
anderskarlsson asked a question.

Hi @Detlev Eufinger​,
how can I find this information in Risk Monitor?
I haven't been able to find it there yet.
BR,
Uwe

Hi
Use the report "File per Computer" and, in the criteria, choose "Description (File)" or "Executable path" with the Like string %log4j-core%.jar%
Many good guides around the internet regarding this massive vulnerability, here from Microsoft
As for Snow products, I do not see anything in Snow Inventory Server or Snow License Manager using this. Guess Snow will make a statement on it when they have finished investigating, like all vendors are scrambling to do.
/Preben

Hi Preben,
yes you can go this way but ...
In the Java ecosystem, dependencies are distributed as Java archive (JAR) files, which are packages that can be used as a Java library. Commonly used tools, such as Maven and Gradle, can automatically add JAR files as you build your Java application. It’s also possible for a JAR to contain another JAR to satisfy a dependency, which means a vulnerability can be hidden several levels down in your application. In some situations, one dependency pulls in hundreds of other dependencies making it even more difficult to find.
Essentially, in the Java world, you can have a JAR nested in a JAR nested in a JAR. This creates many layers that all need to be investigated. Just looking at the JARs your project pulls in directly may not be enough, since Log4j could be hiding inside of another JAR file!
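
An added example (not part of the original post, and not Snow or Flexera tooling) of the nested-JAR problem described above: a recursive scan that opens archives inside archives and reports every layer where log4j-core appears, either by file name or by the `JndiLookup.class` entry that log4j-core ships. The function names, `MAX_DEPTH`, and the sample archive names are assumptions made for illustration.

```python
import io
import zipfile

# JndiLookup.class ships inside log4j-core, so it identifies the library even
# when the JAR is renamed or its classes are repackaged into a "fat" JAR.
MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 8  # assumption: stop descending after this many nested layers


def find_log4j(data, path="", depth=0):
    """Return the nesting path of every log4j-core hit inside an archive."""
    hits = []
    if depth > MAX_DEPTH:
        return hits
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive, nothing to report
    with zf:
        for name in zf.namelist():
            lower = name.lower()
            base = lower.rsplit("/", 1)[-1]
            if name == MARKER or (base.startswith("log4j-core") and base.endswith(".jar")):
                hits.append(f"{path}!/{name}")
            if lower.endswith(ARCHIVE_EXTS):  # descend into the nested archive
                hits += find_log4j(zf.read(name), f"{path}!/{name}", depth + 1)
    return hits


def make_zip(entries):
    """Build an in-memory archive from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: log4j-core sits two levels down inside app.jar.
    core = make_zip({MARKER: b"stub"})
    lib = make_zip({"lib/log4j-core-x.y.z.jar": core})
    app = make_zip({"BOOT-INF/lib/vendor-lib.jar": lib, "app/Main.class": b"stub"})
    for hit in find_log4j(app, "app.jar"):
        print(hit)
```

A file-name search on the top-level archive alone would report nothing for `app.jar` here; the scan finds the library only by opening `vendor-lib.jar` first.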

Hi Detlev,
How do we identify applications, devices and services using the Log4J library (regarding CVE-2021-44228) without Risk Monitor? Is it possible to identify Log4J in the case you described above?
Does Risk Monitor have more enriched data than SLM/Adoption Tracker to be able to identify applications, devices and services using the Log4J library?

Hi Detlev! I ran the Files per computer with "Description (file)" like %log4j%. However, I got several rows where path is empty. How can the path be empty for a file?
I tried to look at the information directly in the Inventory database, but didn't manage to find the correct table/view. Do you happen to know which table(s) are relevant?

Hi @Jonas Nilsson​
Just wanted to check that you've seen this guide which may be helpful: https://community.flexera.com/s/article/How-Snow-can-help-with-CVE-2021-44228

Hi Karen! Yes I did that prior to my post. While that is good, it did not touch my questions.

This is useful even if it is not comprehensive, but from what I can see in the report it is partly misleading. I myself have Apache Directory Studio (which I know has log4j) installed on my own computer, but it is not included in the report no matter what the criteria look like.

Hi all, I wanted to share that there has been a new post on the New & Updates group: https://community.flexera.com/s/feed/0D5690000B5879cCQA
Also that we have put together some guidelines and insights about how Snow can help with finding potential installations affected by CVE-2021-44228. As we learn more we will be sure to update and improve the advice we've given here: https://community.flexera.com/s/article/How-Snow-can-help-with-CVE-2021-44228