Log4j and VM Manager Tool

Hello

Looking in the BigFix Analysis "Scan Results CVE-2021-44228 Log4j", there appears to be a finding on the main BigFix server at the following location: "Program Files (x86)\BigFix Enterprise\BES Client\LMT\VMMAN\lib\log4j-core-2.17.1.jar". There appears to be a SHA1 match that is not found. Does this mean the jar file is vulnerable to Log4j? I believe this file is used as part of the BigFix Inventory VM Manager Tool version 10.0.9.

That appears to be from the early Analyses I put on BigFix.me. Those scans and analyses are basically superseded by our official content in the ‘BES Inventory and License’ site. That Analysis only had a list of Log4j SHA1 hashes up through version 2.16.0, it won’t recognize any higher versions.

The Log4j version 2.17.1 is still the most current version and is clear of the known vulnerabilities.
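
One way to triage a "SHA1 match not found" result like the one in this thread, as an added example that is not from the original posts or from BigFix content: when a jar's hash is missing from the list, read the version from the jar's Maven metadata instead of treating the miss as a finding. The hash list and jars here are constructed stand-ins, and the function names are hypothetical.

```python
import hashlib
import io
import re
import zipfile

# Maven metadata entry carried inside log4j-core jars.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 17, 1)  # version the thread describes as clear of known vulnerabilities

def jar_version(jar_bytes):
    """Return the version tuple from pom.properties, or None if it is absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PROPS not in jar.namelist():
            return None
        text = jar.read(POM_PROPS).decode("utf-8", "replace")
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def triage(jar_bytes, known_sha1):
    """known_sha1 maps SHA1 hex digest -> version for the releases the scan knows."""
    digest = hashlib.sha1(jar_bytes).hexdigest()
    if digest in known_sha1:
        return "hash match: " + known_sha1[digest]
    # A miss only means the list does not cover this build; check the version.
    version = jar_version(jar_bytes)
    if version is None:
        return "no hash match, version unknown: inspect manually"
    label = ".".join(map(str, version))
    if version >= FIXED:
        return "no hash match, version " + label + ": at or above 2.17.1"
    return "no hash match, version " + label + ": older than 2.17.1, review"

def make_jar(version):
    """Build a constructed stand-in jar that holds only pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, "artifactId=log4j-core\nversion=" + version + "\n")
    return buf.getvalue()

if __name__ == "__main__":
    old = make_jar("2.16.0")
    known = {hashlib.sha1(old).hexdigest(): "2.16.0"}  # constructed hash list
    print(triage(old, known))
    print(triage(make_jar("2.17.1"), known))
```
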