License and inventory content modification - BigFix Log4j Scanning Fixlets - BES Inventory and License 198

The BigFix team is very pleased to announce the release of updated BigFix Log4j Scanning Fixlets.

This Fixlet enables organizations to quickly scan their device ecosystem and gain visibility and measurability into where vulnerable versions of Log4j exist on their devices. The Fixlets will scan through various places where Log4j can be found, including .jar files as well as other Java archives. Regardless of which of the scan methods you execute, BigFix can retrieve the results in a single analysis.

These Fixlets will enable you to:

  • Better discover, track, and understand your Log4j affected assets
  • Quickly identify and prioritize issues by having the dependency context of your devices
  • Mitigate the most critical of the vulnerabilities, CVE-2021-44228 and CVE-2021-45056 in Log4j-core-2.16.0 and lower, by removing the JndiLookup.class file from the affected versions.
  • Rollback the mitigations of CVE-2021-44228 and CVE-2021-45056, by restoring the original, vulnerable versions of the Log4j-core file in case of application breakage

Both Mitigation and Mitigation-rollback are a best-effort from the BigFix team. Careful testing should be taken in your environment before applying or rolling back mitigations.

“Mitigated” versions of Log4j remain vulnerable to the later CVEs, including CVE-2021-45105 and CVE-2021-44832, which can be resolved only by upgrading the Log4j version.

Updated Tasks:
BES Inventory and License Site version 198

  • (Changed) Task 603 Run: log4j2-scan v2.9.2 - Universal JAR - Download JRE - WITH MITIGATION
    – CVE information has been removed from this Task to prevent false-positives in the CVE Search Dashboard. The task remains available for administrators who need a “one-task” Scan & Remediation without executing a prior scan (while this is not recommended for existing systems, where a prior scan should be used to identify and classify vulnerable instances, this could still be useful when generating new system images)

  • (New) Task 605 Log4j : Apply LogPresso Mitigations (v2.9.2) - Mitigable Version Found
    – Becomes Relevant only where a prior scan has identified Log4j instances with vulnerabilities that can be mitigated by removing specific Java classes from the .JAR file (CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, CVE-2019-17571, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305, and CVE-2022-23307).
    – Note that after mitigation, the Log4j instance may still remain vulnerable to the non-mitigable CVEs listed below.

  • (New) Task 606: Log4j : Audit: LogPresso Mitigations (v2.9.2) - Non-Mitigable Version Found
    – Becomes Relevant only where a prior scan has identified Log4j instances with vulnerabilities that cannot be mitigated by removing Java classes from the .JAR file. These vulnerabilities may only be removed by upgrading to a higher version of Log4j (version 2.17.2 at time of writing)
    – This task has no Action and is present to report CVE-2021-44832, CVE-2021-45105, CVE-2017-5645, CVE-2020-9488, and CVE-2021-42550

  • (Unchanged) Task 604 Run: log4j2-scan v2.9.2 - Universal JAR - Download JRE - UNDO MITIGATION
    – This task is unchanged, and will continue to roll back the mitigations applied by either Task 603 or Task 605
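The split between Task 605 (mitigable: JndiLookup.class can still be removed) and Task 606 (non-mitigable: only an upgrade helps) rests on two facts per log4j-core archive, its version and whether JndiLookup.class is still inside it. The following is an added example, not BigFix or LogPresso code, that walks an archive and the jars nested in it, reads the version from the maven descriptor, and reports that split; the war and jars are constructed in sample_war(), and the 2.17.2 threshold is taken from the post's "at time of writing" note.

```python
import io
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # the class the mitigation removes
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
FIXED_VERSION = (2, 17, 2)  # upgrade target the post names "at time of writing"

def inspect_archive(zf, label, findings):
    """Append one finding per log4j-core archive inside zf, recursing into nested archives."""
    names = set(zf.namelist())
    props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
    version = next((l.split("=", 1)[1].strip() for l in props.splitlines()
                    if l.startswith("version=")), None)
    if version is not None or JNDI_LOOKUP in names:
        findings.append({"path": label, "version": version or "unknown", "jndi_present": JNDI_LOOKUP in names})
    for name in sorted(n for n in names if n.lower().endswith(ARCHIVE_EXTS)):
        try:
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                inspect_archive(inner, label + "!" + name, findings)
        except zipfile.BadZipFile:
            pass  # named like an archive but is not one
    return findings

def classify(finding):
    # (state, needs_upgrade): 'mitigable' while JndiLookup.class is present, 'mitigated' once removed;
    # any version below FIXED_VERSION (or unknown) still needs the upgrade for the non-mitigable CVEs
    parts = tuple(int(p) for p in finding["version"].split(".") if p.isdigit())
    return ("mitigable" if finding["jndi_present"] else "mitigated"), not parts or parts < FIXED_VERSION

def sample_war():
    """Constructed input: a war bundling a vulnerable 2.14.1 jar, a mitigated copy and a 2.17.2 jar."""
    def jar(version, with_jndi):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(POM_PROPS, "version=%s\n" % version)
            if with_jndi:
                zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        return buf.getvalue()
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", jar("2.14.1", True))
        zf.writestr("WEB-INF/lib/log4j-core-mitigated.jar", jar("2.14.1", False))
        zf.writestr("WEB-INF/lib/log4j-core-2.17.2.jar", jar("2.17.2", True))
        zf.writestr("WEB-INF/lib/notes.jar", b"plain text, not an archive")
    return war.getvalue()

def audit(archive_bytes, label):
    """Scan one archive and return {path: (state, needs_upgrade)} for every log4j-core found."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return {f["path"]: classify(f) for f in inspect_archive(zf, label, [])}
```

A "mitigated" result with needs_upgrade still true is exactly the case Task 606 exists to report: the class removal is done, but the instance stays on the non-mitigable CVE list until upgraded.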


It looks like IBM updated the download links?

Yes, it does look like IBM has replaced the download links to Java 8 for the AIX PowerPC and s390 platforms. We will need to update the fixlet.

Do you have those platforms? If those platforms are not required in your deployment, you could create a custom copy of the task and remove the AIX downloads in the prefetch block to allow it to continue on your other platforms, if those downloads are preventing it from continuing on other machines.

I don’t have those platforms and I removed the prefetch commands for AIX.

Hi Jason,

We do have AIX PowerPC and s390 platforms.
