All of us who work in the world of IT have been madly scrambling this week to assess where we stand in relation to the recently disclosed CVE-2021-44228 vulnerability in Apache Log4j 2 (widely referred to as Log4Shell). One key question everybody is asking is: how can we detect and identify systems that are potentially vulnerable?
There are many tactics being followed to help answer this question. I’d like to share some suggestions for one tactic that organizations that use FlexNet Manager Suite On Premises, with inventory gathered by the FlexNet inventory agent, might consider. This involves:
- Configuring agents to gather details of files with specific names that are of interest.
- Extracting/reporting on gathered details.
I hope these suggestions are useful. What tactics are you using to identify where you might be exposed to Log4Shell? Post ideas in the comments below.
Configuring agents to gather details of files with a specified name
The FlexNet inventory agent’s IncludeFile preference can be configured to specify names of files whose details should be included when gathering inventory. For example, setting this preference to the value log4j-core-*.jar will include details of files found on the filesystem that match the specified pattern.
Some possible approaches to configure the value of the IncludeFile preference are:
- Arrange to set the value in the HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ManageSoft Corp\ManageSoft\Tracker\CurrentVersion\IncludeFile registry entry on each computer running a Windows operating system.
- Arrange to set the value in the /var/opt/managesoft/etc/mgsconfig.ini configuration file on each computer running a UNIX-like operating system. For example, the following shell commands will do this:
cat >/tmp/tempconfig.ini <<EOF
[ManageSoft\Tracker\CurrentVersion]
IncludeFile=log4j-core-*.jar
EOF
/opt/managesoft/bin/mgsconfig -i /tmp/tempconfig.ini
rm /tmp/tempconfig.ini
- Set the value through agent policy settings. There is no UI to configure this directly, but it can be done with direct manipulation of some details in the compliance database with a SQL script like the following:
-- The value of @TargetName should be set to one of 'Target__windows',
-- 'Target__osx' or 'Target__unix' to set policy settings for computers
-- running the identified type of operating system.
--
-- To target multiple types of operating systems, change the value and
-- re-run this script multiple times.
DECLARE @TargetName NVARCHAR(100)
SET @TargetName = 'Target__windows' -- or 'Target__osx' or 'Target__unix'

-- Ensure the built-in target exists
EXEC dbo.BeaconTargetPutByNameInternal @Name = @TargetName, @Internal = 1, @Description = NULL, @Visible = 0

-- Get the ID of the target to have settings applied
DECLARE @btid INT
SELECT @btid = BeaconTargetID FROM dbo.BeaconTarget WHERE Name = @TargetName

-- Add setting to agent policy for computers covered by the above target
EXEC dbo.BeaconTargetPropertyValuePutByKeyNameBeaconTargetID @KeyName = 'CTrackerIncludeFile', @BeaconTargetID = @btid, @Value = 'log4j-core-*.jar'

-- Force beacons to update to get latest settings containing the above changes
EXEC dbo.BeaconPolicyUpdateRevision
- If the ndtrack inventory gathering process is invoked directly, specify a value for the preference on the command line. For example:
ndtrack -t Machine -o IncludeFile=log4j-core-*.jar
Agent settings to scan for file details must be enabled for the IncludeFile preference to be effective. These settings are commonly configured through the Included file evidence configuration settings on the Discovery & Inventory > Settings page in the FlexNet Manager Suite web UI.
Once agent preferences are configured appropriately, details of matching files will appear in inventory .ndi files in a form similar to the following (the Size attribute is on the Content element and is shared by every Instance listed under it):
<Content MD5="NO_MD5" Size="5427604">
  <Instance Path="C:\Path\log4j-core-2.16.0.jar" DateTime="20211212T233542"/>
</Content>
Reporting on gathered details
Once inventory gathered by agents has been uploaded and imported, appropriately crafted SQL queries can be run against the inventory database to extract and report on details.
For example, the following query will retrieve a list of computer names along with details of files that have been found on them:
SELECT ComputerName = c.ComputerCN
     , FileName = sfn.Name
     , sp.Path
     , sf.Size
     , Timestamp = sf.DateTime
     , InventoryDate = ir.SWDate
FROM dbo.SoftwareFileName sfn
JOIN dbo.SoftwareFile sf ON sf.SoftwareFileNameID = sfn.SoftwareFileNameID
JOIN dbo.SoftwareFilePath sp ON sp.SoftwareFilePathID = sf.SoftwareFilePathID
JOIN dbo.Computer c ON c.ComputerID = sf.ComputerID
JOIN dbo.InventoryReport ir ON ir.ComputerID = sf.ComputerID
WHERE sfn.Name LIKE 'log4j-core-%.jar'
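A file name on its own is only useful once the version in it has been turned into a verdict. The following is an added example, not code from the original post or from FlexNet Manager Suite: it reads the Content/Instance elements in the shape of the .ndi fragment shown earlier (constructed sample data, wrapped in an assumed root element; a real .ndi file has more surrounding structure that is ignored here), pulls the log4j-core version out of each file name, and classifies it against the CVE-2021-44228 affected range published by Apache (2.0-beta9 through 2.14.1, fixed in 2.15.0, with 2.12.2 and 2.3.1 as the Java 7 and Java 6 backports). The same classification could be applied to the FileName column returned by the query above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the .ndi fragment shown earlier, wrapped in
# an assumed <Inventory> root so it parses as one document.
SAMPLE_NDI = """<Inventory>
  <Content MD5="NO_MD5" Size="1789769">
    <Instance Path="C:\\app\\lib\\log4j-core-2.14.1.jar" DateTime="20211001T101500"/>
  </Content>
  <Content MD5="NO_MD5" Size="5427604">
    <Instance Path="C:\\Path\\log4j-core-2.16.0.jar" DateTime="20211212T233542"/>
  </Content>
  <Content MD5="NO_MD5" Size="1674433">
    <Instance Path="/opt/legacy/lib/log4j-core-2.12.1.jar" DateTime="20200301T080000"/>
    <Instance Path="/opt/legacy/lib/log4j-core-2.12.2.jar" DateTime="20211214T080000"/>
  </Content>
  <Content MD5="NO_MD5" Size="831000">
    <Instance Path="/opt/other/lib/log4j-core-2.0-beta9.jar" DateTime="20140101T000000"/>
  </Content>
</Inventory>
"""

# Release artifact naming: log4j-core-2.14.1.jar, log4j-core-2.0-beta9.jar, ...
# The optional trailing group captures pre-release labels such as "beta9".
NAME_RE = re.compile(
    r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9.]+))?\.jar$", re.IGNORECASE
)


def parse_log4j_core_name(path):
    """Return (major, minor, patch, suffix) from a log4j-core file name, or None."""
    name = re.split(r"[\\/]", path)[-1]          # last path component, either separator
    m = NAME_RE.match(name)
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch or 0), suffix


def cve_2021_44228_status(version):
    """Classify against the CVE-2021-44228 range: 2.0-beta9 through 2.14.1 is
    affected; 2.15.0 fixes it, as do the 2.12.2 and 2.3.1 branch backports."""
    major, minor, patch, suffix = version
    if major != 2:
        return "not-affected"                    # log4j 1.x is outside this CVE's range
    if suffix:
        beta = re.fullmatch(r"beta(\d+)", suffix, re.IGNORECASE)
        if (minor, patch) == (0, 0) and beta:
            return "vulnerable" if int(beta.group(1)) >= 9 else "not-affected"
        return "review"                          # other pre-release labels: check by hand
    if (minor, patch) >= (15, 0):
        return "fixed"
    if (minor == 12 and patch >= 2) or (minor == 3 and patch >= 1):
        return "fixed"
    return "vulnerable"


def find_log4j_core(ndi_xml):
    """Walk Content/Instance elements and return one record per log4j-core jar."""
    records = []
    for content in ET.fromstring(ndi_xml).iter("Content"):
        size = int(content.get("Size", 0))       # Size is shared by every Instance below
        for inst in content.iter("Instance"):
            path = inst.get("Path", "")
            version = parse_log4j_core_name(path)
            if version is None:
                continue
            records.append({
                "path": path,
                "size": size,
                "datetime": inst.get("DateTime"),
                "version": version,
                "status": cve_2021_44228_status(version),
            })
    return records


if __name__ == "__main__":
    for rec in find_log4j_core(SAMPLE_NDI):
        print(f"{rec['status']:<13} {rec['path']}")
```

Anything classified "review" (release candidates and other pre-release labels) and anything "vulnerable" should be escalated; "fixed" only says the file name claims a patched version, which is why the next section matters.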
Limitations of relying on file details for security assessments
While knowing which computers files are found on can be useful to gain insight into possible exposure to a vulnerability like Log4Shell, it is far from bulletproof:
- Having a file with a particular name installed does not guarantee that a system is exposed or vulnerable.
- Conversely, failing to find a file with a particular name installed does not guarantee that a system is not exposed or vulnerable.
A tactic of looking for files with particular names like this should be just one of many tactics that an organization uses.
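Both limitations above can be narrowed by opening the jar rather than trusting its name. The following is an added example, not code from the original post or from the FlexNet agent: it walks a jar (and any jars nested inside it, as in Spring Boot fat jars or WARs) and reports whether the archive carries org/apache/logging/log4j/core/lookup/JndiLookup.class, the class whose removal Apache documented as the Log4Shell workaround, together with the Implementation-Version manifest header (assumed to be present, as it is in Maven-built log4j-core jars). The three sample jars are constructed in memory with placeholder entries: a correctly named jar that has had the class removed, an application jar with a vulnerable copy embedded under a nested path, and a shaded jar where the log4j classes were copied in and no log4j-core file name exists at all.

```python
import io
import os
import tempfile
import zipfile

# Class whose removal is Apache's documented Log4Shell workaround.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def manifest_version(zf):
    """Implementation-Version from the manifest, or None. Shaded jars usually
    carry the application's own value here, not log4j's."""
    if MANIFEST not in zf.namelist():
        return None
    for line in zf.read(MANIFEST).decode("utf-8", "replace").splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def inspect_archive(data, label, findings):
    """Recursively scan archive bytes; record every archive that is either named
    like log4j-core or contains JndiLookup.class, whatever its file name."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        has_jndi = JNDI_LOOKUP in names
        named_log4j_core = "log4j-core" in os.path.basename(label)
        if has_jndi or named_log4j_core:
            findings.append({
                "archive": label,
                "has_jndi_lookup": has_jndi,
                "manifest_version": manifest_version(zf),
            })
        for name in names:                       # nested jars inside fat jars / WARs
            if name.lower().endswith(ARCHIVE_EXTS):
                inspect_archive(zf.read(name), f"{label}!/{name}", findings)
    return findings


def inspect_jar(path):
    with open(path, "rb") as fh:
        return inspect_archive(fh.read(), path, [])


def build_jar(version=None, with_jndi_lookup=True, nested=None):
    """Constructed sample jar: optional manifest, an empty placeholder entry in
    place of JndiLookup.class (only the entry name matters to this check), and
    optional nested archives given as {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if version is not None:
            zf.writestr(MANIFEST, f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"")
        for name, data in (nested or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo():
    """Write three constructed jars to a temp dir, inspect each, return {name: findings}."""
    samples = {
        # Name matches the IncludeFile pattern, but the class has been deleted:
        # the file is present without the JNDI lookup being reachable.
        "log4j-core-2.14.1.jar": build_jar("2.14.1", with_jndi_lookup=False),
        # Name says nothing about log4j; a vulnerable copy sits inside a fat jar.
        "orders-service.jar": build_jar(with_jndi_lookup=False, nested={
            "BOOT-INF/lib/log4j-core-2.14.1.jar": build_jar("2.14.1")}),
        # Shaded build: log4j classes copied in, manifest version is the app's own.
        "reporting-all.jar": build_jar("1.0.0"),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            results[name] = inspect_jar(path)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        for f in findings:
            print(f"{name}: jndi={f['has_jndi_lookup']} version={f['manifest_version']} "
                  f"at {f['archive'].split('!/')[-1]}")
```

Read the two fields together: a copy that still carries JndiLookup.class and reports a version below 2.15.0 (2.12.2 or 2.3.1 on the backport branches) is the case to escalate, regardless of what the enclosing file is called. A patched version that still ships the class is expected, since the fix disables the lookup rather than deleting the class, and a shaded jar's manifest version says nothing about the log4j build inside it, so for those the class presence plus a look at the bundled log4j classes is all the file can tell you.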
Ideas for possible additional extensions to the above approach which you might consider are:
- Import additional file details as file evidence into Flexnet Manager Suite
By default, FlexNet Manager Suite’s inventory import procedures only import details of files whose names end with one of the following extensions: .sys, .sys2, .wtag, .dtag, .ptag, .sig, .exe, and .lax.
Advanced FlexNet Manager Suite administrators could explore modifying the inventory import procedures to import details of files with additional extensions of interest.
- Reporting interface
Rather than extracting data from the inventory database with a direct query, consider using reporting tools that can provide this data through an appropriate user interface.
If you’re interested in this topic, here are some other links that may be useful:
- Log4j vulnerability - info on how to scan and question about how to determine version on results (FlexNet Manager forum discussion)
- Identifying Apache Log4j JNDI Vulnerability “Log4Shell” (CVE-2021-44228, CVE-2021-4104) (another FlexNet Manager blog post)
Thanks to the following Flexera Community users for sharing questions, ideas and discussion that have helped to inspire this post: @Frank07, @bmaudlin, @adrian_ritz1, @dennis_reinhardt, @akuntze, @WStephans, @caipingcba, @raghuvaran_ram, @Resnofendri