Very nice summary! Is there any reason for the specification of "log4j-core-%.jar" instead of "log4j%.jar" or was that just an example?

Because I scanned just for the jar extention and the results, after filtering on both options differ both in the quantity of files and in the number of devices on which something was found. Looking at the CVE article I think "-core" was just used as an example.

"log4j-core-%.jar" is just an example. I used 'log4j*.jar' with solution 1 and it worked and collected all log4*.jar files. 

I have a question about roll back. 

What is the roll back procedure for point 3. Set the value through agent policy settings?  

I assume the rollback step is just to remove new rows in DB table dbo.BeaconTargetPropertyValue 

@caipingcba 
Even tho not available in the WebUI you can configure "custom parameters" withing the database. This information is then published in the BeaconConfig.xml. With the configuration update the agents then retrieve this information.

In the case of the example a a registry key (windows) will be written as 

"CTrackerIncludeFile"  with the Value "log4j-core-*.jar" 

This will lead to the same result as all the other options. It just has little manual effort, since the agents update themself with the new config.

This also works for UX based agents. The information is just stored in the config file, since there is no registry.

@old_mkieselbach - the techniques described here can certainly be applied to different filename patterns. I chose log4j-core-*.jar as the example as that will match common filenames that contain the CVE-2021-44228 vulnerability. You will find many more files match the more general pattern log4j*.jar, but most of them are not going to be related to the vulnerability.

FWIW, some information about the specific JAR file impacted by the vulnerability appears on the page at https://logging.apache.org/log4j/2.x/security.html which states:

"Note that only the log4j-core JAR file is impacted by this vulnerability."

With all of that said, and to elaborate on an important comment made in this post: the vulnerability may exist in files with different names, including files that have no obvious relationship to log4j. For example, the log4j-core JAR file could easily be embedded in a file named HappyDays.war, which a simple scan of the filesystem for files named log4j-core-*.jar won't find.

@caipingcba - to rollback changes that were made to the agent policy settings using the SQL script described in this post:

1. Either delete unwanted rows from the dbo.BeaconTargetPropertyValue view, or update their values to '' (empty string). For example (picking the delete approach):
   

   DELETE FROM dbo.BeaconTargetPropertyValue
   WHERE KeyName = 'CTrackerIncludeFile'​

2. Execute the following stored procedure to notify the system that there is a change that should be propagated to agents:
   

   EXEC dbo.BeaconPolicyUpdateRevision​

@ChrisG  I followed step 3 and the only changes I made in the query was the target name (created target name under discovery and inventory rules and selected the servers) when executed our DB showed successful results as 3 rows were affected. I waited for the full reconciliation and one day for the agents to collect the new inventory  and then ran the query you mentioned under this topic "Reporting on gathered details"

when I executed that query it did not provide any output. please help me to understand what I'm doing wrong.

I want to scan all my servers to find the files and path anything in this name  'log4j-core-%.jar'

also when I exected this command in the compliance DB

selects FROM dbo.BeaconTargetPropertyValue
WHERE KeyName = 'CTrackerIncludeFile'​

it showed 3 results as I created 3 targets each for Windows, Linux & Unix.

@raghuvaran_ram - there are a lot of moving parts between the start and end of the process you've described here, so it is hard to guess what may have been missed. Here are some ideas of places to look to see if you can spot where things may have broken down.

Select a problematic client computer for troubleshooting. A good starting point on that computer is then to check the ndtrack component's log file to ensure it shows file details being gathered as part of inventory.  This file is at C:\Windows\Temp\ManageSoft\tracker.log on Windows, or /var/opt/managesoft/log/tracker.log UNIX-like operating systems.

