Security Advisory for CVE-2021-44228 Log4Shell Vulnerability

Source

Summary

A zero-day exploit for a vulnerability code-named Log4Shell (CVE-2021-44228) was publicly released on December 9th, 2021. A detailed description of the vulnerability can be found on the Apache Log4j Security Vulnerabilities page under the section “Fixed in Log4j 2.15.0”.

BMC Software became aware of the Log4Shell vulnerability on December 10th, 2021. The BMC Product Security Group immediately conducted an assessment across BMC’s codebase and alerted its R&D product teams to perform further analyses of BMC products to determine the impact of this vulnerability.

BMC’s R&D product teams have been actively working on hardening potentially affected BMC products as required. As soon as fixes are available, BMC will notify customers about remediation measures to take.

BMC’s SaaS Security team for the BMC Helix platform has validated the environment for systems and services that may be affected by the Log4Shell vulnerability.  After review, BMC immediately updated threat detection signatures and policies, and implemented custom-block rules at the edge. The SaaS Security team continues to review and monitor this situation and will provide updates if anything changes.

This advisory will be updated as additional information becomes available. If you require any other information, please contact BMC using our customer support channel.

BMC is actively evaluating its products to determine the impact of the Log4Shell vulnerability.

BMC Products Under Evaluation 

Service Management 

  1. BMC Helix ITSM
  2. BMC Helix Discovery
  3. BMC Helix Remedyforce
  4. BMC Helix Digital Workplace
  5. BMC Helix Business Workflows
  6. BMC Helix Client Management
  7. BMC Helix CMDB
  8. BMC Helix Knowledge Management
  9. BMC Helix Operations Management with AIOps
  10. BMC Helix Platform
  11. BMC Helix Remediate
  12. BMC Helix Virtual Agent
  13. Remedy ITSM (IT Service Management)
  14. Footprints
  15. Track-It!

Automation 

  1. BMC Helix Control-M
  2. Control-M
  3. Cloud Lifecycle Management
  4. TrueSight Automation for Networks
  5. TrueSight Automation for Servers
  6. TrueSight Orchestration
  7. Bladelogic Database Automation

Operations 

  1. BMC AMI Ops
  2. BMC Helix Automation Console
  3. BMC Helix Cloud Cost
  4. BMC Helix Cloud Security
  5. BMC Helix Continuous Optimization
  6. BMC Helix platform
  7. BMC Helix Remediate
  8. TrueSight Capacity Optimization
  9. TrueSight Infrastructure Management
  10. TrueSight Operations Management

Mainframe

  1. BMC AMI Products
  2. MainView Middleware Administrator
  3. MainView Middleware Monitor
  4. BMC Compuware

References

Would you like to know more?