Log4J Detection by FlexNet Inventory Agent

I understand and appreciate that Flexera is looking into any possible vulnerabilities in its own products from the recent Log4J issue. However, we are getting requests from our Flexera customers to provide data on which devices in their environments this vulnerability could be present on.

I see that there are 36 entries in the current ARL for products containing "log4j" in the product name (associated with various publishers, mostly Red Hat, Oracle, and Apache). Does anyone have an idea if this is a complete list? i.e., will a report of all installed Log4J products give us a complete and accurate listing?

In checking some customers' FlexeraOne environments, I do see some Unrecognized File Evidence containing "log4j" in the title. Is Flexera working to map this evidence to applications?

AustinG (Community Manager)
Hi @WStephans, Flexera is actively assessing any potential exposure of our products to the Apache Log4j2 vulnerability CVE-2021-44228 that has recently been announced. See here for details. Updates will be provided as they are available. 
Cheers,
AustinG

Hi @AustinG thanks for the reply. I understand Flexera is assessing the exposure to Flexera's own products. My question is in regards to using FlexeraOne to detect Log4J in a customer's environment to support their own assessments and remediation efforts.

Personally, I think that the result of a full-file scan will not provide more information than, for example, a Windows search for "log4j*". Certainly many libraries can be recognized by their name, but there is also a considerable amount of components that are located directly in the *.jar file etc. Of course, the agent cannot read this information. I would recommend in this case that an appropriate tool is used for dedicated detection; this information is certainly already available to most IT admins. Best, Dennis
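Dennis's point that the agent cannot see what sits inside a *.jar is where a content check (rather than a file-name search) helps. The following Python is an added example, not code from any poster here or from Flexera: it walks a directory, opens every archive and every archive nested inside it, flags those containing the Log4j 2 core class, and reads the bundled version from the library's Maven pom.properties. The sample application jar it builds, and the name inventory-service.jar, are constructed for the demonstration.

```python
import io
import os
import zipfile
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # marks log4j-core
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def _version_from_props(data: bytes) -> str:
    """Pull 'version=...' out of a Maven pom.properties blob."""
    for line in data.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return "unknown"


def _scan_zip(zf: zipfile.ZipFile, label: str, findings: list) -> None:
    """Record a Log4j core in this archive, then recurse into nested archives (where it usually lives)."""
    names = set(zf.namelist())
    if JNDI_CLASS in names:
        ver = _version_from_props(zf.read(POM_PROPS)) if POM_PROPS in names else "unknown"
        findings.append((label, ver))
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_EXT):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                _scan_zip(inner, f"{label}!{name}", findings)


def scan_path(root: str) -> list:
    """Return [(archive[!nested], version)] for every archive under root with a Log4j 2 core."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(full) as zf:
                        _scan_zip(zf, full, findings)
                except zipfile.BadZipFile:  # also covers a corrupt nested entry
                    continue
    return findings


def build_sample_app(root: str) -> str:
    """Constructed sample: a jar with no 'log4j' in its name bundling log4j-core 2.14.1."""
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as zf:
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        zf.writestr(POM_PROPS, "version=2.14.1\n")
    app = os.path.join(root, "inventory-service.jar")
    with zipfile.ZipFile(app, "w") as zf:
        zf.writestr("lib/log4j-core-2.14.1.jar", core.getvalue())
    return app
```

Run scan_path over an application root and the nested label (outer.jar!lib/inner.jar) tells you which application carries the library, which is the mapping the inventory data alone does not give.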

ChrisG (Community Manager)

I see that there are 36 entries in the current ARL for products containing "log4j" in the product name (associated with various publishers, mostly Red Hat, Oracle, and Apache). Does anyone have an idea if this is a complete list? i.e., will a report of all installed Log4J products give us a complete and accurate listing?

Looking at installations reported by Flexera One ITAM of applications with "log4j" in their name will give some insight into where standalone installations of Log4j exist. But that is probably only a partially interesting question to be asking. The more interesting (but much harder) question is which applications across the thousands of applications that are installed in your environment use Log4j as an internal component. These applications won't identify themselves as using Log4j. I expect your major vendors will be busily working to assess and publish information about products that use this library, and that may be exposed to the CVE-2021-44228 vulnerability.


In checking some customers' FlexeraOne environments, I do see some Unrecognized File Evidence containing "log4j" in the title. Is Flexera working to map this evidence to applications?


I am aware of some work going on to review and map installer evidence that references "log4j" where appropriate. In relation to file evidence, in general I wouldn't expect that files with "log4j" in their name would be very useful for identifying particular installed applications. Files with these names are used across many, many thousands of applications, and so are not unique enough to identify installations of particular applications.

On a partially related note, there is an interesting discussion going on in the following thread with some ideas about how .jar file details may be gathered and reported on by directly querying data from the inventory database for organizations who are using FlexNet Manager Suite On Premises and the FlexNet inventory agent to gather inventory: Log4j vulnerability - info on how to scan and question about how to determine version on results. However, unfortunately, this approach is not applicable to Flexera One ITAM.

ChrisG (Community Manager)

While it is focused on FlexNet Manager Suite On Premises rather than Flexera One ITAM, the following post is somewhat related to this discussion: Finding installations of Apache Log4j (or other) files on computers with FlexNet Manager Suite.


Thanks @ChrisG ! This is very helpful detail. I was looking at it more from a SAM perspective but it makes sense that Log4J is a component of applications, so it may not show as a standalone application in most cases. I'll read up on the links you shared.