cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Frank07
Level 6

Log4j vulnerability - info on how to scan and question about how to determine version on results

Jump to solution

How Flexera can help us on finding the servers which contains the Log4j  on windows systems.

We see some in our Flexera application but not all. 

We have tried on on system where we now a log4j file is present to run:

C:\Program Files (x86)\ManageSoft\Tracker>"C:\Program Files (x86)\ManageSoft\Tracker\ndtrack.exe" -o InventoryType=Machine -o UserInteractionLevel=Quiet -o IncludeDirectory=C:\\;D:\\ 

This command was not showing all the files. It was not showing: "log4j.jar"

We added an option:

"C:\Program Files (x86)\ManageSoft\Tracker\ndtrack.exe" -o InventoryType=Machine -o UserInteractionLevel=Quiet -o IncludeDirectory=C:\\;D:\\ -o IncludeExtension=jar

This option can only be set directly on the command and not on the application interface. (Don't know if it can be set on the beacon in the policy - don't have this knowledge)

The NDI file now contains the log4j file but not information on which version.

<Content MD5="NO_MD5" Size="489884">
<Instance Path="C:\xxxxxxxx\xxxx\agent\lib\log4j.jar" DateTime="20210727T061220"/>
</Content>

 

Is the FlexNet Agent able to read on the jar file the software version ? And what parameter to be set for this ?

Regards, Frank07

 

1 Solution

Try the following as your query (the critical change is a correction to the join condition to SoftwareFileName):

SELECT c.ComputerCN, sf.FileDescription, sfn.Name, sp.Path
FROM dbo.Computer c
    LEFT JOIN dbo.SoftwareFile sf ON c.ComputerID = sf.ComputerID
    LEFT JOIN dbo.SoftwareFilePath sp ON sp.SoftwareFilePathID = sf.SoftwareFilePathID
    LEFT JOIN dbo.SoftwareFileName sfn ON sfn.SoftwareFileNameID = sf.SoftwareFileNameID
WHERE c.ComputerCN = 'xxx'

 

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

View solution in original post

This thread has been automatically locked due to inactivity.

To continue the discussion, please start a new thread.

11 Replies
Frank07
Level 6

After the reconcile the jar file is not visible in the inventory evidence of the file or in unrecognised evidence 😕.  Reason ?

0 Kudos
bmaudlin
Level 8 Champion
Level 8 Champion

Hi @Frank07 I think either the IncludeExtension flag is not working or the system overall/agent has a problem with these type of files. I had already raised call > 02510662 in terms of .jar recognition and that IncludeExension doesn't seem to work for this file type. 

There is an idea already raised to include .jar as part of the automatic recognition from the agent here >  https://flexerasfdc.ideas.aha.io/ideas/ITAM-I-170

 

 

Indeed, I checked with the following SQL command directly in the FNMSInventory database

select c.ComputerCN, sf.FileDescription, sfn.Name, sp.Path from Computer c
left join SoftwareFile sf on c.ComputerID = sf.ComputerID
left join SoftwareDetails sd on sd.SoftwareDetailsID = sf.SoftwareFileID
left join SoftwareFilePath sp on sp.SoftwareFilePathID = sf.SoftwareFilePathID
left join SoftwareFileName sfn on sfn.SoftwareFileNameID = sf.SoftwareID
where c.ComputerCN = 'xxx'

and receive the following 

ComputerCN FileDescription Name Path
xxx  NULL C:\MidServer\MID\agent\jre\lib\

I receive only the path which is not very helpful, I will try to check all the ndi file with powershell and try to generate a report

Try the following as your query (the critical change is a correction to the join condition to SoftwareFileName):

SELECT c.ComputerCN, sf.FileDescription, sfn.Name, sp.Path
FROM dbo.Computer c
    LEFT JOIN dbo.SoftwareFile sf ON c.ComputerID = sf.ComputerID
    LEFT JOIN dbo.SoftwareFilePath sp ON sp.SoftwareFilePathID = sf.SoftwareFilePathID
    LEFT JOIN dbo.SoftwareFileName sfn ON sfn.SoftwareFileNameID = sf.SoftwareFileNameID
WHERE c.ComputerCN = 'xxx'

 

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

Thank you @ChrisG , this solved the issue and now is reporting correctly at least I have a list with all installation that contain log4j and I can work with them.

 

@ChrisG  

Under License compliance > All applications, I do see installations for log4j 1 showing Redhat as the publisher, from the device inventory I have extracted the affected devices. but when I run the above script using one of the affected device names the output is not showing any log4j pieces of evidence, under what name I should look at the output?

Also with this query, I can only target individual machines, with the application name (possibly answer from 1st question) is there an option to search and get the path of all affected devices for one particular application covering the entire estate.

0 Kudos

@raghuvaran_ram - I think you're mixing up different types of data a little here.

First of all, the SQL query that @adrian_ritz1 was working on above is to report on file details. You won't see details of *.jar files appearing in your query output unless you have take steps to configure and run the ndtrack inventory agent across your computers to gather those files.

This data is quite unrelated to recognized installations of log4j applications. I expect the installations you are seeing reported in the UI have been recognized based on installer evidence, not file details. You can see what evidence has been used to recognize a particular installation on a computer by looking in the "Evidence" tab when viewing the computer's inventory device record in the UI.

With that said, most applications that may be exposed to the Log4Shell vulnerability won't have "log4j" in their name: they will be arbitrary applications from other vendors that internally include the log4j component. So while looking at installations that the ARL recognizes of applications that do have "log4j" in there name may be useful as one tactic for assessing your exposure, it is only ever going to be a minor tactic.

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)

I supported the idea.

0 Kudos

Hi, Of course  libraries can be recognized by their name, but there is also a considerable amount of components that are located directly in the *.jar file etc.. these data cannot be read by the agent. That's probably the next big challenge, but that's where I don't think the Flexera Agent can help

akuntze
Level 3

Maybe one comment: The Managesoft reader has a filter on file extensions implemented:

FROM dbo.SoftwareFileName AS sfn WITH (NOLOCK)
WHERE RIGHT(RTRIM(sfn.Name), 4) IN ('.exe', '.sys', 'sys2', 'wtag', 'ptag', '.lax', 'dtag', '.sig')

If you want to see the results in the FNMSCompliance database, you would need to adapt the reader, too.

 

ChrisG
Community Manager Community Manager
Community Manager

There's some great discussion on this thread. Thanks everybody! A number of the ideas discussed are now covered in the following post which has just gone out: Finding installations of Apache Log4j (or other) files on computers with FlexNet Manager Suite.

(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)