The BigFix team is very pleased to announce the release of updated BigFix Log4j Scanning Fixlets.
These Fixlets enable organizations to quickly scan their device ecosystem and gain visibility and measurability into where vulnerable versions of Log4j exist on their devices. The Fixlets scan the various places where Log4j can be found, including .jar files as well as other Java archives. Regardless of which of the scan methods you execute, BigFix retrieves the results in a single analysis.
These Fixlets will enable you to:
- Better discover, track, and understand your Log4j affected assets
- Quickly identify and prioritize issues by having the dependency context of your devices
- Mitigate the most critical of the vulnerabilities, CVE-2021-44228 and CVE-2021-45046 in Log4j-core-2.16.0 and lower, by removing the JndiLookup.class file from the affected versions.
- Roll back the mitigations of CVE-2021-44228 and CVE-2021-45046 by restoring the original, vulnerable versions of the Log4j-core file in case of application breakage
Both the Mitigation and the Mitigation rollback are a best effort from the BigFix team. Careful testing should be carried out in your environment before applying or rolling back mitigations.
“Mitigated” versions of Log4j remain vulnerable to the later CVEs, including CVE-2021-45105 and CVE-2021-44832, which can be resolved only by upgrading the Log4j version.
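As an added illustration of what the scan, mitigation and rollback steps above involve, the Python below is example code written for this post; it is not the BigFix Fixlets nor the LogPresso log4j2-scan tool they wrap. It walks a directory, reads the log4j-core version from each archive's pom.properties, recurses into nested archives (a jar inside a war), reports whether JndiLookup.class is present, removes that class while keeping a backup copy, and restores the backup on rollback. The status labels, the 2.17.2 upgrade threshold, the backup file suffix and the sample archives are constructed assumptions for the demo, not values from the Fixlets.

```python
"""Example Log4j archive scanner with class-removal mitigation and rollback.
Added illustration only: not BigFix or LogPresso code. Thresholds are assumptions."""
import io
import os
import shutil
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
UPGRADE_TARGET = (2, 17, 2)   # assumption: version the post names as the upgrade target
BACKUP_SUFFIX = ".log4j-mitigation.bak"  # assumption: where the pre-mitigation copy is kept


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a suffix such as '2.0-beta9' keeps only leading digits."""
    parts = []
    for piece in text.strip().split(".")[:3]:
        num = ""
        for ch in piece:
            if not ch.isdigit():
                break
            num += ch
        parts.append(int(num) if num else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def inspect_archive(zf, location):
    """Classify one opened archive and recurse into any archives nested inside it."""
    names = set(zf.namelist())
    findings = []
    if POM_PROPS in names:
        lines = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines()
        props = dict(line.split("=", 1) for line in lines
                     if "=" in line and not line.startswith("#"))
        version = parse_version(props.get("version", "0"))
        has_jndi = JNDI_CLASS in names
        if version >= UPGRADE_TARGET:
            status = "fixed"                            # upgraded: nothing to do
        elif has_jndi:
            status = "vulnerable-mitigable"             # class removal applies
        else:
            status = "mitigated-upgrade-still-required"  # class gone, later CVEs remain
        findings.append({"location": location, "version": version,
                         "jndi_lookup_present": has_jndi, "status": status})
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_EXT):
            inner_bytes = io.BytesIO(zf.read(name))
            if zipfile.is_zipfile(inner_bytes):
                with zipfile.ZipFile(inner_bytes) as inner:
                    findings.extend(inspect_archive(inner, f"{location}!{name}"))
    return findings


def scan_directory(root):
    """Walk a tree and return findings for every archive found (the 'scan' step)."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                if zipfile.is_zipfile(path):
                    with zipfile.ZipFile(path) as zf:
                        findings.extend(inspect_archive(zf, path))
    return findings


def mitigate(jar_path):
    """Rewrite a top-level jar without JndiLookup.class, keeping a backup for rollback.
    Nested archives are reported by the scan but are not rewritten here."""
    backup = jar_path + BACKUP_SUFFIX
    if os.path.exists(backup):
        return False  # already mitigated; do not overwrite the original copy
    shutil.copy2(jar_path, backup)
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename != JNDI_CLASS:
                dst.writestr(item, src.read(item.filename))
    os.replace(tmp, jar_path)  # atomic swap so a crash never leaves a half-written jar
    return True


def rollback(jar_path):
    """Restore the pre-mitigation jar (the 'undo mitigation' step)."""
    backup = jar_path + BACKUP_SUFFIX
    if not os.path.exists(backup):
        return False
    os.replace(backup, jar_path)
    return True


def build_sample_jar(path, version, include_jndi=True):
    """Constructed sample: a stub that looks like log4j-core to the scanner; not the real library."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not bytecode


def demo():
    """Scan, mitigate, rescan, roll back, rescan; returns the three status maps."""
    with tempfile.TemporaryDirectory() as root:
        jar = os.path.join(root, "log4j-core-2.14.1.jar")
        build_sample_jar(jar, "2.14.1")
        war = os.path.join(root, "app.war")  # constructed: the same jar nested in a war
        with zipfile.ZipFile(war, "w") as zf:
            zf.write(jar, "WEB-INF/lib/log4j-core-2.14.1.jar")
        before = {f["location"]: f["status"] for f in scan_directory(root)}
        mitigate(jar)
        after = {f["location"]: f["status"] for f in scan_directory(root)}
        rollback(jar)
        restored = {f["location"]: f["status"] for f in scan_directory(root)}
    return before, after, restored


if __name__ == "__main__":
    for label, result in zip(("before", "after", "restored"), demo()):
        print(label, result)
```

The demo deliberately leaves the copy nested inside app.war untouched, which is the point of the post's warning: a scan that only looks at loose .jar files misses embedded copies, and a mitigated top-level jar still reports as needing an upgrade because the class removal addresses only the mitigable CVEs.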
Updated Tasks:
BES Inventory and License Site version 198
- (Changed) Task 603 Run: log4j2-scan v2.9.2 - Universal JAR - Download JRE - WITH MITIGATION
– CVE information has been removed from this Task to prevent false positives in the CVE Search Dashboard. The task remains available for administrators who need a one-task scan and remediation without running a prior scan. This is not recommended for existing systems, where a prior scan should be used to identify and classify vulnerable instances, but it can still be useful when building new system images.
- (New) Task 605 Log4j : Apply LogPresso Mitigations (v2.9.2) - Mitigable Version Found
– Becomes Relevant only where a prior scan has identified Log4j instances with vulnerabilities that can be mitigated by removing specific Java classes from the .JAR file (CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, CVE-2019-17571, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305, and CVE-2022-23307).
– Note that after mitigation, the Log4j instance may still remain vulnerable to the non-mitigable CVEs listed below.
- (New) Task 606: Log4j : Audit: LogPresso Mitigations (v2.9.2) - Non-Mitigable Version Found
– Becomes Relevant only where a prior scan has identified Log4j instances with vulnerabilities that cannot be mitigated by removing Java classes from the .JAR file. These vulnerabilities can only be removed by upgrading to a higher version of Log4j (version 2.17.2 at time of writing).
– This task has no Action; it is present only to report CVE-2021-44832, CVE-2021-45105, CVE-2017-5645, CVE-2020-9488, and CVE-2021-42550.
- (Unchanged) Task 604 Run: log4j2-scan v2.9.2 - Universal JAR - Download JRE - UNDO MITIGATION
– This task is unchanged and will continue to roll back the mitigations applied by either Task 603 or Task 605.