The issue is fixed in version 8.6 SP1 Patch 2, 8.7 Patch 3, and in versions 8.8 and 8.9.
For RSCD agents of other versions, the remediation to CVE-2016-1542 and CVE-2016-1543 is provided in the form of a BMC BladeLogic Server Automation (BSA) Compliance Template. A zip file containing the Template package is located here:
Note: This link is to V6 of the solution which was released on 01/27/2017 and contains some enhancements over the earlier versions (V1, V2, V3, V4 and V5).
The package will update two library files on the Target Server and will automatically restart the BSA RSCD Agent Service.Detailed instructions on how to import the Compliance Template and run Discovery, Compliance and Remediation jobs are located in the attached Word document.
- V2 contains the following fixes/enhancements over the original version.
- Checksums are now gathered via Extended Object to avoid BSA 8.5.1 (pre patch 5) issues gathering the checksum.
- Added UNDO functionality to all BLPackages to allow the changes to be rolled-back
- Updated the Agent Restart logic to help avoid restart issues on some platforms including HP-UX and Solaris
- V3 contains the following additional fixes/enhancements
- Determine if ‘at’ is available, and use it to start the file switch and restart now+1min, or if not use a ‘su –‘ command w/ a sleep of 60s.
- Perform the copy of the files while the agent is down
- Directly kill the rscd processes w/ logic from the 8.5+ init script instead of trying to call the existing init. This was to handle older agents that have a symlink in their install path.
- V4 contains the following additional fixes/enhancements
- Corrected issue checking "at"
- Fix for AIX issue (QM001882081) w/ original fix libraries
- Exclude 8.7 Patch 3 and 8.8 agents (which have the fix out of the box).
- Fix issues with run_cve_fix.sh not working on aix (quoted paths)
- V5 contains the following additional fixes/enhancements
- Excludes 8.6.01 Patch 2 from the checks as this version has the fix.
- V6 contains the following additional fixes/enhancements
- Corrected issue with the "at" check made in V4.