License and inventory content modification - BigFix Log4j Scanning Fixlets - BES Inventory and License 195

The BigFix team is very pleased to announce the release of version 1.1 of BigFix Log4j Scanning Fixlets.

These Fixlets enable organizations to quickly scan their device ecosystem and gain visibility and measurability into where vulnerable versions of Log4j exist on their devices. The Fixlets scan the various places where Log4j can be found, including .jar files as well as inside Java archives. Regardless of which scan method you run, BigFix can retrieve the results in a single analysis.

These Fixlets will enable you to:

  • Better discover, track, and understand your Log4j-affected assets
  • Quickly identify and prioritize issues by having the dependency context of your devices
  • Mitigate the most critical of the vulnerabilities, CVE-2021-44228 and CVE-2021-45056 in Log4j-core-2.16.0 and lower, by removing the JndiLookup.class file from the affected versions
  • Roll back the mitigations of CVE-2021-44228 and CVE-2021-45056 by restoring the original, vulnerable versions of the Log4j-core file in case of application breakage

Both Mitigation and Mitigation-rollback are provided on a best-effort basis by the BigFix team. Test carefully in your environment before applying or rolling back mitigations.

“Mitigated” versions of Log4j remain vulnerable to the later CVEs, including CVE-2021-45105 and CVE-2021-44832, which can be resolved only by upgrading to Log4j 2.17.1.
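A way to verify the two states described above, as an added example that is not part of the BigFix content or the Logpresso scanner: it walks an archive and any archives nested inside it, and for each log4j-core copy reports whether JndiLookup.class is still present and whether the version is below 2.17.1. The function names and the in-memory sample archives are constructed for illustration; the class path and pom.properties location are the standard ones in log4j-core JARs.

```python
import io
import zipfile

JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
FIXED = (2, 17, 1)  # the page names 2.17.1 as the release resolving the later CVEs

def parse_version(props: str):
    """Return the version= value from pom.properties as (text, numeric tuple)."""
    for line in props.splitlines():
        if line.startswith("version="):
            text = line.split("=", 1)[1].strip()
            nums = tuple(int(p) for p in text.split("-")[0].split(".") if p.isdigit())
            return text, nums
    return None, ()  # unknown version compares as below FIXED (conservative)

def scan_archive(data: bytes, label: str, depth: int = 0, max_depth: int = 5):
    """Yield one finding per log4j-core copy in this archive or nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive, nothing to report
    with zf:
        names = zf.namelist()
        if POM in names:
            text, nums = parse_version(zf.read(POM).decode("utf-8", "replace"))
            yield {"path": label, "version": text,
                   "jndi_lookup_present": JNDI in names,  # False after mitigation
                   "below_2_17_1": nums < FIXED}          # True: upgrade still needed
        for name in sorted(names):
            # max_depth bounds recursion into deeply nested archives
            if depth < max_depth and name.lower().endswith(ARCHIVE_EXT):
                yield from scan_archive(zf.read(name), f"{label}!/{name}", depth + 1)

def make_jar(entries: dict) -> bytes:
    """Build an in-memory archive from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    """Constructed WAR holding one mitigated and one unmodified log4j-core copy."""
    mitigated = make_jar({POM: b"version=2.14.1\n"})  # JndiLookup.class removed
    original = make_jar({POM: b"version=2.16.0\n", JNDI: b"\xca\xfe\xba\xbe"})
    app = make_jar({"WEB-INF/lib/log4j-core-2.16.0.jar": original,
                    "lib/log4j-core.jar": mitigated})
    return list(scan_archive(app, "app.war"))
```

A copy with `jndi_lookup_present` false and `below_2_17_1` true is the "mitigated but still needs upgrading" case the paragraph above describes.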

These tasks will:

  • Download a platform-specific JRE or JDK
  • Download a log4j-scan utility JAR file from Logpresso
  • Run the log4j-scan utility JAR with the platform-specific JRE or JDK to Scan, Mitigate, or Rollback Mitigations
  • Save results to a file; the results are available in an analysis
  • Delete the platform-specific JRE or JDK when the scan is completed

The following platforms are currently excluded:

  • Windows 2012 or older, Windows 8 or older
  • Linux Z and Linux PowerPC Big Endian
  • HP-UX

Important Notes:
This Fixlet relies on an underlying open-source component from LogPresso, a vendor of security solutions. Please ensure that your organization approves using open-source technology from this vendor. HCL Software/BigFix is NOT responsible for the integrity or safety of the LogPresso technology. If you do not want to use the component from LogPresso, do NOT use this Fixlet.

The scan should not be deployed all at once on all systems due to potential impact to shared network and disk resources.

The scanner will try to avoid common network file shares and will not follow symlinks to help prevent common potential problems, but this is not a guarantee that all cases are covered. If you know you need to exclude specific paths, those can be added in the field below.

A BigFix task that can also mitigate Log4j vulnerabilities using the same technology is available if you contact us, or unofficially through the BigFix community.

Published Content:
BES Inventory and License Site version 195

  • Update Logpresso scanner to version 2.7.1

  • Analysis 601: log4j2-scan results
    – Added Property “log4j Scan - Log4j versions found”
    – Added Property “log4j Scan - Number of Logpresso Mitigation Rollback Files”
    – Added Property “log4j Scan - Logpresso Mitigation Rollback Files”

  • Task 602: Run: log4j2-scan v2.7.1 - Universal JAR - Download JRE

  • Task 603: Run: log4j2-scan v2.7.1 - Universal JAR - Download JRE - WITH REMEDIATION

  • Task 604: Run: log4j2-scan v2.7.1 - Universal JAR - Download JRE - UNDO REMEDIATION