All of us who work in the world of IT have been madly scrambling this week to assess where we stand in relation to the recently disclosed CVE-2021-44228 vulnerability in Apache Log4j 2 (widely referred to as Log4Shell). One key question everybody is asking is: how can we detect and identify systems that are potentially vulnerable?
There are many tactics being followed to help answer this question. I’d like to share some suggestions for one tactic that organizations who are using FlexNet Manager Suite On Premises with inventory gathered by the FlexNet inventory agent might consider. This involves:
I hope these suggestions are useful. What tactics are you using to identify where you might be exposed to Log4Shell? Post ideas in the comments below.
The FlexNet inventory agent’s IncludeFile preference can be configured to specify names of files whose details should be included when gathering inventory. For example, setting this preference to the value log4j-core-*.jar will include details of files found on the filesystem that match the specified pattern.
Some possible approaches to configure the value of the IncludeFile preference are:
cat >/tmp/tempconfig.ini <<EOF [ManageSoft\Tracker\CurrentVersion] IncludeFile=log4j-core-*.jar EOF /opt/managesoft/bin/mgsconfig -i /tmp/tempconfig.ini rm /tmp/tempconfig.ini
-- The value of @TargetName should be set to one 'Target__windows', -- 'Target__osx' or 'Target__unix' to set policy settings for computers -- running the identified type of operating system. -- -- To target multiple types of operating systems, change the value and -- re-run this script multiple times. DECLARE @TargetName NVARCHAR(100) SET @TargetName = 'Target__windows' -- or 'Target__osx' or 'Target__unix' -- Ensure the built-in target exists EXEC dbo.BeaconTargetPutByNameInternal @Name = @TargetName, @Internal = 1, @Description = NULL, @Visible = 0 -- Get the ID of the target to have settings applied DECLARE @btid INT SELECT @btid = BeaconTargetID FROM dbo.BeaconTarget WHERE Name = @TargetName -- Add setting to agent policy for computers covered by the above target EXEC dbo.BeaconTargetPropertyValuePutByKeyNameBeaconTargetID @KeyName = 'CTrackerIncludeFile', @BeaconTargetID = @btid, @Value = 'log4j-core-*.jar' -- Force beacons to update to get latest settings containing the above changes EXEC dbo.BeaconPolicyUpdateRevision
ndtrack -t Machine -o IncludeFile=log4j-core-*.jar
Agent settings to scan for file details must be enabled for the IncludeFile preference to be effective. These settings are commonly configured through the Included file evidence configuration settings on the Discovery & Inventory > Settings page in the FlexNet Manager Suite web UI.
Once agent preferences are configured appropriately, details of files will appear in inventory .ndi files similarly to the following:
<Content MD5="NO_MD5" Size="5427604"> <Instance Path="C:\Path\log4j-core-2.16.0.jar" DateTime="20211212T233542"/> </Content>
Once inventory gathered by agents has been uploaded and imported, appropriately crafted SQL queries can be run against the inventory database to extract and report on details.
For example, the following query will retrieve a list of computer names along with details of files that have been found on them:
SELECT ComputerName = c.ComputerCN , FileName = sfn.Name, sp.Path, sf.Size, Timestamp = sf.DateTime , InventoryDate = ir.SWDate FROM dbo.SoftwareFileName sfn JOIN dbo.SoftwareFile sf ON sf.SoftwareFileNameID = sfn.SoftwareFileNameID JOIN dbo.SoftwareFilePath sp ON sp.SoftwareFilePathID = sf.SoftwareFilePathID JOIN dbo.Computer c ON c.ComputerID = sf.ComputerID JOIN dbo.InventoryReport ir ON ir.ComputerID = sf.ComputerID WHERE sfn.Name LIKE 'log4j-core-%.jar'
While knowing which computers files are found on can be useful to gain insight into possible exposure to a vulnerability like Log4Shell, it is far from bulletproof:
A tactic of looking for files with particular names like this should be just one of many tactics that an organization uses.
Ideas for possible additional extensions to the above approach which you might consider are:
If you’re interested in this topic, here are some other links that may be useful:
Thanks to the following Flexera Community users for sharing questions, ideas and discussion that have helped to inspire this post: @Frank07, @bmaudlin, @adrian_ritz1, @dennis_reinhardt, @akuntze, @WStephans, @caipingcba, @raghuvaran_ram, @Resnofendri
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.