Recently, a vulnerability within Apache Log4j caught widespread public attention and has security, operational and development teams alike scrambling for analyzing the impact within their own ecosystem and to apply mitigations if necessary. The wide use of Log4j and the ease of the exploitation of the vulnerability makes this vulnerability very suitable for quick and effective use within exploitation campaigns. Shortly after publication of the vulnerability Proof of Concepts (PoCs) and reports of exploitation began to arrive. For more details on this vulnerability and how it works, please see “Vulnerability Details” at the end of this article.

This article is intended to help explain how Flexera security products can help you identify and remediate this vulnerability. For the status of impacted Flexera products, please see this announcement.

Various teams across different Flexera solutions have been working overtime to ensure that our customers get immediate visibility on the impact of this and other vulnerabilities.

Software Vulnerability Research (SVR)

Alerts will be generated based on configured watch lists and configured notification settings.

SVR customers can expect to see:

• Up-to-date Secunia Advisories (SA105630, SA105605, SA105601) and further third-party product-related Secunia Advisories which contain detailed information on the vulnerability and its variants, including the solutions/patches and available CPEs
• CVEs associated with the vulnerability and its variants as published by a trusted source (for example, the vendor Apache or MITRE)
• Threat intelligence information associated with the vulnerability and its variants (if entitled to our Threat Intel module)

Software Vulnerability Manager (SVM)

Vulnerable products can be detected via file signatures which provide a definitive, actionable status. Where available, security updates may be published to remediate vulnerable instances detected in your environment.

SVM customers can expect to see:

• Impacted software product versions being detected in their inventory
• NEW SVM's Single Host Agent (v7.6.0.19) can now detect the log4j-core*.jar files installed on a host machine. See details here.
• We are and will continue, actively working to obtain more vulnerable product versions in order to create file signatures. If you are aware of a software version that is impacted but not yet detected, please submit it via the normal software suggestion process to help us to get the details necessary to create a file signature.
• CVE associated with the vulnerability and its variants as published by a trusted source (for example, the vendor Apache or MITRE)
• Threat intelligence information associated with the vulnerability and its variants (if entitled to our Threat Intel module)
• Patches you can publish to remediate this vulnerability and its variants for covered products as they are released by their respective vendors.

This vulnerability will be the cause of many software vulnerability disclosures, but each application including and exposing it will typically issue its own disclosure. Our Secunia Research team will continually monitor for such and will create a file signature for SVM to detect and assess specific versions as vulnerable as appropriate. 

AdminStudio

AdminStudio recently added a new Windows Risk Assessment test rule to detect the presence of log4j files in your deployment packages. See details here.

AdminStudio customers can expect to see:

• NEW A warning when log4j jar file is found in a package
• In cases where the data to assess the presence of Log4j is not possible, a message will be shown. 

Data Platform (with Technopedia)

Affected products may be detected in your inventory to provide a directional assessment. This can help you determine where to look closer, but a definitive vulnerability status may not be possible due to a lack of version granularity depending upon the application in question.

Data Platform customers can expect to see:

• All impacted Apache log4j products and/or releases are captured in Technopedia
• Any existing discovered data (a.k.a. evidence) that maps to the impacted products and/or releases are recognized. Note that any new evidence that customers bring in their inventory may still need to go through the gap-fill process.
• If the entitlement to InfoSec Content Pack is active:
• impacted products will be identified with any CPE’s associated with the impacted products and/or releases are linked
• up-to-date Secunia Advisory information linked to the available CPE’s is provided 
• CVE references associated with the vulnerability and its variants. The publication is dependent upon review/approval by the National Vulnerability Database (NVD).
• threat intelligence associated with the advisories (as provided by Flexera’s Secunia Research)

Flexera One IT Visibility

IT Visibility customers can expect to see any detected installations of impacted Apache log4j products and/or releases in their inventory, providing the evidence already exists in our recognition library (note that any net new evidence may still need to go through the gap-fill process). Similar to Data Platform (as both solutions are powered by Technopedia), the detection of the impacted products in your inventory will provide a directional assessment as the version granularity may not correspond directly to the vulnerability and its variants.

The capability to show the vulnerability information, however, is not currently available in IT Visibility. This is something that we’re actively working on to make available in the first half of 2022.

FlexNet Manager Suite (FNMS) and Flexera One IT Asset Management

Similar to IT Visibility, FNMS and ITAM customers can also expect to see Apache log4j applications which are potentially impacted by this attack. Given the fact that applications granularity in the ARL library is captured only at the major.minor version, further investigation may be needed to identify the subset of installations in their inventory with the exact build and/or patch levels. 

-

For details on the Log4j vulnerability please see Apache Log4j "Log4Shell" and Beyond