This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject

A new Flexera Community experience is coming on November 25th. Click here for more information.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
ShowĀ Ā onlyĀ  | Search instead forĀ 
Did you mean:Ā 

Log4j vulnerability - info on how to scan and question about how to determine version on results

Jump to solution
Frank07
By
Level 6

How Flexera can help us on finding the servers which contains the Log4j  on windows systems.

We see some in our Flexera application but not all. 

We have tried on on system where we now a log4j file is present to run:

C:\Program Files (x86)\ManageSoft\Tracker>"C:\Program Files (x86)\ManageSoft\Tracker\ndtrack.exe" -o InventoryType=Machine -o UserInteractionLevel=Quiet -o IncludeDirectory=C:\\;D:\\ 

This command was not showing all the files. It was not showing: "log4j.jar"

We added an option:

"C:\Program Files (x86)\ManageSoft\Tracker\ndtrack.exe" -o InventoryType=Machine -o UserInteractionLevel=Quiet -o IncludeDirectory=C:\\;D:\\ -o IncludeExtension=jar

This option can only be set directly on the command and not on the application interface. (Don't know if it can be set on the beacon in the policy - don't have this knowledge)

The NDI file now contains the log4j file but not information on which version.

<Content MD5="NO_MD5" Size="489884">
<Instance Path="C:\xxxxxxxx\xxxx\agent\lib\log4j.jar" DateTime="20210727T061220"/>
</Content>

 

Is the FlexNet Agent able to read on the jar file the software version ? And what parameter to be set for this ?

Regards, Frank07

 

ā€ŽDec 13, 2021 09:47 AM

(1) Solution

Jump to solution
ChrisG
By Community Manager Community Manager
Community Manager
In response to adrian_ritz1

Try the following as your query (the critical change is a correction to the join condition to SoftwareFileName):

SELECT c.ComputerCN, sf.FileDescription, sfn.Name, sp.Path
FROM dbo.Computer c
    LEFT JOIN dbo.SoftwareFile sf ON c.ComputerID = sf.ComputerID
    LEFT JOIN dbo.SoftwareFilePath sp ON sp.SoftwareFilePathID = sf.SoftwareFilePathID
    LEFT JOIN dbo.SoftwareFileName sfn ON sfn.SoftwareFileNameID = sf.SoftwareFileNameID
WHERE c.ComputerCN = 'xxx'

 

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

View solution in original post

ā€ŽDec 14, 2021 05:00 AM

(11) Replies

Jump to solution
Frank07
By
Level 6

After the reconcile the jar file is not visible in the inventory evidence of the file or in unrecognised evidence šŸ˜•.  Reason ?

ā€ŽDec 13, 2021 10:11 AM

0 Kudos

Jump to solution
bmaudlin
By Level 9 Champion
Level 9 Champion
In response to Frank07

Hi @Frank07 I think either the IncludeExtension flag is not working or the system overall/agent has a problem with these type of files. I had already raised call > 02510662 in terms of .jar recognition and that IncludeExension doesn't seem to work for this file type. 

There is an idea already raised to include .jar as part of the automatic recognition from the agent here >  https://flexerasfdc.ideas.aha.io/ideas/ITAM-I-170

 

 

ā€ŽDec 13, 2021 10:37 AM

Jump to solution
adrian_ritz1
By
Level 10
In response to bmaudlin

Indeed, I checked with the following SQL command directly in the FNMSInventory database

select c.ComputerCN, sf.FileDescription, sfn.Name, sp.Path from Computer c
left join SoftwareFile sf on c.ComputerID = sf.ComputerID
left join SoftwareDetails sd on sd.SoftwareDetailsID = sf.SoftwareFileID
left join SoftwareFilePath sp on sp.SoftwareFilePathID = sf.SoftwareFilePathID
left join SoftwareFileName sfn on sfn.SoftwareFileNameID = sf.SoftwareID
where c.ComputerCN = 'xxx'

and receive the following 

ComputerCN FileDescription Name Path
xxx  NULL C:\MidServer\MID\agent\jre\lib\

I receive only the path which is not very helpful, I will try to check all the ndi file with powershell and try to generate a report

ā€ŽDec 14, 2021 04:38 AM

Jump to solution
ChrisG
By Community Manager Community Manager
Community Manager
In response to adrian_ritz1

Try the following as your query (the critical change is a correction to the join condition to SoftwareFileName):

SELECT c.ComputerCN, sf.FileDescription, sfn.Name, sp.Path
FROM dbo.Computer c
    LEFT JOIN dbo.SoftwareFile sf ON c.ComputerID = sf.ComputerID
    LEFT JOIN dbo.SoftwareFilePath sp ON sp.SoftwareFilePathID = sf.SoftwareFilePathID
    LEFT JOIN dbo.SoftwareFileName sfn ON sfn.SoftwareFileNameID = sf.SoftwareFileNameID
WHERE c.ComputerCN = 'xxx'

 

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

ā€ŽDec 14, 2021 05:00 AM

Jump to solution
adrian_ritz1
By
Level 10
In response to ChrisG

Thank you @ChrisG , this solved the issue and now is reporting correctly at least I have a list with all installation that contain log4j and I can work with them.

 

ā€ŽDec 14, 2021 05:14 AM

Jump to solution
raghuvaran_ram
By
Level 6
In response to ChrisG

@ChrisG  

Under License compliance > All applications, I do see installations for log4j 1 showing Redhat as the publisher, from the device inventory I have extracted the affected devices. but when I run the above script using one of the affected device names the output is not showing any log4j pieces of evidence, under what name I should look at the output?

Also with this query, I can only target individual machines, with the application name (possibly answer from 1st question) is there an option to search and get the path of all affected devices for one particular application covering the entire estate.

ā€ŽDec 14, 2021 06:27 AM

0 Kudos

Jump to solution
ChrisG
By Community Manager Community Manager
Community Manager
In response to raghuvaran_ram

@raghuvaran_ram - I think you're mixing up different types of data a little here.

First of all, the SQL query that @adrian_ritz1 was working on above is to report on file details. You won't see details of *.jar files appearing in your query output unless you have take steps to configure and run the ndtrack inventory agent across your computers to gather those files.

This data is quite unrelated to recognized installations of log4j applications. I expect the installations you are seeing reported in the UI have been recognized based on installer evidence, not file details. You can see what evidence has been used to recognize a particular installation on a computer by looking in the "Evidence" tab when viewing the computer's inventory device record in the UI.

With that said, most applications that may be exposed to the Log4Shell vulnerability won't have "log4j" in their name: they will be arbitrary applications from other vendors that internally include the log4j component. So while looking at installations that the ARL recognizes of applications that do have "log4j" in there name may be useful as one tactic for assessing your exposure, it is only ever going to be a minor tactic.

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

ā€ŽDec 14, 2021 06:40 AM

Jump to solution
Frank07
By
Level 6
In response to bmaudlin

I supported the idea.

ā€ŽDec 14, 2021 04:43 AM

0 Kudos

Jump to solution
dennis_reinhardt
By
Level 7

Hi, Of course  libraries can be recognized by their name, but there is also a considerable amount of components that are located directly in the *.jar file etc.. these data cannot be read by the agent. That's probably the next big challenge, but that's where I don't think the Flexera Agent can help

ā€ŽDec 13, 2021 01:53 PM

Jump to solution
akuntze
By
Level 3

Maybe one comment: The Managesoft reader has a filter on file extensions implemented:

FROM dbo.SoftwareFileName AS sfn WITH (NOLOCK)
WHERE RIGHT(RTRIM(sfn.Name), 4) IN ('.exe', '.sys', 'sys2', 'wtag', 'ptag', '.lax', 'dtag', '.sig')

If you want to see the results in the FNMSCompliance database, you would need to adapt the reader, too.

 

ā€ŽDec 14, 2021 04:44 PM

Jump to solution
ChrisG
By Community Manager Community Manager
Community Manager

There's some great discussion on this thread. Thanks everybody! A number of the ideas discussed are now covered in the following post which has just gone out: Finding installations of Apache Log4j (or other) files on computers with FlexNet Manager Suite.

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

ā€ŽDec 14, 2021 10:45 PM