How to use BigFix Inventory to discover applications that may be affected by Log4j vulnerability (CVE-2021-44228) as well as other potential vulnerabilities
Java-based applications that use the Log4j 2.x library in a version earlier than 2.15 may be affected by CVE-2021-44228. BigFix Inventory helps you discover whether affected versions of Log4j are deployed in your environment, and which applications use them. There are also other known Log4j vulnerabilities affecting the 1.x line; this article shows how to handle those as well.
This article describes three approaches, spanning from an initial assessment to a detailed audit of Log4j use in your environment, all based on custom template signatures. These custom template signatures work without changing the default BFI behavior to gather additional data on all .jar files. Changing that default to collect significant additional endpoint data, such as details of all *.jar files, could create performance issues in production workloads and should be approached with caution.
The process to use the custom template signatures is the same in all three approaches:
- Download the signature file from the URL provided under each type of discovery described below.
- Log in to BigFix Inventory.
- Go to Management -> Catalog Customization.
- Import the file with the custom signature.
- Run an import process.
- Make sure that the catalog was propagated to the endpoints (the automatically created catalog propagation action has executed on all applicable endpoints).
- Run a software scan on the endpoints.
- Ensure the Upload Software Scan Result fixlet is running.
- Run an import process to import the scan results.
- Verify the results on the reports.
Three sample forms of Log4j asset discovery from custom signatures:
1. Initial assessment - search for all log4j-core-*.jar files in versions between 2.0 and 2.15
In the initial assessment, you can use a custom signature that searches BigFix endpoints for JAR files that contain the core functionality of Log4j, that is, files whose names match the pattern log4j-core-*.jar. This signature is available at: https://www.bigfix.me/signature/details/1244
After scanning your endpoints with this signature, BigFix Inventory provides a report listing all Log4j core libraries in versions between 2.0 and 2.15, including the detailed version of each library and its location on disk. You can use the installation path to understand which application uses each Log4j library.
2. BigFix Inventory search for all Log4j installations, including log4j api, log4j core, log4j-1 and log4j-2
For a detailed audit of Log4j installations, BigFix Inventory provides an additional signature that searches for files matching the patterns log4j-api-*.jar, log4j-core-*.jar, log4j-1 and log4j-2 and collects information about all occurrences irrespective of their version. The signature provides the detailed version and the JAR location. Refer to the previous section for how to use it. The regular component version displayed after discovery is 0.any_version; the detailed version contains the current patch level of the library. This signature is available at: https://www.bigfix.me/signature/details/1253
3. Detailed audit of Log4j deployments - search for all files with log4j in the JAR file name (pattern *log4j*.jar)
If you have applications for which the developers have renamed the original Log4j JAR files, you may need a more detailed audit of JAR libraries to understand which applications use Log4j. BigFix Inventory provides a signature that scans all JARs matching the name pattern *log4j*.jar; it is available at the link below. Note that in this case BigFix Inventory will not report the detailed version information; it reports the path to the identified JAR files. The regular Component Version displayed after discovery is 0.any_version. This signature is available at: https://www.bigfix.me/signature/details/1254.
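The following Python script is an added example, not BigFix Inventory code or the logic of the signatures linked above. It applies the same three file-name patterns to a directory tree (log4j-core-*.jar checked against the 2.0 to 2.15 range, any log4j-named JAR reported with its version, and *log4j*.jar for renamed files) and shows what a local check of the resulting report looks like. It goes one step beyond the third signature: where a renamed JAR carries no version in its name, it reads the Maven pom.properties inside the archive to recover the artifact and version, whereas the signature reports only the path. All sample JARs, application directories and status labels are constructed for the example and built in a temporary directory, so it runs offline.

```python
"""Added example (not BigFix Inventory code): classify Log4j JARs found in a
directory tree using the article's file-name patterns, reading Maven
pom.properties inside renamed JARs. Sample JARs are constructed in a temp dir."""
import fnmatch
import os
import re
import tempfile
import zipfile

CORE_PATTERN = "log4j-core-*.jar"   # signature 1 (and 2) in the article
ANY_PATTERN = "*log4j*.jar"         # signature 3 in the article
AFFECTED_MIN, AFFECTED_MAX = (2, 0), (2, 15)  # CVE-2021-44228: 2.x earlier than 2.15
VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)")


def parse_version(text):
    """Return the first dotted version in text as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def read_pom_properties(path):
    """Return key/value pairs from the first Maven pom.properties in a JAR ({} if none)."""
    props = {}
    try:
        with zipfile.ZipFile(path) as zf:
            for member in zf.namelist():
                if member.startswith("META-INF/maven/") and member.endswith("pom.properties"):
                    for line in zf.read(member).decode("utf-8", "replace").splitlines():
                        if "=" in line and not line.startswith("#"):
                            key, value = line.split("=", 1)
                            props[key.strip()] = value.strip()
                    break
    except (zipfile.BadZipFile, OSError):
        pass  # not a readable JAR: report it with no metadata
    return props


def classify(path):
    """Classify one file; None if its name does not contain log4j."""
    name = os.path.basename(path).lower()
    if not fnmatch.fnmatch(name, ANY_PATTERN):
        return None
    version = parse_version(name.split("log4j", 1)[1])  # version from the file name
    is_core = fnmatch.fnmatch(name, CORE_PATTERN)
    if version is None:  # renamed JAR: look at the Maven metadata inside
        props = read_pom_properties(path)
        version = parse_version(props.get("version", ""))
        is_core = is_core or props.get("artifactId") == "log4j-core"
    if version is None:
        status = "unknown-version"
    elif version < (2,):
        status = "legacy-1.x"
    elif is_core and AFFECTED_MIN <= version < AFFECTED_MAX:
        status = "affected-core"
    else:
        status = "other-log4j"
    return {"name": os.path.basename(path), "path": path, "version": version, "status": status}


def scan_tree(root):
    """Walk root and return a finding for every JAR whose name contains log4j."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            finding = classify(os.path.join(dirpath, filename))
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


def make_sample_jar(path, artifact_id=None, version=None):
    """Construct a minimal JAR (a zip) with optional Maven pom.properties."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if artifact_id and version:
            zf.writestr(f"META-INF/maven/org.apache.logging.log4j/{artifact_id}/pom.properties",
                        f"groupId=org.apache.logging.log4j\nartifactId={artifact_id}\nversion={version}\n")


def build_sample_tree():
    """Create a constructed tree of sample JARs (all paths hypothetical) and return its root."""
    root = tempfile.mkdtemp(prefix="log4j-sample-")
    make_sample_jar(os.path.join(root, "app1/lib", "log4j-core-2.14.1.jar"), "log4j-core", "2.14.1")
    make_sample_jar(os.path.join(root, "app1/lib", "log4j-api-2.14.1.jar"), "log4j-api", "2.14.1")
    make_sample_jar(os.path.join(root, "app2/lib", "log4j-core-2.15.0.jar"), "log4j-core", "2.15.0")
    make_sample_jar(os.path.join(root, "app3/lib", "log4j-1.2.17.jar"))
    make_sample_jar(os.path.join(root, "app4/lib", "vendor-log4j.jar"), "log4j-core", "2.13.3")  # renamed core
    make_sample_jar(os.path.join(root, "app4/lib", "other.jar"))
    make_sample_jar(os.path.join(root, "app5/lib", "custom-log4j.jar"))  # renamed, no metadata
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f['status']:16} {f['path']}")
```

Running the script prints one line per log4j-named JAR with its status and path. The status "affected-core" corresponds to what the first signature reports, "legacy-1.x" and "other-log4j" to the broader set the second signature collects, and "unknown-version" to a renamed JAR that the third signature would report by path only. Note that the version is taken from the file name before the metadata is consulted, mirroring the signatures' file-name based approach; the metadata fallback is the only part that has no counterpart in the article.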