Control-M and Helix Control-M Log4Shell Vulnerability: Technical Bulletin

The document provides information about a Log4Shell vulnerability affecting Control-M and Helix Control-M versions 9.0.18 through 9.0.20. It details which components are vulnerable and recommends immediate steps to mitigate the vulnerability along with future planned patches.

Uploaded by mctmaia

Technical Bulletin

Control-M and Helix Control-M


Version 9.0.18, 9.0.19, 9.0.20
December 13, 2021

Log4Shell Vulnerability
BMC Software is alerting you to the Log4Shell Java logging library vulnerability (CVE-2021-44228) that
affects many Control-M components in supported versions 9.0.18, 9.0.19, and 9.0.20 including Helix
Control-M. Control-D components are not affected.

To mitigate the vulnerability immediately, follow the instructions in the following KAs:
• Control-M: 000391322
• Helix: 000391398

After you apply this solution, your environment is now safe. However, your software scanners can still
detect the same Log4J2 version. Therefore, BMC is planning to release a patch that will upgrade the
Log4J2 to a safe version.
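
Why a scanner still reports a finding after the runtime workaround, as an added example that is not part of the BMC bulletin: a file-based scanner reads the Log4j version from metadata inside the jar, and setting an environment variable and recycling a service leaves that file unchanged. The jar names and contents are constructed sample input, and the version cutoff (2.x releases before 2.15.0, apart from the 2.3.1 and 2.12.2 backport lines) is taken from Apache's handling of CVE-2021-44228, not from this bulletin.

```python
import io
import re
import zipfile

# Maven metadata entry carried by log4j-core jars; the version is read from here.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def make_jar(version):
    """Build a constructed in-memory jar (sample input, not a real Log4j build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version is not None:
            jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
    return buf.getvalue()

def log4j_core_version(jar_bytes):
    """Return the log4j-core version recorded inside a jar, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PROPS not in jar.namelist():
            return None
        props = jar.read(POM_PROPS).decode("utf-8", "replace")
    match = re.search(r"^version=(\S+)", props, re.MULTILINE)
    return match.group(1) if match else None

def affected_by_cve_2021_44228(version):
    """True for 2.x releases before 2.15.0, except the 2.3.1+ and 2.12.2+ backports."""
    nums = tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))
    nums = (nums + (0, 0, 0))[:3]
    if nums[0] != 2 or nums >= (2, 15, 0):
        return False
    backported = (nums[:2] == (2, 3) and nums >= (2, 3, 1)) or (
        nums[:2] == (2, 12) and nums >= (2, 12, 2))
    return not backported

def scan(jars):
    """Return (file name, version) for every jar whose on-disk version is affected."""
    found = ((name, log4j_core_version(data)) for name, data in sorted(jars.items()))
    return [(n, v) for n, v in found if v and affected_by_cve_2021_44228(v)]

# Constructed file names and versions for illustration.
SAMPLE_JARS = {name: make_jar(v) for name, v in [
    ("log4j-core-2.14.1.jar", "2.14.1"), ("log4j-core-2.12.2.jar", "2.12.2"),
    ("log4j-core-2.17.1.jar", "2.17.1"), ("agent.jar", None)]}
```

`scan(SAMPLE_JARS)` returns the same finding before and after an environment-variable mitigation, because only replacing the jar changes what is on disk.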

On December 16th, BMC will notify you when the patches are expected to be available.

NOTE: Even if you are working with an external JRE, your components are affected, and you must follow
the steps to remove the vulnerability, as described in the KA.

If you are using unsupported versions older than 9.0.18, you must upgrade to the latest version and then
follow the steps to mitigate the vulnerability.

Up-to-date and essential information about this vulnerability is available in 000391322 for Control-M and
in 000391398 for Helix Control-M.

For more information about this vulnerability, see
https://community.bmc.com/s/news/aA33n000000TSUdCAO/bmc-security-advisory-for-cve202144228-log4shell-vulnerability.

9.0.20 Components
The following table lists the vulnerability status of components in version 9.0.20 and the available solution
described in 000391322:

| Component | Vulnerable | Immediate Solution | Log4J2 Patch |
|---|---|---|---|
| Control-M/EM server; Control-M Add-ons | Yes | 1. Set environment variable 2. Recycle Control-M/EM server | Planned patch |
| Control-M/Server | Yes | 1. Set environment variable 2. Recycle Control-M/Server | Planned patch |
| Application Pack | Yes | 1. Download package 2. Replace Log4J2 | Planned patch |
| Control-M MFT | Yes | 1. Set environment variable 2. Recycle Control-M/Agent | Planned patch |
| Control-M MFTE Gateway | Yes | 1. Set environment variable 2. Recycle MFTE Gateway | Planned patch |
| Control-M/Agent (without Application Pack or MFT) | No | | |
| Automation API | No | | |

9.0.19 Components
The following table lists the vulnerability status of components in version 9.0.19 and the available solution
described in 000391322.

| Component | Vulnerable | Immediate Solution | Log4J2 Patch |
|---|---|---|---|
| Control-M/EM server; Control-M Add-ons | Yes | 1. Set environment variable 2. Recycle Control-M/EM server | Planned patch |
| Control-M/Server | Yes | Patch available at the end of the week. | Planned patch |
| Application Pack | Yes | 1. Download package 2. Replace Log4J2 | Planned patch |
| Control-M MFT/MFTE | Yes | 1. Update XML file 2. Recycle Control-M/Agent | Planned patch |
| MFT Gateway | Yes | 1. Update XML file 2. Recycle Gateway | Planned patch |
| Control-M/Agent (without Application Pack or MFT) | No | | |
| Automation API | No | | |

9.0.18 Components
The following table lists the vulnerability status of components in version 9.0.18 and the available solution
described in 000391322:

| Component | Vulnerable | Immediate Solution | Log4J2 Patch |
|---|---|---|---|
| Control-M/EM server; Control-M Add-ons | No | | |
| Control-M/Server | Yes | Patch available at the end of the week. | |
| Application Pack | Yes | 1. Download package 2. Replace Log4J2 | Planned patch |
| Control-M MFT/MFTE | Yes | 1. Update XML file 2. Recycle Control-M/Agent | Planned patch |
| MFT Gateway | Yes | 1. Update XML file 2. Recycle Gateway | Planned patch |
| Control-M/Agent (without Application Pack or MFT) | No | | |
| Automation API | No | | |

Control-M Plug-ins
The following table lists the plug-ins that are not affected by this vulnerability:

| Component | Vulnerable | Immediate Solution | Log4J2 Patch |
|---|---|---|---|
| Control-M for Oracle Retail | No | | |
| Control-M for Oracle BI | No | | |
| Control-M for PeopleSoft | No | | |
| Control-M for SAP | No | | |
| Control-M for Oracle E-Business Suite | No | | |
| Control-M for Web Services, Java and Messaging | No | | |
| Control-M for Cloud | No | | |
| Control-M for Cognos | No | | |
| Control-M for IBM InfoSphere DataStage | No | | |
| Control-M for SAP Business Objects | No | | |
| Control-M for AFT | No | | |

Helix Control-M Components


The following table lists the vulnerability status of components in Helix Control-M and the available
solution described in 000391398:

| Component | Vulnerable | Immediate Solution | Log4J2 Patch |
|---|---|---|---|
| Control-M/Agent | No | | |
| Databases Plug-in; Hadoop Plug-in; Application Integrator Plug-in; AWS Plug-in; Azure Plug-in; Informatica Plug-in | Yes | 9.0.20.080: Download package. 9.0.20.180: 1. Set environment variable 2. Recycle Control-M/Agent | Planned patch |
| MFT Plug-in | Yes | 1. Set environment variable 2. Recycle Control-M/Agent | Planned patch |
| SAP Plug-in | Yes | 1. Set environment variable 2. Recycle Control-M/Agent | Planned patch |

BMC has taken immediate actions on the platform to remediate the issue.
Additional security updates will be applied in a few days (a maintenance notification will be released 24
hours prior to the update).

If you have any questions about the issue, contact BMC Customer Support at 800 537 1813 (United
States or Canada) or call your local support center.

Where to Get the Latest Product Information


To view the latest BMC documents, see the Support Central website at http://www.bmc.com/support.
Notices such as flashes, technical bulletins, and release notes are available on the website. You can
subscribe to proactive alerts to receive e-mail messages when notices are issued or updated. For more
information about proactive alerts, see the Support Central website.

© Copyright 2021 BMC Software, Inc
BMC Software considers information included in this documentation to be proprietary and confidential.
The information contained in this document may not be shared with anyone other than with persons in
your organization with a need to know such information.
Your use of this information is subject to the terms and conditions of the applicable End User License
Agreement (“EULA”) for the product and the proprietary and restricted rights notices included in this
documentation. In no way does this document create warranties additional to those granted in the EULA.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or
by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written
permission of BMC Software, Inc.
BMC, BMC Software, the BMC logo, and other BMC marks are the exclusive properties of BMC Software,
Inc. and are registered or may be registered with the U.S. Patent and Trademark Office or in other
countries.
Restricted rights legend
U.S. Government Restricted Rights to Computer Software. UNPUBLISHED -- RIGHTS RESERVED UNDER
THE COPYRIGHT LAWS OF THE UNITED STATES. Use, duplication, or disclosure of any data and
computer software by the U.S. Government is subject to restrictions, as applicable, set forth in FAR Field
52.227-14, DFARS 252.227-7013, DFARS 252.227-7014, DFARS 252.227-7015, and DFARS 252.227-
7025, as amended from time to time. Contractor/Manufacturer is BMC SOFTWARE INC, 2103 CITYWEST
BLVD, HOUSTON TX 77042-2827, USA. Any contract notices should be sent to this address.