BigFix Inventory: Application Update 10.0.7.0 published 2021-12-15

Product:

BigFix Inventory application update 10.0.7.0

Published site version:

BigFix Inventory v10 - version 148.

Features:

BigFix Inventory delivers increased value and demonstrates HCL’s commitment to both HCL and IBM customers.

There are five key features of HCL BigFix Inventory 10.0.7.0:

  • Support for software discovery in containers
    BigFix Inventory now supports the discovery of software in Docker container images through standard discovery methods, including catalog signatures, template signatures, installation registry and ISO SWID tags, to cover the traditional model of software deployment.
    In addition, the application provides information about software running in containers, the container instances with basic properties, and their current status. This information makes it possible to determine the software deployment across the container resources that are allocated.

  • Support for new platforms and systems including
    * Windows 11 by using the BigFix client 10.0.4 or higher
    * Debian 11 x86 32 and 64-bit

  • Software Catalog version 10.0.7.0
    Added capability to discover 440+ software versions for software titles and publishers, such as Adobe, Citrix, Microsoft, SAP, VMware and many more.

  • Technical equivalence to IBM License Metric Tool 9.2.25
    Note: As usual, the new version is still under the certification process by IBM on the release date. To view the status of IBM validated releases, refer to:
    http://public.dhe.ibm.com/software/passportadvantage/SubCapacity/BFI_and_HCL_FAQ.pdf

  • Security enhancements
    The log4j library, which is included in the VM Manager tool and the SAP tool, is updated to version 2.15.0 to address CVE-2021-44228.
    Note: BigFix Inventory is not affected by CVE-2021-45046.

To view the complete list of new features and defects that were fixed in this application update, refer to the following link: https://support.bigfix.com/bfi/BigFix-Inventory-10.0.7.0-ReleaseNotes.pdf

For more information about discovery capabilities, refer to Catalog Release Notes: https://software.bigfix.com/download/tema/catalog/BFI_catalog_release_notes.pdf

To view the complete catalog content, use the Software Components report in BigFix Inventory.

For status of IBM validated releases, see http://public.dhe.ibm.com/software/passportadvantage/SubCapacity/BFI_and_HCL_FAQ.pdf

Actions needed:

  • To upgrade the BigFix Inventory server to application update 10.0.7.0, run the Upgrade to the latest version of BigFix Inventory fixlet from the BigFix console.

  • To upgrade the BigFix Inventory scanner, run the Install or Upgrade scanner fixlet from the BigFix console.

  • To apply new discovery capability, run the Software Catalog Update fixlet from the BigFix console and then wait for the next data import.

For more information about how to install, maintain, and use the BigFix Inventory application, refer to the user documentation: https://help.hcltechsw.com/bigfix/10.0/inventory/welcome/BigFix_Inventory_welcome.html

– The BigFix Inventory Team

1 Like

Is BFI 10.0.7.0 (that upgrades log4j to 2.15.0 in the VM Manager Tool) urgent if the https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0095486 BFI workaround was completed (Add the line -Dlog4j2.formatMsgNoLookups=true)?

It’s a risk-based decision. My own opinion is that it is urgent if you’ve only done Workaround 3 (Adding the -Dlog4j2.formatMsgNoLookups=true parameter), because that workaround has been shown to not be effective against all of the potential exploits; it is less critical if you’ve done Workaround 1 (replacing the log4j-core-2.16.0.jar file.)

Thanks for the info.
Will HCL be providing a BFI update that includes log4j 2.16?

We consider the log4j update to 2.16.0 in the next BFI update as a currency option. Note that BFI is not affected by CVE-2021-45046, which is addressed in 2.16.0.

2 Likes

Thank you…

Apologies, but I’m forever rusty on Inventory.

I’ve updated our Inventory application to 10.0.7, but the catalog still reads 10.0.5. Does the catalog update by itself, eventually?

It should update on the first import

Ah ha! So I’ll just wait for the normal imports late this evening. Thanks.

Just to get my head round this :smiley:

This is what I’ve done so far:

Catalog Update > Data Import then Import New Custom Signatures

Will I need to run another catalog update as the catalog update done before won’t have the new custom signatures?

You don’t need to run a new Catalog Update, but you do need to run another Import.

During the Import the server merges your custom updates into the catalog.

If you have the Inventory server set up to distribute updated catalogs automatically, it’ll send an Action to the clients to update the client catalogs; otherwise it’ll create a Task that you can action separately to the clients.

1 Like

I am getting queried by management why this was not updated to 2.16 even if it is not vuln to the newer CVE.
Has anyone tested workaround #1 after upgrading to 10.0.7?

Edit: My Infosec is asking for all possible remediation to go to 2.16 no matter what. And if that’s what is required on a spreadsheet to management, then guess what…2.16 it is.

Yes, you can also update log4j to 2.16.0 in 10.0.7.0. Please follow workaround #1 from the KB.
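A read-only check for the question this thread keeps returning to (which log4j-core version is actually on disk after the 10.0.7.0 upgrade or after workaround #1), added here as an example and not taken from HCL or the KB article. The directory to scan is supplied by the operator, since the thread gives no install paths, and the function names are hypothetical.

```python
import re
import sys
import zipfile
from pathlib import Path

# Thresholds as stated in the thread: 2.15.0 addresses CVE-2021-44228,
# 2.16.0 addresses CVE-2021-45046.
FIX_44228 = (2, 15, 0)
FIX_45046 = (2, 16, 0)

def parse_version(text):
    """Return (major, minor, patch) from text such as '2.15.0', else None."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def jar_version(jar_path):
    """Prefer the manifest's Implementation-Version; fall back to the file name."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
        if m:
            return parse_version(m.group(1))
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # unreadable or manifest-less archive: use the name instead
    return parse_version(Path(jar_path).name)

def classify(version):
    """Map a version tuple onto the two fix levels discussed in the thread."""
    if version is None:
        return "unknown"
    if version < FIX_44228:
        return "below 2.15.0"
    return "2.15.x" if version < FIX_45046 else "2.16.0 or later"

def scan(root):
    """Return (path, version, status) for every log4j-core jar under root."""
    rows = []
    for jar in sorted(Path(root).rglob("log4j-core-*.jar")):
        v = jar_version(jar)
        rows.append((str(jar), ".".join(map(str, v)) if v else "?", classify(v)))
    return rows

if __name__ == "__main__":
    # The directory is supplied by the operator (assumption: no paths are given on this page).
    for path, version, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:16} {version:8} {path}")
```

The scan matches on the file name pattern only, so a renamed jar or one nested inside another archive is not reported.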
