I understand and appreciate that Flexera is looking into any possible vulnerabilities in its own products from the recent Log4J issue. However, we are getting requests from our Flexera customers to provide data on what devices this vulnerability could be present in their environments.
I see that there are 36 entries in the current ARL for products containing "log4j" in the product name (associated w/ various publishers, mostly Red Hat, Oracle, and Apache). Does anyone have an idea if this is a complete list? i.e., will a report of all installed Log4J products give us a complete and accurate listing?
In checking some customers' FlexeraOne environments, I do see some Unrecognized File Evidence containing "log4j" in the title. Is Flexera working to map this evidence to applications?
Dec 13, 2021 07:47 AM
Dec 13, 2021 09:16 AM
Hi @AustinG thanks for the reply. I understand Flexera is assessing the exposure to Flexera's own products. My question is in regards to using FlexeraOne to detect Log4J in a customer's environment to support their own assessments and remediation efforts.
Dec 13, 2021 09:30 AM
Personally, I think that the result of a full-file scan will not provide more information than, for example, a Windows search for "log4j*". Certainly many libraries can be recognized by their name, but there is also a considerable amount of components that are located directly in the *.jar file etc. Of course, the agent cannot read this information. I would recommend in this case that an appropriate tool is used for dedicated detection; this information is certainly already available to most IT admins. Best, Dennis
Dec 13, 2021 01:49 PM
I see that there are 36 entries in the current ARL for products containing "log4j" in the product name (associated w/ various publishers, mostly Red Hat, Oracle, and Apache). Does anyone have an idea if this is a complete list? i.e., will a report of all installed Log4J products give us a complete and accurate listing?
Looking at installations reported by Flexera One ITAM of applications with "log4j" in their name will give some insight into where standalone installations of Log4j exist. But that is probably only a partially interesting question to be asking. The more interesting (but much harder) question is which applications across the thousands of applications that are installed in your environment use Log4j as an internal component. These applications won't identify themselves as using Log4j. I expect your major vendors will be busily working to assess and publish information about products that use this library, and that may be exposed to the CVE-2021-44228 vulnerability.
In checking some customers' FlexeraOne environments, I do see some Unrecognized File Evidence containing "log4j" in the title. Is Flexera working to map this evidence to applications?
I am aware of some work going on to review and map installer evidence that references "log4j" where appropriate. In relation to file evidence, in general I wouldn't expect that files with "log4j" in their name would be very useful for identifying particular installed applications - files with these names are used across many, many thousands of applications, and so are not unique enough to identify installations of particular applications.
On a partially related note, there is an interesting discussion going on in the following thread with some ideas about how .jar file details may be gathered and reported on by directly querying data from the inventory database for organizations who are using FlexNet Manager Suite On Premises and the FlexNet inventory agent to gather inventory: Log4j vulnerability - info on how to scan and question about how to determine version on results. However, unfortunately, this approach is not applicable to Flexera One ITAM.
Dec 14, 2021 06:01 AM
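To illustrate Dennis's point about components living inside *.jar files and Chris's point about Log4j as an internal component of other applications, here is an added example (not Flexera's or any poster's code) of the kind of dedicated check a name-only search cannot do: it opens each archive in memory, recurses into nested archives (a jar shaded inside a war), and reports the log4j-core version from the Maven metadata bundled in the jar. The class and pom.properties paths follow the layout of log4j-core jars; the sample archives in demo() are constructed for the example.

```python
import io
import os
import tempfile
import zipfile

# JndiLookup marks a log4j-core build in scope for CVE-2021-44228; the version is read
# from the Maven pom.properties that log4j-core bundles inside its jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def inspect_archive(data, label):
    """Yield (label, version) for each log4j-core in the archive bytes, descending
    into nested archives from memory rather than relying on file names."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container, nothing to inspect
    with zf:
        names = set(zf.namelist())
        if JNDI_CLASS in names:
            props = zf.read(POM_PROPS).decode().splitlines() if POM_PROPS in names else []
            version = dict(l.split("=", 1) for l in props if "=" in l).get("version", "unknown")
            yield (label, version.strip())
        for name in names:
            if name.lower().endswith(ARCHIVES):
                yield from inspect_archive(zf.read(name), f"{label}!{name}")

def scan_tree(root):
    findings = []  # sorted (path, version) tuples; '!' separates nesting levels
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVES):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), path))
    return sorted(findings)

def demo():
    """Constructed sample: app.war shading log4j-core 2.14.1, plus a harmless log4j-helper.jar."""
    root = tempfile.mkdtemp()
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
        zf.writestr(POM_PROPS, "version=2.14.1\n")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as zf:
        zf.writestr("lib/log4j-core.jar", inner.getvalue())
    with zipfile.ZipFile(os.path.join(root, "log4j-helper.jar"), "w") as zf:
        zf.writestr("com/example/Helper.class", b"\xca\xfe\xba\xbe")
    return scan_tree(root)
```

Note that the war is reported even though "log4j" appears nowhere in its file name, while the helper jar that a name search would flag is correctly ignored.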
While it is focused on FlexNet Manager Suite On Premises rather than Flexera One ITAM, the following post is somewhat related to this discussion: Finding installations of Apache Log4j (or other) files on computers with FlexNet Manager Suite.
Dec 14, 2021 10:47 PM
Thanks @ChrisG ! This is very helpful detail. I was looking at it more from a SAM perspective but it makes sense that Log4J is a component of applications, so it may not show as a standalone application in most cases. I'll read up on the links you shared.
Dec 15, 2021 10:20 AM