity Home>\bin\stop webserver

 

The Web Server will automatically restart after stopping.
Entuity Network Monitoring for BMC ProactiveNet Performance Management V10.5 and earlierPlease contact BMC Customer Support for assistance
BMC Capacity Optimization and Performance AssuranceSee this article for detailed remediation steps
BMC Patrol Central Web EditionSee this article for detailed remediation steps
BMC Performance Manager PortalSee this article for detailed remediation steps
BMC Application Transaction TracingPatch available. Please contact BMC Customer Support for assistance.
BMC Middleware AdministrationSee this article for detailed remediation steps
BMC Middleware Management - Administration for WebSphere MQ (AppWatch)See this article for detailed remediation steps
BMC Middleware Management - Performance and Availability
BMC Middleware Management – Transaction Monitoring
BMC Middleware Monitoring
Patches available.
BMC ProactiveNet Performance Management Suite Server 9.0
BMC ProactiveNet Performance Management Suite 9.5
See this article for detailed remediation steps
BMC Real End User Experience Monitoring Hardware Collector versions 2.5 and 2.5.01 (2.5.64.306 and 2.5.66.300)
BMC Real End User Experience Monitoring versions 2.5 and 2.5.01 (2.5.64.306 and 2.5.66.300)
BMC TrueSight End User Monitor 1200 Series versions 2.5 and 2.5.01 (6.5.64.306 and 6.5.66.300)
BMC TrueSight End User Monitor 4200 Series versions 2.5 and 2.5.01 (6.5.64.306 and 6.5.66.300)
Patch available. Please contact BMC Customer Support for assistance.
BMC IT Data & AnalyticsBy default, SSL is not enabled.

 

The product documentation for enabling SSL has been updated so that SSLv3.0 is not enabled.
BMC Impact Integration Web Services 7.4.00Please see this article for detailed instructions on disabling SSL 3.0.
MyIT 2.0, MyIT 2.1 and SmartITPlease see this support article for instructions for disabling SSL V3 in Tomcat used by MyIT and SmartIT.
BMC Remedy AR System and ITSM Suite 7.6.04, 8.0, and 8.1See this support article for instructions for disabling SSL V3 in Tomcat used by Mid-Tier.

 

If you are using the LDAP integration plug-in, BMC recommends consulting your LDAP Server documentation for turning off SSL V3 in your LDAP Server. An LDAP plug-in hotfix to allow the LDAP plug-in to use TLS for communication with LDAP Server will be available by January 31, 2015.
BMC Remedy AR System 8.8See this support article for instructions for disabling SSL V3 in Tomcat used by Mid-Tier.

 

If you are using the LDAP integration plug-in, BMC recommends consulting your LDAP Server documentation for turning off SSL V3 in your LDAP Server. An LDAP plug-in hotfix to allow the LDAP plug-in to use TLS for communication with LDAP Server will be available by January 31, 2015.
BMC Atrium SSOSee this support article for instructions for disabling SSL V3 in Atrium SSO.
BMC Transaction Management Application Response Time - Infrastructure Edition
BMC Transaction Management Application Response Time - Service Level Edition
See this support article for instructions.
Share This:

To provide better quality and organization of information for our customers, BMC has introduced the Quarterly Product Change Notification.

The consolidation of information into one notification quarterly allows the customer to view changes to their products with valuable information including effective dates, end of support dates and migration plans for product renames, product replacements and product withdrawals.

See Product Change Notification (pdf)

Share This:

BMC is announcing the end-of-life for certain BMC Mobility Products.

Click here to read the end-of-life announcement sent to BMC customers.

Share This:

Last Modified at 8:80AM CT, November 12, 2014

In reference to the Sept 25, 2014 disclosure of the GNU Bourne Again Shell (Bash) “ShellShock” vulnerabilities (CVE-2014-6271, CVE-2014-7169), BMC Software is currently investigating and assessing impact to our products and services as well as our own customer-facing portals.