Key messages to look for in the log file are:

1. Log message identifying which directories the agent is configured to gather file details from:

   [15/12/2021 2:37:31 PM (G, 0)] {19208} File tracking looking for files in directories 'C:\'​

2. Log message identifying file names the agent is to configured to gather details about:

   [15/12/2021 2:37:31 PM (G, 0)] {19208} File tracking looking for files with names 'log4j-core-*.jar'​

3. Log messages showing the generated inventory NDI file being successfully uploaded:
   

   [15/12/2021 2:38:42 (G, 0)] {19208} Uploading file 'system on ws101 at 20211215T143720 (Full).ndi.gz' to 'https://beacon.acme.corp/ManageSoftRL/Inventories'
   [15/12/2021 2:38:42 (G, 0)] {19208} File 'system on ws101 at 20211215T143720 (Full).ndi.gz' removed from upload directory​

If you don't find all of these messages in the file it suggests that the agent's preference settings were not set appropriately to gather the data you're looking for at the time inventory was last gathered. For example, maybe policy has not been applied since the settings were updated on the server, or maybe the policy settings to enable gathering of file details were not configured as you expected.

Some other files to check on the client computer are:

• Look in the ndlaunch agent log to check a policy update operation has been successfully completed. This will normally happen once a day. This log file is at C:\Windows\Temp\ManageSoft\installation.log on Windows, or /var/opt/managesoft/log/installation.log UNIX-like operating systems. The log file will contain a URL of showing the "client settings" package that has been applied as part of policy - you could use this URL in a browser to download a copy of that package .ndc file yourself and check that it contains the IncludeFile setting you have configured.
  
  
• A copy of the most recently generated NDI inventory file will be stored under C:\ProgramData\ManageSoft Corp\ManageSoft\Tracker\Inventories  on Windows or /var/opt/managesoft/tracker/inventories on UNIX-like operating systems. Search in there for "<Content>" elements like described in this post to see if file details have been included.

Note that the approach described in this article does not depend on the reconciliation process having run. Data will be returned by the final "SELECT" SQL query executed against the inventory database as soon as inventory NDI files are uploaded and imported into the inventory database.

Thanks for shring the details @ChrisG, We are using FNMS Cloud not on premises so is it still a concern because we are capturing invnetory through Inventory agent? 

@chirag_sharma2 - while it would be possible to configure the IncludeFile inventory agent preference on your client computers so they include the corresponding file details in inventory, there is no way for Flexera One ITAM (previously known as FlexNet Manager Suite Cloud) to make use of that data in a way that you would be able to access. So unfortunately the approach described here won't be helpful for you.

Update on step 4, if you decide to go with the step 4, this is valid till next inventory generation by the agent.

Basically what's happening is:

Let's say at 14:00 you generate the inventory and include all jar files, the .ndi is uploaded, and every thing is fine.

At 16:00 the agent is generating normal inventory, and the data get uploaded, without .jar files, the original data with .jar files get overwritten and the data are gone, so you need to take into consideration the time when the inventory is generated and when they are uploaded.  

@ChrisG  thanks for your response earlier today.

I have followed all the steps you shared and did not find any evidence which means the changes I made in the DB doesn't reach the beacon at all.

In my previous target, I had multiple devices so I have created a new target with one VM and tried executing step 3 but still no luck.

in the affected machine when I manually created a registry entry under tracking >Current version as included file the agent collects the .jar files and I'm able to vire the details in DB, I want to have this validated in 1000+ servers so I cannot do it manually and wanted to do it from the DB as per your suggestion. 

After running step 3 how do I confirm that the targets I set reach the beacon?  as per my understanding from the beacon, this is been sent to agents when they check for the updated policy next time, in this case I doubt the changes we make and force in the DB is not reaching the beacons. Please advise on what is the next step I need to follow.

@raghuvaran_ram - I think the target and associated policy settings can be seen on the beacon once they have arrived there in the file C:\ProgramData\Flexera Software\Beacon\BeaconPolicy.xml. I expect you'll find a policy "revision" number somewhere within the file. That can be compared against the latest revision number as shown in the dbo.BeaconPolicy view in the compliance database to check if there is any discrepancy:

SELECT RevisionNumber, LastChangedOn FROM dbo.BeaconPolicy

Look in the C:\ProgramData\Flexera Software\Compliance\Logging\BeaconEngine\BeaconEngine.log file on the beacon for logging related to updating the policy information cached on the beacon.

If you want to create a WebUI report, you can create something like this:

Use FNMSCompliance -- use the FNMP Compliance database name
GO

IF OBJECT_ID ('dbo.ar_Log4j_Report', 'P') IS NOT NULL
DROP PROCEDURE dbo.ar_Log4j_Report -- drop Stored Procedure if it exists
GO
CREATE PROCEDURE dbo.ar_Log4j_Report AS

SELECT ComputerName = c.ComputerCN
, FileName = sfn.Name, sp.Path, sf.Size, Timestamp = sf.DateTime
, InventoryDate = ir.SWDate
FROM fnmsinventory.dbo.SoftwareFileName sfn
JOIN fnmsinventory.dbo.SoftwareFile sf ON sf.SoftwareFileNameID = sfn.SoftwareFileNameID
JOIN fnmsinventory.dbo.SoftwareFilePath sp ON sp.SoftwareFilePathID = sf.SoftwareFilePathID
JOIN fnmsinventory.dbo.Computer c ON c.ComputerID = sf.ComputerID
JOIN fnmsinventory.dbo.InventoryReport ir ON ir.ComputerID = sf.ComputerID
WHERE sfn.Name LIKE '%.jar'

GO

DECLARE @ViewName nvarchar(64), @tenant int
SET @ViewName = 'Log4j report' -- Unique Name you want to display for object
SET @tenant = 1 -- Tenant for which this view applies

EXEC ComplianceCustomViewRegister
@TenantID = 1,
@ComplianceSavedSearchSystemID = NULL,
@SearchName = @ViewName,
@SearchNameResourceName = NULL,
@Description = 'This view shows all *.jar files found into environment ',
@DescriptionResourceName = NULL,
@SearchGridLayout = NULL,
@SearchXML = NULL,
@SearchSQL = 'EXEC dbo.ar_Log4j_Report',
@SearchSQLConnection = 'Live',
@SearchMapping = NULL,
@ComplianceSearchType = 'Custom',
@ComplianceSearchFolderSystemID = -17,
@CanDelete = 1,
@CanChangeMasterObject = 0

Awesome - thanks for putting that together and sharing @adrian_ritz1. What a champion!

@ChrisG  all these BeaconPolicy.xml & BeaconEngine.log & the DB shows the same version of the policy, but even when I clearly targeted one beacon by deleting the files in the registry managesoft>download settings> leaving bootstrap server 1, it downloads all the details of all the beacons but not updating the tracking >Current version with the entry file includes.

I'm spending more time in sorting this out, please can you assist

@raghuvaran_ram do you see of the desired IncludeFile preference value appearing in the BeaconPolicy.xml file? If the value doesn't appear there it suggests the changes in the compliance database to configure this value haven't worked. If the value does appear there then it suggests when the agent downloads its policy the IP address or hostname details the agent provides in the policy down URL may not be getting matched up to the configuration specified in the target.

@ChrisG  I can see the IncludeFile mentioned in all our beacons "beaconpolicy.xml file, so the agent should reach any one of the beacons to download the policy, I also validated the log files in the agent VM by manually triggering the command mgspolicy and the log shows the latest timestamp and exited successfully. However, the IncludeFile entry is not created in the registry

@raghuvaran_ram - so that sounds like the beacon may be failing to associate the client computer with the target configuration details that you have set up. Some troubleshooting steps to check that would be to look in the installation.log file on the client computer and consider the following points.

Look in the .log file to find the URL that the agent is using to download its policy (.npl) file. Relevant logging showing the URL will look something like:

[Fri 23 Jul 2021 12:36:29 PM PDT (N, 0)] {3616} Downloading "https://beacon.acme.corp/ManageSoftDL/Policies/Merged/acme.corp_domain/Machine/ws101.npl?machinename=ws101&ipaddress=10.16.202.145" to "/var/tmp/NDL965608012.npl"

The values specified for the "machinename" and "ipaddress" parameters in this URL are what the beacon will use to try to match the device to the target you have configured. If they don't match the target configuration, settings configured for the target won't be applied on the client computer.

