Interesting, this seems like a cleaner option to use. Can much more easily tell if it exists or not and if it is set to true or not.
I can handle the actionscript to set this on windows, but for everything else, especially UNIX, how do you set the env vars on the command line or file?
Having to use a file instead of a command is kind of a pain in some cases if the env var already exists.
I wonder if the env var must be set to exactly "true" or if it is case insensitive?
This would be TRUE on any system that needs this env var, and I am assuming it is case sensitive for now:
not exists unique values whose(it contains "true") of values of (variables ("LOG4J_FORMAT_MSG_NO_LOOKUPS") of it; (if (windows of operating system) then (x64 variables ("LOG4J_FORMAT_MSG_NO_LOOKUPS") of it) else NOTHINGS) ) of environments
I would say this action will require a restart for 2 reasons. One is that the bigfix client won't update the results of env vars until restart of the agent I believe, but also, you must restart any services that launch JVMs for this setting to get picked up, and there might be an unknown number of services that would be affected, so it is hard to restart only the services that need it.
I haven't tested this, but this is what I came up with for actionscript:
// Note, this currently only handles windows, but could be expanded to handle other cases.
continue if {windows of operating system}
if {windows of operating system}
waithidden CMD /C setx LOG4J_FORMAT_MSG_NO_LOOKUPS true /m
if {x64 of operating system}
action uses wow64 redirection False
waithidden CMD /C setx LOG4J_FORMAT_MSG_NO_LOOKUPS true /m
endif
action requires restart
endif
// TODO: add actionscript to set env vars on non-windows:
The idea is to remove the "continue if" line later once non-windows use cases are handled, as well as move the "action requires restart" to after the "endif".
This will be relevant on ALL systems, even those without apparent Java installed, but that is intended.
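An added example, not from this thread, for the verification side on Linux (the thread only covers the Windows action): a POSIX shell script that reads each running JVM's environment from /proc/<pid>/environ and reports whether LOG4J_FORMAT_MSG_NO_LOOKUPS is present and set to exactly "true". A JVM started before the variable was set still has its old environment, which is the restart point made above. Assumes Linux procfs, that JVM processes have the command name "java", and root to read other users' processes.

```shell
#!/bin/sh
# Added example (not from the thread): audit running JVMs on Linux for the
# LOG4J_FORMAT_MSG_NO_LOOKUPS mitigation by reading /proc/<pid>/environ.
# Assumes Linux procfs; run as root to see every process.

# Print the value of variable $1 from a NUL-separated environ block on stdin.
# Exit status 1 when the variable is absent (an empty value still counts as set).
env_value() {
    tr '\000' '\n' | awk -v name="$1" -F= '
        $1 == name { sub(/^[^=]*=/, ""); print; found = 1; exit }
        END { exit !found }'
}

# Classify a value. Only the exact string "true" is reported as ok; a value
# that matches only case-insensitively is flagged for review, since the thread
# is unsure whether the comparison is case-sensitive.
classify_value() {
    case "$1" in
        true)             echo ok ;;
        [Tt][Rr][Uu][Ee]) echo case-mismatch ;;
        *)                echo wrong-value ;;
    esac
}

# Walk every process whose command name is "java" and report
# "<pid>\t<status>\t<value>" (status: ok, case-mismatch, wrong-value,
# missing, unreadable).
audit_jvms() {
    for environ in /proc/[0-9]*/environ; do
        pid=${environ#/proc/}; pid=${pid%/environ}
        comm=$(cat "/proc/$pid/comm" 2>/dev/null) || continue
        [ "$comm" = java ] || continue
        if [ ! -r "$environ" ]; then
            printf '%s\tunreadable\t\n' "$pid"
            continue
        fi
        if value=$(env_value LOG4J_FORMAT_MSG_NO_LOOKUPS < "$environ"); then
            status=$(classify_value "$value")
        else
            status=missing; value=
        fi
        printf '%s\t%s\t%s\n' "$pid" "$status" "$value"
    done
}

# Run the audit only when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    audit_jvms
fi
```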
Seems like this command didn't work for me:
CMD /C set LOG4J_FORMAT_MSG_NO_LOOKUPS="true"
and this one doesn't keep the quotes?
CMD /C setx LOG4J_FORMAT_MSG_NO_LOOKUPS "true" /m
Is setx available on most windows OSes? Not sure how far back it goes.
Looking closer to the referenced MS doc, seems like the quotes are not needed.
Fixlet to apply this mitigation on windows here: bigfix-content/fixlet/set LOG4J_FORMAT_MSG_NO_LOOKUPS env var to TRUE - Universal - CVE-2021-44228 mitigation.bes at main · jgstew/bigfix-content · GitHub