Make the script executable with the command: chmod +x rm_log4j.sh.Copy the downloaded rm_log4j.sh to the $HOME directory of the Control-M/Agent user.Download the rm_log4j.sh (Unix/Linux) or rm_log4j.bat (Windows) scripts from this article.Option A: Use the attached scripts, and run directly on the Agent host to delete the vulnerable files (Permanent solution) It is recommended that these files be preserved so the ability to roll back is available if required. bak files flagged in the report to a different location. To prevent this warning, you can move the. A static scan may issue a warning for the backup files as a CVE-2021-44228 security threat, even though the threat has been addressed. bak. The product is not using jar files with the suffix. Once the JNDILookup class has been deleted the vulnerability is removed.ģ) Applies only to Option D: When the ctmag-Log4jScanner is executed, every jar that is vulnerable is backed up in its directory with the suffix. According to Apache deleting JNDIManager class is not part of the vulnerability mitigation. BMC recommends option A or B or Cġ) These options will not affect Agent functionality or the execution of jobs.Ģ) The scanning tool may flag the JNDIManager class as a vulnerability. Option D: Run the BMC log4jScanner (Immediate mitigation) Option C: Use Operating system commands to manually delete the vulnerable files (Permanent solution) Option B: Use Control-M Embedded Script type job(s) to delete the vulnerable files (Permanent solution) Option A: Use the attached scripts, and run directly on the Agent host to delete the vulnerable files (Permanent solution) Use one of the following three options to address this issue: This toolbox option is run for a very limited time according to the parameters given. Only a user who is logged in to the system can access this toolbox utility and it cannot be triggered from outside of the system. This toolbox option does not start any service or open any port for external communication so it cannot be accessed by an external user. The vulnerable option is Control-M Toolbox -> Agent help Tools -> (3) System Monitoring. It is not part of the Agent's main processes and therefore does not get executed if you do not run the toolbox utility manually. The vulnerability has been found in one of the Control-M/Agent's toolbox options which is only used for troubleshooting purposes. How to mitigate vulnerability CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 in Control-M/Agent?Ĭontrol-M/Agent processes are not exposed to the vulnerabilities.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |