I understand that Flexera SVM currently only scans .exe, .dll, and a few other file types, which unfortunately does not allow it to detect log4j, and the recommendation is to follow advice from vendors of each software package. Unfortunately, not every vendor is providing advice yet, and even if they were, most environments have unexpected software on devices. Any way to help identify log4j in our environments is welcome. Does Flexera have any plans to issue a new version of the agent to help us identify log4j files on our devices?
Thanks.
Dec 13, 2021 06:07 PM
Flexera product management posted an official article for SVM customers. Please have a look.
https://community.flexera.com/t5/Software-Vulnerability/Identifying-Apache-Log4j-JNDI-Vulnerability-Log4Shell-CVE-2021/ba-p/217157
Dec 14, 2021 03:28 AM
SVM scans for these file types in order to detect installed software using file signatures; this is how we can definitively identify the presence of known vulnerable software. SVM does not scan systems for vulnerable files, or dig into files, but focuses on identifying the presence of vulnerable versions of software.
Our Code Insight solution can scan actual files and code to create a bill of materials that would include Log4j. Where applicable, related Secunia Advisories are offered to identify vulnerable components. However, it is outside the scope of SVM to perform such scans and there are no current plans to extend the product in this direction.
If you would like to propose such an enhancement for consideration, please submit it via our Ideas portal.
Dec 14, 2021 12:56 PM
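The reply above draws the line between signature-based detection of installed software (what SVM does) and looking inside archives for Log4j components (what it does not do). The following is an added example, not Flexera's code and not part of the thread: a small inventory script that walks a directory tree, opens every .jar/.war/.ear/.zip, recurses into archives nested inside them (such as WEB-INF/lib inside a WAR), and reports each Log4j artefact with the version recorded in its Maven pom.properties. The sample tree it scans is constructed in a temporary directory, and the version threshold is a parameter the reader takes from the relevant vendor advisory; the 2.15.0 default is only an illustrative value.

```python
"""Inventory Log4j jars on a filesystem by looking inside archives.

Added example (not Flexera's code). Walks a directory tree, opens every
.jar/.war/.ear/.zip, recurses into nested archives, and reports each
log4j-* artefact with the version from its Maven pom.properties.
"""
import io
import os
import re
import tempfile
import zipfile
from typing import Iterator, List, Tuple

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Maven metadata path that Apache Logging ships inside its released jars.
POM_RE = re.compile(
    r"^META-INF/maven/org\.apache\.logging\.log4j/(log4j-[a-z0-9-]+)/pom\.properties$"
)


def _parse_version(props: bytes) -> str:
    """Pull the version= line out of a pom.properties file."""
    for line in props.decode("utf-8", errors="replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return "unknown"


def _scan_archive(data: bytes, label: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (location, artefact, version) for every Log4j artefact in an
    archive, recursing into archives nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container; nothing to inspect
    with zf:
        for name in zf.namelist():
            m = POM_RE.match(name)
            if m:
                yield (label, m.group(1), _parse_version(zf.read(name)))
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                # Nested archive (e.g. WEB-INF/lib/x.jar inside a WAR).
                yield from _scan_archive(zf.read(name), f"{label}!{name}")


def find_log4j(root: str) -> List[Tuple[str, str, str]]:
    """Walk root and return sorted (location, artefact, version) tuples."""
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    hits.extend(_scan_archive(fh.read(), os.path.relpath(path, root)))
    return sorted(hits)


def older_than(version: str, threshold: str) -> bool:
    """Numeric-component comparison; pre-release labels such as 'beta' are
    ignored, so '2.0-beta9' compares as (2, 0, 9)."""
    as_tuple = lambda v: tuple(int(x) for x in re.findall(r"\d+", v))
    return as_tuple(version) < as_tuple(threshold)


def _make_jar(artefact: str, version: str) -> bytes:
    """Constructed sample jar carrying only the Maven metadata file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            f"META-INF/maven/org.apache.logging.log4j/{artefact}/pom.properties",
            f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId={artefact}\n",
        )
    return buf.getvalue()


def build_sample_tree(root: str) -> None:
    """Constructed sample data: a plain jar and a WAR with a nested jar."""
    os.makedirs(os.path.join(root, "app", "lib"))
    with open(os.path.join(root, "app", "lib", "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(_make_jar("log4j-core", "2.14.1"))
    with zipfile.ZipFile(os.path.join(root, "app", "site.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-api-2.17.0.jar", _make_jar("log4j-api", "2.17.0"))
        war.writestr("index.html", "<html></html>")


def demo(threshold: str = "2.15.0") -> List[Tuple[str, str, str, bool]]:
    """Scan the constructed tree; the flag marks log4j-core jars below the
    threshold the reader sets from the vendor advisory (2.15.0 is illustrative)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [
            (loc, art, ver, art == "log4j-core" and older_than(ver, threshold))
            for loc, art, ver in find_log4j(root)
        ]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Run it against a real root (replace the temporary tree with the directories that hold application servers and third-party software) and feed the output into the vendor-advice process the thread describes; the script only inventories what is present and where, it does not decide what is exploitable.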