BFI Log4j vulnerabilities addressed in 10.0.7 release
BigFix Inventory 10.0.7 has now been released and includes updates that address Log4j vulnerabilities in two BFI components: VM Manager (used for hypervisor-based metrics) and SAP Tool (used for SAP-specific metrics).
From the announcement page: BigFix Inventory: Application Update 10.0.7.0 published 2021-12-15
“Security enhancements
log4j library, that is included in VM Manager tool and SAP tool, is updated to version 2.15.0 to address CVE-2021-44228.
Note: BigFix Inventory is not affected by CVE-2021-45046.”
CVE-2021-44228 is generally known as the first major Log4j vulnerability.
CVE-2021-45046 is the second vulnerability discovered in Log4j.
Note: These two BFI components are not widely deployed and may not even be installed in your customer's BFI installation. To check whether they are installed, refer to the overall BigFix Log4j vulnerability knowledge base article: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0095486
Helping BFI customers to find Log4j vulnerabilities in other products
The BigFix Inventory development team has created a set of custom template signatures on BigFix.me and has provided detailed instructions on how to use these signatures within the BFI product.
For additional details, please read the forum post: BigFix Inventory: discovery of applications that may be affected by Log4j vulnerability (CVE-2021-44228)