Also look in the log for the URL that the agent is using to download the "Device Configuration.osd" package. Relevant logging will look similar to:

[Fri 23 Jul 2021 12:36:36 PM PDT (N, 0)] {3616} Downloading "https://beacon.acme.corp/ManageSoftDL/ClientConfiguration/Device Configuration 59D7EE562EF059341FA252AC88547EEC/Device Configuration.osd" to "/var/tmp/NDL546291850.osd"

Take the URL you find there, change the ".osd" at the end to ".ndc", and use your browser to download that file. If it is all matching up, you should see the IncludeFile preference value appearing within the downloaded .ndc file.

@ChrisG 

1. The target IP in the .npl matches with the target I set in the UI

2. I have validated the beacon URL displayed in the .npl. beacon policy is showing the updated version and the IncludeFile parameters.

3. when manually downloaded the .ndc file I do not see the IncludeFile parameters

I have already raised a case for this #02521354, I would be of great help if you ask someone from support to fix this over a call. 

Hi, after appyling the log4j file scan some agents seem to stuck: 

{6524} Scanning directory 'C:\' for files

...Then not proceeding at all, next scehduled scan results in the same outcome and the .ndi files are not generated.

I also applied "ExcludeExtension" registry setting to prevent "exe" file scanning afterwards.

However, on another setup the scanning works fine.

It's weekend so it's hard to reach server admins so I cannot estimate why this is happening? Perhaps a security/anti-virus agent blocking the scans? There have not been any notifications of high CPU or disk usage though from monitoring.

For log4j search folders cannot feasibly be narrowed down as they could be practically anywhere.

BR, Antti

@anttimustonen - not seeing any further logging appearing after that "Scanning directory 'C:\' for files" message sounds like the scanning process (ndtrack.exe) has terminated for some reason. That would be unusual and unexpected, but not impossible. Check in the Application event log for any indication of an error recorded there around or shortly after the timestamps appearing in the logging.

If the ndtrack.exe process is crashing, you will likely need some assistance from Flexera Support to troubleshoot and investigate why that is happening.

Hi, @ChrisG I just managed to get access to one server and checked the Application log. ndtrack.exe version 20.0.0.1 and mgscmn.dll version 20.0.0.1 reported application error at start of the scan. Policy download & installation process was not affected however and rolling back/disabling the scan settings was successful.

EDIT: found this, probably is related:

Solved: Re: NDI file not updating - Community (flexera.com)

EDIT2: DLL and NDTRACK.exe seem to match to 2019 R2 version. So there is no disparency.

Will make a ticket, thanks!

BR, Antti

Hi, I apparently found the reason for the mgscmn.dll crash.

"IncludeFile" registry key in 2019 R2 agent registry cannot include double wildcard: *log4j*
In 2021 R1 agent this works, but 2019 R2 agent causes mgscmn.dll/ndtrack.exe to fail.

BR, Antti

Hello,

Performing some testing related to log4J... but also the recognition of products like JBOSS or TIBCO products that have .jar files, I realized the FileEvidences.xml reader in C:\ProgramData\Flexera Software\Compliance\ImportProcedures\Inventory\Reader\ManageSoft has a hard coded filtering on imported file extensions, that does not include JAR files.

To avoid the high volume of additional file evidences, you may use the IncludeFile parameter that Chris shared... then, to have the inventoried JAR files imported into the ImportedFileEvidences and FileEvidence tables, you need to create a custom inventory reader step, that will extend the Windows files collected from the Inventory Manager tables to ".jar" files.

There are 3 instances where this happens (For FNMS 2021R1: step 145, 181 and 220).

You need to create a FileEvidence.xml in C:\ProgramData\Flexera Software\Compliance\ImportProcedures\CustomInventory\Reader\ManageSoft that will contain only the 3 modified sections (please comment your modifications to help the consultant in charge of the next FNMS upgrade). Don't forget to place the reader.config file.

As you can see in screenshot below, the jar file evidences will appear in the evidence tab of your devices... and you will be able to use them for recognition.

