BigFix Compliance SCA versions 2.0.1 through 2.0.4 include a version of the Log4j library affected by the recently reported vulnerabilities CVE-2021-44228 and CVE-2021-45046. Internal testing by the Compliance team has found that this vulnerability is not exploitable in the BigFix Compliance product, but the BigFix team still recommends immediate remediation to eliminate any exploitation risk. Fixlets have been released that update the library version and that apply a mitigating configuration option. Both fixes can be applied to ensure remediation, but one or the other is sufficient.
Published Site: SCM Reporting, version 144
Actions to take:
If running BigFix Compliance version 2.0.1 or later, please run the two new Fixlets in the SCM Reporting site to remediate and mitigate the vulnerability:
1008: CVE-2021-44228 Log4j - Disable Lookups for BigFix Compliance
1009: CVE-2021-44228 and CVE-2021-45046 Log4j - Update log4j to 2.16.0 for BigFix Compliance
For more details about the actions that these Fixlets execute, please see KB https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0095486
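A verification check for the two remediation states the advisory describes, added here as an example; it is not the advisory's own content nor any BigFix Fixlet. It assumes the install directory is passed in as a root to walk, that Fixlet 1008's "disable lookups" corresponds to Log4j's LOG4J_FORMAT_MSG_NO_LOOKUPS switch or to the JndiLookup class being stripped from the jar (the page does not say which mechanism the Fixlet uses), and the pre-fix version numbers in demo() are constructed, not taken from the page.

```python
import os, re, tempfile, zipfile

FIXED_VERSION = (2, 16, 0)  # the log4j version Fixlet 1009 installs
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
MANIFEST_RE = re.compile(r"^Implementation-Version:\s*(\d+)\.(\d+)\.(\d+)", re.M)

def jar_version(path):
    """Version tuple from the jar filename, else from MANIFEST.MF; None if unknown."""
    m = VERSION_RE.match(os.path.basename(path))
    if not m:
        with zipfile.ZipFile(path) as z:
            m = MANIFEST_RE.search(z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
    return tuple(int(x) for x in m.groups()) if m else None

def lookups_disabled(path, env):
    # Assumed mechanisms: Log4j's no-lookups switch in the environment, or JndiLookup removed from the jar.
    if env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").strip().lower() == "true":
        return True
    with zipfile.ZipFile(path) as z:
        return JNDI_CLASS not in z.namelist()

def assess(root, env):
    """Find every log4j-core jar under root and report its remediation state."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                ver = jar_version(path)
                updated = ver is not None and ver >= FIXED_VERSION  # Fixlet 1009 applied
                mitigated = lookups_disabled(path, env)               # Fixlet 1008 applied
                results.append({"jar": name, "version": ver, "updated": updated, "lookups_disabled": mitigated,
                                "remediated": updated or mitigated})  # either fix suffices per the advisory
    return results

def make_sample_jar(directory, version, with_jndi=True):
    # Constructed stand-in for a real jar: a manifest plus an optional JndiLookup entry.
    path = os.path.join(directory, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if with_jndi:
            z.writestr(JNDI_CLASS, b"")

def demo():
    # {jar: remediated} before and after the no-lookups switch, over constructed jars.
    with tempfile.TemporaryDirectory() as d:
        make_sample_jar(d, "2.15.0")                   # constructed pre-fix version
        make_sample_jar(d, "2.14.1", with_jndi=False)  # constructed pre-fix jar with JndiLookup removed
        make_sample_jar(d, "2.16.0")                   # state after Fixlet 1009
        before = {r["jar"]: r["remediated"] for r in assess(d, {})}
        after = {r["jar"]: r["remediated"] for r in assess(d, {"LOG4J_FORMAT_MSG_NO_LOOKUPS": "true"})}
    return before, after
```

Run assess() against the real install root with os.environ to get a per-jar report; demo() only exercises the logic on constructed jars.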