
CVE-2021-44228

  1. Hi Snow Community

    We have put together some guidelines and insights about how Snow can help with finding potential installations affected by CVE-2021-44228 (aka, "Log4Shell"). As we learn more we will be sure to update and improve the advice we've given here: https://community.flexera.com/s/article/How-Snow-can-help-with-CVE-2021-44228


  2. Can we get detailed rationale for why the unaffected Snow products are unaffected?

    Thank you for all your quick work on this topic!

     

    My vulnerability team - in addition to confirming that our purchased products are not vulnerable to the Dec. 2021 log4j exploit - wants to also collect each vendor's rationale for why they are not vulnerable to the exploit. Example explanations include: product X uses log4j version y.y.y, which is not vulnerable; product X includes a vulnerable version of log4j, but through configuration log4j is disabled.

     

    Can you provide this detail for each of your non-vulnerable products? Thank you again for your time!


    • Jorge Ortiz (Flexera Software)

      Jonathan,

       

      I am happy to say that all of the Snow License Manager products are unaffected by the Log4J exploit, as we do not utilize this within our application. Snow Commander is a completely different product not stemming from Snow License Manager, which is why we announced the problem and resolution. This is covered in https://community.flexera.com/s/article/Vulnerability-in-Log4j-CVE-2021-45105

       

      If you have any additional questions/concerns feel free to respond or open a support ticket with the Snow team.

       

      Kind Regards,

       

      Gabe Ortiz

      Snow Software Inc


  3. Can I have an official statement from Snow that SLM, SIM, Si are not affected by the Log4j problem? Except perhaps Commander?

    Best Answer

    Hi all, I wanted to share that there has been a new post on the New & Updates group: https://community.flexera.com/s/feed/0D5690000B5879cCQA

     

    Also that we have put together some guidelines and insights about how Snow can help with finding potential installations affected by CVE-2021-44228. As we learn more we will be sure to update and improve the advice we've given here: https://community.flexera.com/s/article/How-Snow-can-help-with-CVE-2021-44228

    Karen Peacock (Flexera Software)

  5.
    • I thought that this idea might be useful for future investigations perhaps. It might be helpful to have the option to use Snow to look for a suspicious file hash.

  6. How do we identify applications, devices, and services using the Log4J library (regarding CVE-2021-44228) or maybe Snow itself does?

    Best Answer

    Hi all, I wanted to share that there has been a new post on the New & Updates group: https://community.flexera.com/s/feed/0D5690000B5879cCQA

     

    Also that we have put together some guidelines and insights about how Snow can help with finding potential installations affected by CVE-2021-44228. As we learn more we will be sure to update and improve the advice we've given here: https://community.flexera.com/s/article/How-Snow-can-help-with-CVE-2021-44228

    Karen Peacock (Flexera Software)
    • The EXTENSIONS_BLACKLIST and EXTENSIONS_WHITELIST are NOT related to what data is transferred between Snow Inventory Server and Snow License Manager. These settings are only controlling what kind of files you can upload as attachments to Snow License Manager.

       

      For example, to ensure that nobody can upload a potentially harmful executable as an attachment to an agreement, "exe" is by default a part of the EXTENSIONS_BLACKLIST setting. You can also choose to do whitelisting of attachments, which is stricter. Adding "pdf" to the EXTENSIONS_WHITELIST will ONLY allow PDF documents as attachments in SLM.

