BigFix Compliance SCA from v2.0.1 to v2.0.4 includes a version of the library Log4j which has a vulnerability (CVE-2021-44228 and CVE-2021-45046) reported recently. Internal testing made by the Compliance team has revealed that this vulnerability is not exploitable in the BigFix Compliance product, but the BigFix team still recommends immediate remediation to eliminate any exploitation risk. Fixlets have been released to update the version of the library as well as a mitigating configuration option. Both fixes can be applied to ensure remediation, but one or the other is sufficient.
Published Site: SCM Reporting, version 144
Actions to take:
If running BigFix Compliance versions 2.0.1 or later, please run the two new Fixlets in the SCM Reporting site to remediate and mitigate the vulnerability.
1008: CVE-2021-44228 Log4j - Disable Lookups for BigFix Compliance
1009: CVE-2021-44228 and CVE-2021-45046 Log4j - Update log4j to 2.16.0 for BigFix Compliance
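As an added verification aid (not a BigFix Fixlet and not code from this thread), the following Python script walks an install tree, classifies each Log4j jar it finds against the 2.16.0 target named above, and reports whether it is a 1.x jar, an updated jar, a jar mitigated by the "Disable Lookups" option, or still open. The `lookups_disabled` input is a hypothetical flag for the administrator to pass in, since the thread does not say how Fixlet 1008 applies the setting; the install tree built by `demo()` is constructed sample data, not a real SCA layout.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Remediation target from the thread: Fixlet 1009 updates log4j to 2.16.0.
FIXED_VERSION = (2, 16, 0)
# Matches log4j-1.2.17.jar (1.x) and log4j-core-2.x.y.jar (2.x); log4j-api jars are ignored.
JAR_RE = re.compile(r"^log4j(?:-core)?-(\d+)\.(\d+)\.(\d+)\.jar$")


def jar_version(jar):
    """Return (major, minor, patch) parsed from the jar name, or None if not a log4j core jar."""
    m = JAR_RE.match(Path(jar).name)
    return tuple(int(x) for x in m.groups()) if m else None


def has_jndi_lookup(jar: Path) -> bool:
    """True if the jar still contains JndiLookup.class, the lookup handler these CVEs abuse."""
    with zipfile.ZipFile(jar) as zf:
        return any(n.endswith("/JndiLookup.class") for n in zf.namelist())


def assess(jar: Path, lookups_disabled: bool = False) -> str:
    """Classify one jar; lookups_disabled is the hypothetical 'Disable Lookups' state (Fixlet 1008)."""
    ver = jar_version(jar)
    if ver is None:
        return "skipped"
    if ver < (2, 0, 0):
        return "log4j-1.x-unaffected"       # matches the thread: SCA 2.0.0.18 ships log4j 1.x
    if ver >= FIXED_VERSION:
        return "remediated-updated"          # Fixlet 1009 path: library replaced
    if lookups_disabled or not has_jndi_lookup(jar):
        return "mitigated-lookups-disabled"  # Fixlet 1008 path, or JndiLookup.class stripped
    return "VULNERABLE"


def scan(root: Path, lookups_disabled: bool = False) -> dict:
    """Walk an install tree and classify every log4j jar found, keyed by file name."""
    return {p.name: assess(p, lookups_disabled) for p in sorted(Path(root).rglob("log4j*.jar"))}


def demo() -> dict:
    """Build a constructed sample tree with one jar per state and scan it."""
    root = Path(tempfile.mkdtemp())
    samples = [("log4j-1.2.17.jar", []),
               ("log4j-core-2.14.1.jar", ["org/apache/logging/log4j/core/lookup/JndiLookup.class"]),
               ("log4j-core-2.16.0.jar", [])]
    for name, classes in samples:
        with zipfile.ZipFile(root / name, "w") as zf:
            for entry in classes:
                zf.writestr(entry, b"")      # empty placeholder class entry, constructed
    return scan(root)
```

Point `scan()` at the SCA server's install directory after running the Fixlets; any jar reported as VULNERABLE means neither remediation has taken effect there.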
So to confirm, since I procrastinated on SCA upgrades and am running v2.0.0.18, am I clear for the current vuln? Or does the older version run v1.x which is currently eol anyways?
Should the upgrade path then be: install current version via fixlet (v2.0.4.27) and then the 2 repair fixlets, or hold off for now on v2.0.0 and wait for an updated full version of SCA?
Also I have the same question. Our SCA version is 2.0.0.18 and contemplating whether to hold off upgrading to Version: 2.0.3.19. Or is it a better idea to get upgraded and apply the fix?
Please confirm whether we should stay on an older version of SCA (2.0.0.18), or update to the current version and run the remediation fixlets. Also, as ageorgiev said, the update fixlet needs to be updated.
Need to know if older SCA versions run an older log4j (v1.x) also
An updated version of the Fixlet will come out shortly to update to 2.16.0. Will also address the single quote vs double quote problem. Not sure how that has come to be. This should only run on SCA deployments 2.0.1 and later, which should be using double quotes and not single quotes. But will address either way. But if you have gotten into that state, please replace the double quote with single quote to match syntax.
Correct, 2.0.0.18 would be unaffected as it uses log4j 1.x which is unaffected by this, but overall the product and log4j at that version have other vulnerabilities which have been resolved in newer versions. So would recommend updating when you can, but since already where you are, you can wait until our next release if you want.
SCM Reporting Site 144 out with updated Fixlet 1009 to update log4j to 2.16.0. Also covers cases where server.xml had single quotes. This will not repair a broken state, but should prevent from getting in that state to begin with.
If we are currently at 2.0.0.18, is it possible to replace the jar file with the 2.16.0 jar file, or would that cause issues?
Would there have been a problem if the fixlet to move 2.0.1 or later to the 2.16.0 jar file had included the 2.0.0.18 release as well?