CVE-2022-22965 Spring4Shell

Does anyone know if the entire BigFix platform is affected? Is there a task to remedy?

The BigFix Platform is not affected by CVE-2022-22963 or CVE-2022-22965 as the Spring Framework is Java based and the BigFix Platform doesn’t use Java. The other solutions such as BigFix Inventory are being reviewed.

1 Like

Just for clarity when I say “Platform” I’m referring to the root server, relays, clients, web reports and WebUI. The other point solutions that use Java are BigFix Compliance, BigFix Inventory and Remote Control.

1 Like

Started a topic to consolidate info at Spring Framework RCE Vulnerability – Current BigFix Actions

1 Like

I prefer to have the configuration in BigFix Inventory with the signatures of the files, as I did for Log4j, to have all the vulnerabilities controlled in the inventory report.

I agree that would be nice, but I don’t think it’s technically feasible to use Inventory alone for this. The exploits and proof-of-concepts in the wild currently depend on Spring packaged inside a .WAR archive and served through Tomcat, and Inventory doesn’t scan inside archive files.

(Also, if you’re using only Inventory to detect Log4j, you may be missing vulnerable instances for the same reason)

I'd love to get some feedback on the scan and analysis content. Please post here or private message me and let me know if you've tried it, whether it's useful, whether it's given any issues or you can suggest improvements, etc.
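The point above, that a file-signature inventory misses Spring (and Log4j) jars packed inside a .WAR, is easiest to see with a scanner that does open the archives. The following is an added example written for this thread; it is not the BigFix scan task or analysis discussed here, and it is not BigFix Inventory code. It walks a directory such as a Tomcat base directory, recurses into .war/.ear/.jar containers, identifies Spring Framework jars by file name or, failing that, by the Implementation-Version in their manifest, and flags versions below the fixed releases 5.3.18 and 5.2.20. The directory layout, jar names and manifests in `build_sample_tree` are a constructed fixture, not real deployments.

```python
"""Archive-aware scan for Spring Framework jars (CVE-2022-22965 version check).
Added example for this thread; not BigFix content. Fixture data is constructed."""
import io
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

# Spring Framework artifacts whose version decides exposure to CVE-2022-22965.
SPRING_ARTIFACTS = ("spring-beans", "spring-core", "spring-webmvc", "spring-webflux")
JAR_NAME = re.compile(r"^(?P<artifact>spring-[a-z]+)-(?P<version>\d+(?:\.\d+)+)[^/]*\.jar$")
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 3  # ear -> war -> jar is as deep as a deployment normally nests


def is_vulnerable_version(version: str) -> Optional[bool]:
    """Fixed in 5.3.18 and 5.2.20; older releases on those lines, and every earlier
    (unsupported) line, count as affected. Handles qualifiers like 5.2.19.RELEASE."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        return None  # version string we cannot interpret: report, do not guess
    v = tuple(int(p) for p in m.group(0).split("."))
    if v[:2] == (5, 3):
        return v < (5, 3, 18)
    if v[:2] == (5, 2):
        return v < (5, 2, 20)
    return v < (5, 2)


def spring_version_of(path: str, zf: zipfile.ZipFile) -> Tuple[Optional[str], Optional[str]]:
    """Identify a Spring jar by file name; if the name carries no version, fall back
    to Implementation-Version in its manifest (common for re-packaged jars)."""
    base = os.path.basename(path)
    m = JAR_NAME.match(base)
    if m and m.group("artifact") in SPRING_ARTIFACTS:
        return m.group("artifact"), m.group("version")
    for artifact in SPRING_ARTIFACTS:
        if base.startswith(artifact):
            try:
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            except KeyError:
                return artifact, None
            mv = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            return artifact, (mv.group(1) if mv else None)
    return None, None


def scan_archive(data: bytes, path: str, findings: List[dict], depth: int = 0) -> None:
    """Recurse into nested archives (war -> WEB-INF/lib/*.jar) and record Spring jars."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container, or corrupt: nothing to look inside
    with zf:
        artifact, version = spring_version_of(path, zf)
        if artifact:
            findings.append({"path": path, "artifact": artifact, "version": version,
                             "vulnerable": is_vulnerable_version(version) if version else None})
        if depth >= MAX_DEPTH:
            return
        for info in zf.infolist():
            if not info.is_dir() and info.filename.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(info), f"{path}!/{info.filename}", findings, depth + 1)


def scan_tree(root: str) -> List[dict]:
    """Walk a directory (e.g. a Tomcat base dir) and scan every archive found."""
    findings: List[dict] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, "rb") as fh:
                    scan_archive(fh.read(), rel, findings)
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed fixture: one WAR shipping Spring 5.3.17, one patched WAR on 5.3.18,
    and a loose jar whose version is only in its manifest."""
    def jar(version: str) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as j:
            j.writestr("META-INF/MANIFEST.MF",
                       f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        return buf.getvalue()

    def war(name: str, jars: List[Tuple[str, str]]) -> None:
        with zipfile.ZipFile(os.path.join(root, "webapps", name), "w") as w:
            w.writestr("WEB-INF/web.xml", "<web-app/>")
            for artifact, version in jars:
                w.writestr(f"WEB-INF/lib/{artifact}-{version}.jar", jar(version))

    os.makedirs(os.path.join(root, "webapps"))
    os.makedirs(os.path.join(root, "lib"))
    war("legacy.war", [("spring-beans", "5.3.17"), ("spring-webmvc", "5.3.17")])
    war("patched.war", [("spring-beans", "5.3.18")])
    with open(os.path.join(root, "lib", "spring-core.jar"), "wb") as fh:
        fh.write(jar("5.2.19.RELEASE"))


def run_demo() -> Dict[str, Tuple[str, Optional[str], Optional[bool]]]:
    """Build the fixture in a temp dir, scan it, and map each Spring jar to its verdict."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {f["path"]: (f["artifact"], f["version"], f["vulnerable"])
                for f in scan_tree(root)}


if __name__ == "__main__":
    for path, (artifact, version, vulnerable) in sorted(run_demo().items()):
        print(f"{'VULNERABLE' if vulnerable else 'ok':10} {artifact} {version} {path}")
```

A version hit is evidence of an affected library, not proof of exploitability: the public exploit path additionally needs JDK 9 or later and the application deployed as a WAR under Tomcat, which is why scoping the scan to such endpoints, as suggested further down this thread, reduces noise without losing the cases that matter. A signature-only inventory, by contrast, never sees the `WEB-INF/lib/spring-beans-5.3.17.jar` entry inside `legacy.war` at all.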

@JasonWalker, the scan and analysis worked fine for me, thank you very much! I did a small tweak in the analysis to concatenate results so they were visible in the console vs ‘multiple results’.

2 Likes

Thanks for the feedback!

1 Like

Hey - Content is great. Thoughts on adding relevance to the scan task to limit the scope to endpoints running JDK >=9 and Tomcat ?

2 Likes