Finding installations of Apache Log4j (or other) files on computers with FlexNet Manager Suite

ChrisG
Community Manager Community Manager
Community Manager
18 37 9,575

All of us who work in the world of IT have been madly scrambling this week to assess where we stand in relation to the recently disclosed CVE-2021-44228 vulnerability in Apache Log4j 2 (widely referred to as Log4Shell). One key question everybody is asking is: how can we detect and identify systems that are potentially vulnerable?

There are many tactics being followed to help answer this question. I’d like to share some suggestions for one tactic that organizations who are using FlexNet Manager Suite On Premises with inventory gathered by the FlexNet inventory agent might consider. This involves:

  1. Configuring agents to gather details of files with specific names that are of interest.
  2. Extracting/reporting on gathered details.

I hope these suggestions are useful. What tactics are you using to identify where you might be exposed to Log4Shell? Post ideas in the comments below.

Configuring agents to gather details of files with a specified name

The FlexNet inventory agent’s IncludeFile preference can be configured to specify names of files whose details should be included when gathering inventory. For example, setting this preference to the value log4j-core-*.jar will include details of files found on the filesystem that match the specified pattern.

Some possible approaches to configure the value of the IncludeFile preference are:

  1. Arrange to set the value in the HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ManageSoft Corp\ManageSoft\Tracker\CurrentVersion\IncludeFile registry entry on each computer running a Windows operating system.

  2. Arrange to set the value in the /var/opt/managesoft/etc/mgsconfig.ini configuration file on each computer running a UNIX-like operating system. For example, the following shell commands will do this:
    cat >/tmp/tempconfig.ini <<EOF
    [ManageSoft\Tracker\CurrentVersion]
    IncludeFile=log4j-core-*.jar
    EOF
    
    /opt/managesoft/bin/mgsconfig -i /tmp/tempconfig.ini
    
    rm /tmp/tempconfig.ini​
  3. Set the value through agent policy settings. There is no UI to configure this directly, but it can be done with direct manipulation of some details in the compliance database with a SQL script like the following:
    -- The value of @TargetName should be set to one 'Target__windows',
    -- 'Target__osx' or 'Target__unix' to set policy settings for computers
    -- running the identified type of operating system.
    --
    -- To target multiple types of operating systems, change the value and
    -- re-run this script multiple times.
    
    DECLARE @TargetName NVARCHAR(100)
    SET @TargetName = 'Target__windows' -- or 'Target__osx' or 'Target__unix'
    
    -- Ensure the built-in target exists
    EXEC dbo.BeaconTargetPutByNameInternal
        @Name = @TargetName,
        @Internal = 1,
        @Description = NULL,
        @Visible = 0
    
    -- Get the ID of the target to have settings applied
    DECLARE @btid INT
    
    SELECT @btid = BeaconTargetID
    FROM dbo.BeaconTarget
    WHERE Name = @TargetName
    
    -- Add setting to agent policy for computers covered by the above target
    EXEC dbo.BeaconTargetPropertyValuePutByKeyNameBeaconTargetID
        @KeyName = 'CTrackerIncludeFile',
        @BeaconTargetID = @btid,
        @Value = 'log4j-core-*.jar'
    
    -- Force beacons to update to get latest settings containing the above changes
    EXEC dbo.BeaconPolicyUpdateRevision​
  4. If the ndtrack inventory gathering process is invoked directly, specify a value for the preference on the command line. For example:
    ndtrack -t Machine -o IncludeFile=log4j-core-*.jar​

Agent settings to scan for file details must be enabled for the IncludeFile preference to be effective. These settings are commonly configured through the Included file evidence configuration settings on the Discovery & Inventory > Settings page in the FlexNet Manager Suite web UI.

Once agent preferences are configured appropriately, details of files will appear in inventory .ndi files similarly to the following:

 

<Content MD5="NO_MD5" Size="5427604">
     <Instance Path="C:\Path\log4j-core-2.16.0.jar" DateTime="20211212T233542"/>
</Content>

 

Reporting on gathered details

Once inventory gathered by agents has been uploaded and imported, appropriately crafted SQL queries can be run against the inventory database to extract and report on details.

For example, the following query will retrieve a list of computer names along with details of files that have been found on them:

SELECT ComputerName = c.ComputerCN
    , FileName = sfn.Name, sp.Path, sf.Size, Timestamp = sf.DateTime
    , InventoryDate = ir.SWDate
FROM dbo.SoftwareFileName sfn
    JOIN dbo.SoftwareFile sf ON sf.SoftwareFileNameID = sfn.SoftwareFileNameID
    JOIN dbo.SoftwareFilePath sp ON sp.SoftwareFilePathID = sf.SoftwareFilePathID
    JOIN dbo.Computer c ON c.ComputerID = sf.ComputerID
    JOIN dbo.InventoryReport ir ON ir.ComputerID = sf.ComputerID
WHERE sfn.Name LIKE 'log4j-core-%.jar'

Limitations of relying on file details for security assessments

While knowing which computers files are found on can be useful to gain insight into possible exposure to a vulnerability like Log4Shell, it is far from bulletproof:

  • Having a file with a particular name installed does not guarantee that a system is exposed or vulnerable.
  • Conversely, failing to find a file with a particular name installed does not guarantee that a system is not exposed or vulnerable.

A tactic of looking for files with particular names like this should be just one of many tactics that an organization uses.

Possible extensions

Ideas for possible additional extensions to the above approach which you might consider are:

  • Import additional file details as file evidence into Flexnet Manager Suite

    By default, FlexNet Manager Suite’s inventory import procedures only import details of files that end with one of the following extensions: .sys, sys2, wtag, dtag, ptag, .sig, .exe, and .lax

    Advanced FlexNet Manager Suite administrators could explore modifying the inventory import procedures to import details of files with additional extensions of interest.
  • Reporting interface

    Rather than extracting data from the inventory database with a direct query, consider using reporting tools that can provide this data through an appropriate user interface.

Other links

If you’re interested in this topic, here are some other links that may be useful:

Acknowledgements

Thanks to the following Flexera Community users for sharing questions, ideas and discussion that have helped to inspire this post: @Frank07@bmaudlin@adrian_ritz1@dennis_reinhardt@akuntze@WStephans@caipingcba@raghuvaran_ram@Resnofendri 

 

37 Comments
Melbourne, Australia