For instance:

...
WHERE RIGHT(RTRIM(sfn.Name), 4) IN ('.exe', '.sys', 'sys2', 'wtag', 'ptag', '.lax', 'dtag', '.sig')

to

...
WHERE RIGHT(RTRIM(sfn.Name), 4) IN ('.exe', '.sys', 'sys2', 'wtag', 'ptag', '.lax', 'dtag', '.sig', '.jar').

@adrian_ritz1  thanks for the query, Can you also please help to include the affected version as a separate column.

@ChrisA  Many of the file evidence shows only "log4j.jar"  what version should that be considered

@raghuvaran_ram - I'm not familiar with all the different file names that log4j uses, but information about the specific JAR file impacted by the CVE-2021-44228 vulnerability appears on the page at https://logging.apache.org/log4j/2.x/security.html which may be helpful to you. This page states:

"Note that only the log4j-core JAR file is impacted by this vulnerability."

And just to be clear (I know I'm repeating myself, but I don't think this can be said enough! 😀😞 while finding files of particular names may be one useful tactic for identifying potential exposure to CVE-2021-44228, it by no means a foolproof method for finding all potential exposures.

@ChrisG  thanks for your quick response, what is your thought on the file evidence with only this naming conversion "log4j-core"  without any specific versions mentioned in the file name should this be considered as the base version.

@raghuvaran_ram - I'm not sure what a "log4j-core" file that doesn't include a version number in the filename might correspond to. You might consider contacting the developer/publisher of the software that includes the file that you've found to see if they can provide any insight.

Hi,

If we choose includefileevidence for a specific path in the inventory settings will it not scan any other folder in that server and generate a report with evidences found only in the specified path? Which eventually lead to unlink the Applications which were part of that inventory device previously? If yes, is there a way to target a specific path along with the complete server scan thinking that folder is not being scanned as expected?

Regards,

Srikanth Mallampati 

@gsc_mysam_sggl - when you configure paths to be scanned, only directories under those paths will be scanned. The agent won't scan for files in directories that you don't specify. You can specify specific (deep) or general (shallow) paths to be scanned, depending on your need - so if you have a specific path you want to ensure is scanned, simply add it to the list of paths.

@ChrisG , thanks for the clarification. May I know how does Flexera pick the evidence from the specific path mentioned in includefileevidence section of Inventory settings when the scan complete system doesnt pick the evidence from that path? The second option in the includefileevidence module is to collect file evidence from all folders right, in that case it should collect evidence from the specified path too right? I have seen scenarios when the third option ,collect file evidence from specified folder is selected and provided with a specific path, it has collected some evidence which we did not get when opted for second option. How is this possible? And also, is there a possibility to target only few devices instead of the entire farm which is reporting over FNMS Agent? Where can we change the setting to enable the agent to scan for more extension than the existing scan for some extensions? last and final question is, if we need to change the configuration of FNMS Agent on all the servers how can we modify it?

Thanks in Advance,

Srikanth Mallampati

Do we have the hotfix for Log4j vulnerability for FNMS/FNMEA?

@flexeranoob - check out the following page for the current status of Log4j vulnerability potential exposures, along with links to articles that discuss fixes and mitigation strategies where appropriate: Flexera’s response to Apache Log4j vulnerabilities CVE-2021-4104, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44228.

Hello,

I want to customize this in order to detect log4j and spring for the same OS. Is it possible to do that ?

EXEC dbo.BeaconTargetPropertyValuePutByKeyNameBeaconTargetID
    @KeyName = 'CTrackerIncludeFile',
    @BeaconTargetID = @btid,
    @Value = 'log4j-core-*.jar'

 Thanks you for help.

Yasmina

@ymhadjou - apologies for the delay, I had missed this question earlier.

You can specify a comma-separated set of filename patterns in the CTrackerIncludeFile preference. For example:

EXEC dbo.BeaconTargetPropertyValuePutByKeyNameBeaconTargetID
    @KeyName = 'CTrackerIncludeFile',
    @BeaconTargetID = @btid,
    @Value = 'log4j-core-*.jar,another-file-of-interest.jar'