Server Automation - Log4J

Meydey 2021-12-22 20:15:04 UTC #1

I am seeing an instance of log4j on my root server under the SA PlanEngine folder. Has there been any guidance on updating SA? The last update was in Sept if I remember correct. Did not find anything for SA on the Known BF Issues link.

\BigFix Enterprise\BES Server\Applications\PlanEngine\lib\log4j-api-2.4.jar

JasonWalker 2021-12-22 22:10:42 UTC #2

The vulnerabilities appear to be only in log4j-core-X.jar, not in log4j-api-X. We don’t include log4j-core in Server Automation.

We are planning a version refresh in a future Server Automation release, but SA is not vulnerable to the CVEs disclosed over the last couple of weeks.

Meydey 2021-12-22 22:19:22 UTC #3

Ok. We are getting questioned on Log4J-anything now and trying to explain the difference to management is fun.
Thanks Jason

JasonWalker 2021-12-22 22:35:27 UTC #4

Happy to help. If it’s useful at all you can find and reference this statement on the vulnerabilities from the Apache page at https://logging.apache.org/log4j/2.x/security.html#

Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.

JasonWalker 2021-12-23 13:43:46 UTC #5

Well, as a matter of fact… Content in the BigFix Server Automation site has been modified 2021-12-23

Meydey 2021-12-23 17:31:30 UTC #6

Ask and ye shall receive. Perfect, thanks