Log4j CVE-2021-44228 Detection and Mitigation

This is much cleaner; sadly I couldn't clean it up, in the middle of all this and plenty to go, so “as is”. Your update looks really good.


Not sure if this may be handy to anyone here
https://bigfix.me/fixlet/details/26896

I just created it and tested on Windows only, but it covers multiple platforms in one hit. We had instructions to simply remove some of the log4j files, then it was decided to just make them dormant via rename.
Enter this task: it renames files on any OS to have a .bak.yyyymmdd.hhmmss extension so they can be restored if needed.

Generates and runs (Windows in this case)

It's pretty simple to operate and can almost directly take results from this thread's analysis!
Use with extreme caution; I couldn't test *NIX today, it's 5am here and I'm about to crash!

It is pretty easy to convert to use a file also, if you are handy with the ol' relevance; it should be just the download part really, and remove the createfile section. I needed an easy way for non-experienced operators to do this though.

Have a look for the line

parameter "FilePattern"="log4j-core*.jar"

Excellent Work! It’s so nice to see someone else has embraced the power of dir. :wink:


I’ve updated the Analysis, again, with a better description, and I’ve removed the SHA-256 hashes and comparisons, leaving only the SHA-1 comparisons, which work on more of the older BigFix versions.


That seems pretty dangerous from a “likely to make the product stop working” perspective. I’d expect most applications that depend on Log4j to crash if Log4j is not present.


Welcome mate… with the power of the BigFix community we will slay this beast!


Is there a way to display and copy the data of “multiple results” without hovering over or opening each server to see the file paths and locations?

Thanks,
Chris

Changing the view to “View as Summary” at the upper-right may be helpful but it won’t show the individual machines for each result. The best way to view the results is probably through Web Reports.

In Web Reports, add one of the properties as a Column and click the “+” to expand results into separate rows

Then it’ll show multiple rows for any computers with multiple results, like those here:


It’s really wild to me too. I didn’t recommend it, but at least got them to rename it only.
I can see where this is appropriate.

Vendors have also suggested it, plus backup copies and redundant copies in applications. This thing is everywhere!

Hi Jason,

After executing the task, how much time will it take to get the results?

Depends on the size of the file system, I’ve had anything from 3 minutes to 15 so far.


@JasonWalker … a small improvement suggestion for macOS. I found that

find /

does not inspect inside each application package. I worked out this command that seems to do the trick to find log4j inside package contents.

ls -R /Applications/* | awk '/:$/&&f{s=$0;f=0} /:$/&&!f{sub(/:$/,"");s=$0;f=1;next} NF&&f{ print s"/"$0 }' | grep -i <search_pattern_in_regex>

This is what I was using for my regex that most closely resembles your search pattern (but I’m not the regex expert):

"log4j-core.*\.jar"

The idea is to run this in the /Applications/* scope only after the find command and append to the text file

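As an added example (not code from the thread or from the BigFix task), here is a POSIX shell version of the same search: it walks a root with find using the thread's log4j-core*.jar pattern and prints the SHA-1 of every hit, so the output can be matched against the SHA-1 comparisons in the Analysis. The function names are mine, and the example assumes find is permitted to descend into the directories of interest (on macOS, .app bundles are ordinary directories).

```shell
#!/bin/sh
# Added example: locate log4j-core*.jar files under a root and print
# "sha1  path" for each, one per line, sorted for easy diffing.

# find_log4j_jars ROOT [PATTERN]
#   PATTERN is a find -iname glob; default is the thread's log4j-core*.jar.
#   -xdev stays on one filesystem (skips network mounts); permission
#   errors are discarded so the listing contains only paths.
find_log4j_jars() {
    root="$1"
    pattern="${2:-log4j-core*.jar}"
    find "$root" -xdev -type f -iname "$pattern" 2>/dev/null
}

# sha1_of FILE: hex SHA-1 digest using whichever tool is installed
# (sha1sum on Linux, shasum on macOS).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# report_log4j ROOT [PATTERN]: "sha1  path" per hit, sorted.
report_log4j() {
    find_log4j_jars "$1" "${2:-log4j-core*.jar}" | while IFS= read -r jar; do
        printf '%s  %s\n' "$(sha1_of "$jar")" "$jar"
    done | sort
}
```

Redirect report_log4j's output to a text file to append it to the results gathered by the find command discussed above.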

Hi Jason,
I have downloaded the task and analysis for testing, and the results are taking time; it's almost 5-6 hrs for Windows, and Linux has not yet updated in the results.

I think either your BigFix instance is broken or you didn’t actually set up the scan task action.

It works quite well. Have a look at what you are doing first.

In the latest download, I defaulted the Analysis Properties to evaluate “every 6 hours” to reduce client workload.
You can update it to evaluate more frequently (I wouldn’t recommend more frequently than once per hour), or use “Send Refresh” to a few clients and they should update it.

Good point. Did you take an Action from the task?

Vulnerability Scan: Log4j CVE-2021-44228. I have initiated the action on some servers and am waiting for the results in the analysis.

I’m still inclined to think something is wrong with your service if no results are up yet. Something surely would have reported in the meantime.

If you believe it’s all working and the action is sent, then perform a send refresh to one or two machines and it should populate quickly.

I have changed the evaluate hours; now getting the results.

Thanks
