By now, many of us are familiar with reported critical vulnerabilities in Log4j, a common logging component used in many Java applications.
The BigFix team has coordinated community responses to help identify applications where affected Log4j components may be in use, in the Forum thread at Log4j CVE-2021-44228 . This new thread is to address areas where BigFix components themselves can be affected.
The BigFix team has published a knowledge article at https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0095486 referencing where BigFix may be impacted and workarounds that should be applied. This will be updated over time with additional workaround instructions.
While our development teams are continuing to evaluate our product line and areas that need to be addressed, we can share that there are some areas where customers can take action to reduce any potential risk in our products.
BigFix does use the affected Log4j components in several areas. We have not yet confirmed any areas where we have an actual vulnerability – where we accept user input, and where the Log4j component is configured for dynamic lookups based on that user-provided input. For maximum safety though we can recommend workarounds to reduce potential impacts.
The BigFix core platform - Root Server, Relay, Client, Web Reports, and WebUI - do not make use of the Log4j components and are not impacted.
BigFix Compliance, BigFix Remote Control, BigFix Inventory’s “Virtual Machine Manager” (VMM) component and “SAP Tool” component, BigFix Server Automation’s Orchestrator Engine, and the BigFix Management Extender for VMWare VCenter do make use of Log4j components. Each are detailed below.
BigFix Compliance -
BigFix Remote Control
BigFix Remote Control Server uses Log4j version 1.2.x. This version does not provide the JNDI dynamic lookup feature and appears to be not affected.
Other Remote Control components do not use the Log4j component.
Watch https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0095486 for updates.
BigFix Inventory VMM Manager:
BigFix Inventory SAP Tool:
Apply the workaround for VMM Manager and SAP Tools as described at https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0095486
BigFix Server Automation Engine:
BigFix Management Extender for VMWare VCenter:
Update: these components are not affected