 

BMC Software will communicate the results of our investigation and related remediation plans in this news article. Please bookmark this page, and check it periodically for the latest details. These vulnerabilities are known to currently affect only BMC products that embed the Linux operating system, so the overall breadth of exposure is considered to be minimal.

 

Please be aware that this bulletin will only track the BMC products that are affected by these vulnerabilities. This means that if a BMC Product is not listed, then we have determined that it is not vulnerable to CVE-2014-6271, CVE-2014-7169 directly.

 


We have identified that the following BMC Products and Services are affected by the ‘Shellshock’ Vulnerability (CVE-2014-6271, CVE-2014-7169):

Product / ServiceAffectedStatusNotes
ADDMYesFix AvailablePlease see this item in the BMC Communities for patches and installation instructions
BMC Remedy OnDemand
(Service suite includes hosted instances of:
BMC MyIT
BMC AppZone
BMC Footprints Asset Core)
YesPatching CompleteThe following BMC Remedy OnDemand service offerings have completed the patching process and will be continuously monitored for any future variations:
Commercial - US
Commercial - UK
Commercial - CA
Commercial - AUS
Public Sector - US
Public Sector - Federal
CLM Rapid Deployment StackYesFix AvailableThe effect of the Shellshock vulnerability on the CLM RDS is described in this blog post.
CLM Rapid Deployment Stack (RDS) v.4.1 has been updated to include a patched version of the GNU bash.

 

Existing deployments of the RDS must be patched manually by following the instructions in this article from Redhat.
BMC Application Management Console
BMC Real End User Experience Hardware collector (1200 series)
BMC Real End User Experience Monitoring
BMC TrueSight End User Collector (4200 Series)
BMC TrueSight End User Monitor (all series)
YesFix AvailablePlease see this knowledge article for download and installation instructions
BMC Middleware and Transaction ManagementYesFix AvailableGNU bash is included in a Cygwin distribution that is used to collect files to help resolve support cases related to the BMC Middleware Management solutions. A patched version of Cygwin is included in Hotfix 7.0.00.150.1AE that is available for download on BMC Electronic Product Distribution.


BMC products are frequently installed in environments that include infrastructure components and or operating systems that embed the GNU Bourne Again Shell (Bash). Please check with the vendors of these components and operating systems to ensure they have been properly patched.

Share This:

BMC is upgrading our single-sign-on application on www.bmc.com to provide seamless access to additional BMC applications on www.bmc.com. Your existing username (your email address) and password will not change as a result of this upgrade.

If you have issues logging in, try these steps:

  1. Clear the browser cache
  2. Exit the browser
  3. Start the browser
  4. Try logging into the Support site again.

During your first log-in, you will be asked to choose a security image to identify your account. During future log-ins, your selected image will appear after you enter your username, and before you enter your password.

Your selected image is another way to assure you that you are connected to the BMC web site, and that it is safe to enter your password.

This image shows the log-in dialog before and after the username is entered.

This image shows the dialog used to select your account image.

This image shows the new Login Help screen, should you have problems logging in.

There are circumstances under which your account image may not display after you have selected it. The most frequent reasons, and other ways to validate that you are connected to www.bmc.com are shown in this image. This page is also accessed by clicking the small question mark above the account image area of the login dialog.

Share This:

To ensure our ability to support our customers continuously, BMC conducts annual disaster response tests on our Customer Support systems.

Over the weekend of September 6th, BMC will be conducting our annual Disaster Response Drill for 2014. During this drill, Customer Support systems will be redirected to our secondary data center, functionally tested, and redirected back to our primary site.

During the period from 5:00AM CT - 2:00PM CT, Issue Management functions (Submit, View/Update) will not be available. During this time, please phone our Global Contact Center to report any Critical Issues.

Beyond Issue management, we anticipate two windows of service interruption during the data center transition times on Saturday, September 6th. The first will be from 5:00AM CT - 8:00AM CT, and again from 11:00AM CT - 2:00PM CT.

We appreciate your patience as we confirm the reliability of our support systems and disaster response processes.

Filter Blog

By date:
By tag: