All of us who work in the world of IT have been madly scrambling this week to assess where we stand in relation to the recently disclosed CVE-2021-44228 vulnerability in Apache Log4j 2 (widely referred to as Log4Shell). One key question everybody is asking is: how can we detect and identify systems that are potentially vulnerable?

There are many tactics being followed to help answer this question. I’d like to share some suggestions for one tactic that organizations who are using FlexNet Manager Suite On Premises with inventory gathered by the FlexNet inventory agent might consider. This involves:

1. Configuring agents to gather details of files with specific names that are of interest.
2. Extracting/reporting on gathered details.

I hope these suggestions are useful. What tactics are you using to identify where you might be exposed to Log4Shell? Post ideas in the comments below.

Configuring agents to gather details of files with a specified name

The FlexNet inventory agent’s IncludeFile preference can be configured to specify names of files whose details should be included when gathering inventory. For example, setting this preference to the value log4j-core-*.jar will include details of files found on the filesystem that match the specified pattern.

Some possible approaches to configure the value of the IncludeFile preference are:

1. Arrange to set the value in the HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ManageSoft Corp\ManageSoft\Tracker\CurrentVersion\IncludeFile registry entry on each computer running a Windows operating system.
   
   
2. Arrange to set the value in the /var/opt/managesoft/etc/mgsconfig.ini configuration file on each computer running a UNIX-like operating system. For example, the following shell commands will do this:
   

   cat >/tmp/tempconfig.ini <<EOF
   [ManageSoft\Tracker\CurrentVersion]
   IncludeFile=log4j-core-*.jar
   EOF
   
   /opt/managesoft/bin/mgsconfig -i /tmp/tempconfig.ini
   
   rm /tmp/tempconfig.ini​

3. Set the value through agent policy settings. There is no UI to configure this directly, but it can be done with direct manipulation of some details in the compliance database with a SQL script like the following:
   

   -- The value of @TargetName should be set to one 'Target__windows',
   -- 'Target__osx' or 'Target__unix' to set policy settings for computers
   -- running the identified type of operating system.
   --
   -- To target multiple types of operating systems, change the value and
   -- re-run this script multiple times.
   
   DECLARE @TargetName NVARCHAR(100)
   SET @TargetName = 'Target__windows' -- or 'Target__osx' or 'Target__unix'
   
   -- Ensure the built-in target exists
   EXEC dbo.BeaconTargetPutByNameInternal
       @Name = @TargetName,
       @Internal = 1,
       @Description = NULL,
       @Visible = 0
   
   -- Get the ID of the target to have settings applied
   DECLARE @btid INT
   
   SELECT @btid = BeaconTargetID
   FROM dbo.BeaconTarget
   WHERE Name = @TargetName
   
   -- Add setting to agent policy for computers covered by the above target
   EXEC dbo.BeaconTargetPropertyValuePutByKeyNameBeaconTargetID
       @KeyName = 'CTrackerIncludeFile',
       @BeaconTargetID = @btid,
       @Value = 'log4j-core-*.jar'
   
   -- Force beacons to update to get latest settings containing the above changes
   EXEC dbo.BeaconPolicyUpdateRevision​

4. If the ndtrack inventory gathering process is invoked directly, specify a value for the preference on the command line. For example:
   

   ndtrack -t Machine -o IncludeFile=log4j-core-*.jar​

Agent settings to scan for file details must be enabled for the IncludeFile preference to be effective. These settings are commonly configured through the Included file evidence configuration settings on the Discovery & Inventory > Settings page in the FlexNet Manager Suite web UI.

Once agent preferences are configured appropriately, details of files will appear in inventory .ndi files similarly to the following:

<Content MD5="NO_MD5" Size="5427604">
     <Instance Path="C:\Path\log4j-core-2.16.0.jar" DateTime="20211212T233542"/>
</Content>

Reporting on gathered details

Once inventory gathered by agents has been uploaded and imported, appropriately crafted SQL queries can be run against the inventory database to extract and report on details.

For example, the following query will retrieve a list of computer names along with details of files that have been found on them:

SELECT ComputerName = c.ComputerCN
    , FileName = sfn.Name, sp.Path, sf.Size, Timestamp = sf.DateTime
    , InventoryDate = ir.SWDate
FROM dbo.SoftwareFileName sfn
    JOIN dbo.SoftwareFile sf ON sf.SoftwareFileNameID = sfn.SoftwareFileNameID
    JOIN dbo.SoftwareFilePath sp ON sp.SoftwareFilePathID = sf.SoftwareFilePathID
    JOIN dbo.Computer c ON c.ComputerID = sf.ComputerID
    JOIN dbo.InventoryReport ir ON ir.ComputerID = sf.ComputerID
WHERE sfn.Name LIKE 'log4j-core-%.jar'

Limitations of relying on file details for security assessments

While knowing which computers files are found on can be useful to gain insight into possible exposure to a vulnerability like Log4Shell, it is far from bulletproof:

• Having a file with a particular name installed does not guarantee that a system is exposed or vulnerable.
• Conversely, failing to find a file with a particular name installed does not guarantee that a system is not exposed or vulnerable.

A tactic of looking for files with particular names like this should be just one of many tactics that an organization uses.

Possible extensions

Ideas for possible additional extensions to the above approach which you might consider are:

• Import additional file details as file evidence into Flexnet Manager Suite
  
  By default, FlexNet Manager Suite’s inventory import procedures only import details of files that end with one of the following extensions: .sys, sys2, wtag, dtag, ptag, .sig, .exe, and .lax
  
  Advanced FlexNet Manager Suite administrators could explore modifying the inventory import procedures to import details of files with additional extensions of interest.
• Reporting interface
  
  Rather than extracting data from the inventory database with a direct query, consider using reporting tools that can provide this data through an appropriate user interface.

Other links

If you’re interested in this topic, here are some other links that may be useful:

• Log4j vulnerability - info on how to scan and question about how to determine version on results (FlexNet Manager forum discussion)
• Identifying Apache Log4j JNDI Vulnerability “Log4Shell” (CVE-2021-44228, CVE-2021-4104) (another FlexNet Manager blog post)

Acknowledgements

Thanks to the following Flexera Community users for sharing questions, ideas and discussion that have helped to inspire this post: @Frank07, @bmaudlin, @adrian_ritz1, @dennis_reinhardt, @akuntze, @WStephans, @caipingcba, @raghuvaran_ram, @Resnofendri