
Flexera SVM expansion to include detection of log4j

I understand that Flexera SVM currently only scans .exe, .dll, and a few other file types, which unfortunately does not allow it to detect log4j, and the recommendation is to follow advice from vendors of each software package. Unfortunately, not every vendor is providing advice yet, and even if they were, most environments have unexpected software on devices. Any ways to help identify log4j in our environments are welcome. Does Flexera have any plans to issue a new version of the agent to help us identify log4j files on our devices?

Thanks.

(2) Replies
raslam
Level 7 Flexeran

Flexera product management posted an official article for SVM customers. Please have a look. 

https://community.flexera.com/t5/Software-Vulnerability/Identifying-Apache-Log4j-JNDI-Vulnerability-Log4Shell-CVE-2021/ba-p/217157

 

 

bkelly
Flexera Alumni

SVM scans for these file types in order to detect installed software using file signatures-- this is how we can definitively identify the presence of known vulnerable software. SVM does not scan systems for vulnerable files, or dig into files, but focuses on identifying the presence of vulnerable versions of software.

Our Code Insight solution can scan actual files and code to create a bill of materials that would include Log4j. Where applicable, related Secunia Advisories are offered to identify vulnerable components. However, it is outside the scope of SVM to perform such scans and there are no current plans to extend the product in this direction.

If you would like to propose such an enhancement for consideration, please submit it via our Ideas portal.