Assessment of potential exposure in Flexera One SaaS Management to CVE-2021-45046, CVE-2021-45105 has now been completed, and status updated on this page to show that there are no known potential exposures. ... View more

@Howardmp  We only deploy all Redhat this Friday the new agent. The 7.6.0.18 was able to find already log4j1.2. We will only see if more comes in after 7.6.0.19 went out. Mac, we not really use and only limited scope.   Lukas ... View more

If you don’t see anything, it is because no products with known vulnerabilities are found. You can expect new disclosures on a daily basis, so keep watching. Shoggi is correct in his statement above. I just wanted to point out that it is not the intent of SVM to scan jar files—it not a product deficiency but rather, is out of scope. SVM focuses exclusively on assessing known vulnerable software versions. It uses file signatures to determine the presence of known vulnerable software versions and matches that with research and patches to help you identify and remediate such. So, if Log4j is installed on a system, we will detect it, but that is not typically how Log4j is distributed—rather it is included as a component of another third-party application. In such a case, it will be identified as vulnerable if/when the software including it is disclosed as vulnerable, we write an advisory and create a file signature to detect it. That said, we are prioritizing a potential product enhancement that would allow SVM to provide an awareness report to identify specific components like Log4j embedded within your installed software. This would be a new use case for SVM as it would help provide awareness, but you would not be able to remediate it by patching as SVM is traditionally leveraged. This is due to the fact that the product bundling the component is what needs to be patched, so this would be a new reporting-focused use case versus a patch-focused one. Actually patching a vulnerable component will continue to require targeting the application that is shipping the component, versus the component itself. ... View more

Lucas,  The SVM only scans DLL, exe, and ocx files and cant scan and report on .jar files. At this point, we strongly recommend you contact the official product vendor and follow the vendor's official remediation process.  From the SVM perspective, we have issued a couple of advisories covering  CVE-2021-44228.  For example  SA105668 Debian update for apache-log4j2 SA105493 VMware Multiple Products Apache log4j JNDI Arbitrary Code Execution Vulnerability SA105503 Cisco Multiple Products Apache log4j JNDI Arbitrary Code Execution Vulnerability SA105528 Debian update for apache-log4j2 SA105630 Apache log4j JNDI Arbitrary Code Execution Vulnerability ... View more

It is not publicly available yet but is  scheduled to be in just a couple of weeks (in October), however, if you'd like to meet sooner, I'd be happy to show it off and get your feedback.  ... View more

Sorry for any confusion, as a back end data update, this change took place for the Threat Intelligence module for both SVR and SVM simultaneously. We happened to time it with the release of an SVR update but, as I tried to highlight in the title of this announcement, it affects both SVM and SVR.  ... View more

Great to see that you listen to customer voice 🙂 Thanks for approving the enhancement. ... View more

Hi, I have tried it.  Just it might help customers with more then one account in the cloud.   Just the solution we've asked is still not possible. I can filter now by dedicated host smart group + product smart group.   But then you end up with either Get products or get hosts csv files. We wanted to see all devices within Host Smart Group e. g. Win10 devices only and show then the unsecure software for this host smart group of the product smart group.   This is still not possible.   Regards Lukas ... View more