
Flexera’s response to Apache Log4j vulnerabilities CVE-2021-4104, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44228

dosborn
Level 4 Flexeran

Summary

A critical vulnerability in Apache Log4j 2, potentially allowing remote code execution through JNDI lookups performed on attacker-controlled log message content, has been publicly disclosed. It affects all versions from 2.0-beta9 to 2.14.1 (excluding the later 2.3.1, 2.12.2 and 2.12.3 security releases) and has been assigned the identifier CVE-2021-44228.

Flexera is expanding its product impact assessment and mitigation information to also cover CVE-2021-4104, CVE-2021-45046 and CVE-2021-45105. CVE-2021-4104 affects the JMSAppender in the older Log4j 1.2 line; CVE-2021-45046 and CVE-2021-45105 affect Log4j 2 versions up to and including 2.15.0 and 2.16.0 respectively, that is, the releases that fixed the earlier issues. These CVEs were published with lower severity ratings than the primary CVE-2021-44228 vulnerability, although CVE-2021-45046 was later re-rated as critical by Apache once it was shown to allow remote code execution in some non-default configurations.

This article provides currently available information about the potential impact of these vulnerabilities on Flexera products.

For information about how Flexera's solutions can help with identifying potential exposures to log4j in other software, see the following post: Identifying Apache Log4j JNDI Vulnerability “Log4Shell” and Variants

This is an ongoing assessment. Updates will be made to this advisory as further information becomes available.

Flexera product assessment

Product | Potential exposure to CVE-2021-44228 | Potential exposure to CVE-2021-45046 & CVE-2021-45105 | Potential exposure to CVE-2021-4104 | Potentially exposed components or versions | Fixed version | Mitigation
AdminStudio * | No | No | No | N/A | N/A | N/A
App Portal / App Broker | No | No | No | N/A | N/A | N/A
Cloud Management Platform | No | No | Yes | Current | Pending | Pending
CloudScape / Foundation | No | No | Yes | All prior to SAAS-2021-12-29 | SAAS-2021-12-29 | Mitigation
Columbus | No | No | No | N/A | N/A | N/A
Data Platform | No | No | Yes | User Console (all versions) | 5.5.48 (partial, see Mitigation) | Mitigation
FlexNet Manager Suite On Premises | Yes | Yes | Yes | Flexera Analytics (Cognos), all versions | Patch | Patch; Mitigation
FlexNet Manager Suite On Premises | No | No | No | All other components | N/A | N/A
FlexNet Manager for Engineering Applications | Yes | Yes | Yes | Flexera Analytics (Cognos), all versions | Pending | Mitigation
FlexNet Manager for Engineering Applications | No | No | Yes | Other components | Pending | Mitigation
Flexera One: Cloud Cost Optimization (Optima) | No | No | Yes | Current | Pending | Pending
Flexera One: IT Asset Management | No | No | No | N/A | N/A | N/A
Flexera One: IT Visibility | No | Under assessment | Yes | Current | Pending | Pending
Flexera One: SaaS Management | No | No | No | N/A | N/A | N/A
Software Vulnerability Manager Cloud ** | No | No | No | N/A | N/A | N/A
Software Vulnerability Manager On Premises | No | No | No | N/A | N/A | N/A
Software Vulnerability Research ** | No | No | No | N/A | N/A | N/A
Spider | Yes | Yes | Yes | Enterprise Service Infrastructure (ESI) for OneSearch functionality | Pending | Hotfix; Mitigation
Spider | No | No | No | All other components | N/A | N/A
Technopedia | No | No | No | N/A | N/A | N/A
Workflow Manager | No | No | No | N/A | N/A | N/A

Key: "N/A" in the last three columns means the row has no known potential exposure, so those columns do not apply. "Current" indicates the currently deployed (SaaS) version. Entries such as "Patch", "Hotfix" and "Mitigation" are links in the original page to the relevant Flexera knowledge base articles; the link targets are not reproduced here.


The information on this page reflects:

  • The assessed current status of Flexera's SaaS systems.
  • The assessed status of all versions of Flexera's products that are still supported (that is, they have not yet reached their End of Life). Product lifecycle dates can be found at https://docs.flexera.com/eol/default.htm.

* In an earlier revision of this page, AdminStudio 2018 was identified as potentially exposed due to the possibility that an edition of InstallShield that shipped with CodeInsight (which does include Log4j) was used. Further assessment has confirmed AdminStudio did not include this edition.

** In an earlier revision of this page, SVM Cloud and SVR were identified as potentially exposed. The products themselves were not affected; the exposure was in an internal tool used for logging, which has since been updated.

Use of Log4j in Flexera's products

Versions of Apache Log4j components that are not vulnerable to CVE-2021-44228 are used in a number of Flexera's products and associated third-party products. Apache has identified that the vulnerability applies specifically to the log4j-core JAR file, versions 2.0-beta9 through 2.14.1 (excluding the 2.3.1, 2.12.2 and 2.12.3 security releases).

See the following page for details: https://logging.apache.org/log4j/2.x/security.html.

Other log4j components (such as the log4j-api-2.* JAR file) in this version range have not been identified as vulnerable.
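The distinction above (log4j-core versus log4j-api, and Log4j 1.x versus 2.x) is easy to get wrong when an inventory goes by file name alone, as several of the questions in the comments show: a log4j-api-2.11.1.jar is not exposed, a kettle-log4j-core-*.jar is not Apache's log4j-core, and a log4j-core JAR that has been renamed or re-bundled inside another product is still exposed. The following is an added example, not Flexera's code or tooling: it classifies JARs by the classes they actually contain and maps the detected version to the four CVEs using the ranges published on the Apache security page. It assumes the Maven pom.properties that the official Apache Log4j artefacts ship with is present inside the JAR; the sample JARs it checks are constructed in memory and are not real binaries.

```python
"""Classify JARs by the Log4j classes they contain (not by file name) and map
the version to the CVEs in this advisory. Added example for this page, not
Flexera's tooling; assumes the Maven pom.properties shipped inside official
Apache Log4j JARs is present. Sample JARs below are constructed in memory."""
import io
import re
import zipfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Optional

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"
CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
V1_POM = "META-INF/maven/log4j/log4j/pom.properties"
CORE_CLS = "org/apache/logging/log4j/core/Logger.class"  # only used for samples

@dataclass
class Finding:
    path: str
    version: Optional[str]
    cves: List[str] = field(default_factory=list)
    note: str = ""

def _ver(s: str):
    """'2.0-beta9' -> (2, 0, 0, 1, 9); '2.14.1' -> (2, 14, 1, 3, 0); pre-releases sort first."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?", s)
    if not m:
        return None
    rank = {"alpha": 0, "beta": 1, "rc": 2}.get(m[4], 3)
    return (int(m[1]), int(m[2]), int(m[3] or 0), rank, int(m[5] or 0))

def log4j2_cves(version: str) -> List[str]:
    """Affected Log4j 2 ranges as published on the Apache security page."""
    v = _ver(version)
    if v is None:
        return ["unparseable-version"]
    if version in ("2.3.1", "2.12.3"):  # fixed legacy branches
        return []
    cves = []
    if _ver("2.0-beta9") <= v <= _ver("2.14.1") and version != "2.12.2":
        cves.append("CVE-2021-44228")
    if _ver("2.0-beta9") <= v <= _ver("2.15.0") and version != "2.12.2":
        cves.append("CVE-2021-45046")
    if _ver("2.0-alpha1") <= v <= _ver("2.16.0"):
        cves.append("CVE-2021-45105")
    return cves

def inspect_jar(path: str, data: bytes) -> Finding:
    """Decide what a JAR contains from its entries, ignoring the file name."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        for pom in (CORE_POM, V1_POM):
            if pom in names:
                for line in zf.read(pom).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
    f = Finding(path, version)
    if any(n.startswith("org/apache/logging/log4j/core/") for n in names):
        has_jndi = JNDI_LOOKUP in names
        if version is not None:
            f.cves = log4j2_cves(version)
        elif has_jndi:  # version unknown but lookup present: treat as exposed
            f.cves = ["CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"]
        if not has_jndi:
            # Deleting JndiLookup.class neutralises the JNDI CVEs but not
            # CVE-2021-45105, which sits in the context lookup / pattern layout.
            f.cves = [c for c in f.cves if c == "CVE-2021-45105"]
        f.note = "log4j-core, JndiLookup.class " + ("present" if has_jndi else "removed")
    elif any(n.startswith("org/apache/logging/log4j/") for n in names):
        f.note = "log4j-api classes only; not affected by these CVEs"
    elif any(n.startswith("org/apache/log4j/") for n in names):
        if JMS_APPENDER in names:
            f.cves = ["CVE-2021-4104"]
        f.note = "Log4j 1.x; CVE-2021-4104 needs a configured JMSAppender"
    else:
        f.note = "no Log4j classes"
    return f

def scan_tree(root: Path) -> List[Finding]:
    """Inspect every .jar below root, including renamed or re-bundled ones."""
    return [inspect_jar(str(p), p.read_bytes()) for p in root.rglob("*.jar")]

def _fake_jar(entries: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

SAMPLES = {  # constructed stand-ins with empty class entries, not real bytecode
    "log4j-core-2.14.1.jar": _fake_jar({CORE_POM: b"version=2.14.1\n", CORE_CLS: b"", JNDI_LOOKUP: b""}),
    "log4j-core-2.7-jndi-removed.jar": _fake_jar({CORE_POM: b"version=2.7\n", CORE_CLS: b""}),
    "renamed-vendor-lib.jar": _fake_jar({CORE_CLS: b"", JNDI_LOOKUP: b""}),
    "log4j-api-2.11.1.jar": _fake_jar({"org/apache/logging/log4j/Logger.class": b""}),
    "log4j-1.2.17.jar": _fake_jar({V1_POM: b"version=1.2.17\n", JMS_APPENDER: b""}),
}

def classify_samples() -> Dict[str, List[str]]:
    """File name -> CVE list for the constructed samples."""
    return {n: inspect_jar(n, d).cves for n, d in SAMPLES.items()}
```

Run `scan_tree(Path(r"C:\Program Files\ibm\cognos"))` (or any install root) to get one Finding per JAR. Deleting JndiLookup.class from a log4j-core JAR, as one commenter did for the Cognos log4j-core-2.7.jar, is accounted for: it removes CVE-2021-44228 and CVE-2021-45046 from the result but leaves CVE-2021-45105, which was only fixed in 2.17.0 (and 2.12.3 and 2.3.1). CVE-2021-4104 on Log4j 1.2 is reported whenever JMSAppender.class is present; it is only reachable when a JMSAppender is actually configured, so treat that result as a prompt to check the logging configuration rather than as a confirmed exposure.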

Related information

Change log

2021-12-12 6:05pm CST: Initial advisory.

2021-12-13 6:45pm CST: Update with current assessment details for Flexera products.

2021-12-13 7:30pm CST: Update potential exposure status of Software Vulnerability Manager Cloud and Software Vulnerability Research after remediation activity performed by Flexera.

2021-12-13 11:35pm CST: Update potential exposure status of CloudScape / Foundation after remediation activity performed by Flexera.

2021-12-14 2:10am CST: Add initial comments about mitigation approach for Spider.

2021-12-14 4:50am CST: Add assessments for Cloud Management Platform and individual Flexera One products. 

2021-12-14 7:50am CST: Note AdminStudio 2019 as no longer considered potentially exposed.

2021-12-14 4:45pm CST: Note Flexera Analytics (Cognos) as potentially exposed. Add notes on product versions that have been assessed. Add link to mitigation guidance for Spider.

2021-12-14 7:41pm CST:  Columbus assessment has been updated to not potentially exposed.

2021-12-15 7:05am CST: Note AdminStudio 2018 is no longer considered potentially exposed.

2021-12-15 9:33am CST: Add links to mitigation details for Flexera Analytics (Cognos) for FlexNet Manager Suite On Premises and FlexNet Manager for Engineering Applications.

2021-12-15 11:40pm CST: Update list of affected Log4j 2 versions based on latest information published by Apache. Add notes about the use of Log4j in Flexera's products.

2021-12-15 11:50pm CST: Updated status of Flexera One IT Visibility to show as not potentially exposed.

2021-12-16 1:15am CST: Updated status of Flexera One SaaS Manager to not potentially exposed after remediation activity performed by Flexera.

2021-12-17 11:11 am CST: Updated to include CVE-2021-4104 and CVE-2021-45046.

2021-12-17 12:17 am CST: Updated assessment details on CVE-2021-4104 and CVE-2021-45046.

2021-12-20 11:44 pm CST: Added link to Spider mitigation details.

2021-12-23 11:26 pm CST:  Added CVE-2021-45105. Split CVE-2021-4104 into its own column. Updated statuses of products.

2021-12-29 5:42 pm CST: Add details of potentially exposed and fixed versions of Data Platform. Updated status of Technopedia to show as not potentially exposed to CVE-2021-4104. Update description of affected Log4j 2 versions based on latest information published by Apache.

2021-12-30 1:06 pm CST: Add link to Data Platform mitigation article.

2021-12-30 10:20pm CST: Clarify that components in FlexNet Manager for Engineering Applications apart from Cognos may be vulnerable to CVE-2021-4104.

2022-01-06 10:51pm CST: Clarify that other Spider components apart from ESI are not known to be exposed, and show a fix for the Spider ESI component as "pending" as consideration is given to whether a fix may be feasible.

2022-01-10 1:42pm CST: Updated Cloud Cost Optimization (Optima) potential exposure to CVE-2021-45046 and CVE-2021-45105 to "No".

2022-01-13 9:19pm CST: Updated SaaS Management potential exposure to CVE-2021-45046 and CVE-2021-45105 to "No".

2022-01-14 1:43pm CST:  Updated Data Platform's Potential Exposure to CVE-2021-4104 status to "Under investigation"

2022-01-18 10:18pm CST: Updated IT Asset Management potential exposure to CVE-2021-45046 and CVE-2021-45105 to "No".

2022-01-28 5:00am CST: Added link to article about mitigating Log4j 1.2 vulnerability for FlexNet Manager for Engineering Applications.

2022-02-01 10:58pm CST: Updated Data Platform's Potential Exposure to CVE-2021-4104 status to "Yes", Potentially Exposed Components or Versions to "User Console (all versions)", Fixed Version to "5.5.48 (Partial. See "Mitigation"), and added link to the mitigation article under Mitigation

2022-02-21 4:30am CST: Add fix version and link to mitigation details for potential vulnerability exposure in CloudScape / Foundation.

85 Comments
mfranz
Level 16 Champion

Any products that can be ruled out yet? I would assume FNMS is not impacted as log4net is used.

raghuvaran_ram
Level 6

I only see log4j application evidence under Installations and not under File. Even though I know there is a file placed in the folder, it's not picked up by FNMS. Is there any other way I can extract a report?

 

Note: I have validated my selection under Discovery & Inventory settings and I have chosen the option "collect file evidence for all folders", and we are using FNMS 2021 R1 on-prem.

Shoggi
Level 5

Can we get a statement on what SVM supports or does not support in products and detection rules, please?

ChrisG
Community Manager

@mfranz - keep watching this post for updates as they become available.

@raghuvaran_ram and @Shoggi - your questions are good, and could trigger some interesting discussion. I would suggest you post your queries under the FlexNet Manager and Software Vulnerability Management forums respectively, to connect there with users and experts in the Flexera products you're working with who may be able to share some ideas and insight.

didiercottereau
Level 4

Hello,

I saw that Tomcat doesn't upload the log4j module.

So we need to have Tomcat in the searches, but we don't have the Log4j version.

Is it specific to us?

Thank you for your help 

jholcomb
Level 3

Has anyone heard any response from Flexera?

dennis_reinhardt

Our own first investigations have shown the following:

 

But let's wait for some feedback from Flexera

ChrisG
Community Manager

@dennis_reinhardt - the products you've noted above are now listed with a potential exposure of "no" in the table included in the recently updated current status in this post. I believe the specific log4j versions used in these products as released by Flexera are not subject to the CVE-2021-44228 vulnerability.

jefflaing
Level 4

I don't see the FlexNet Operations Portal listed?  Does that fall under some other product these days?

(I realise that its an end-of-life product, but it's still being used)

ChrisG
Community Manager

This post has been updated: The potential exposure status of Software Vulnerability Manager Cloud and Software Vulnerability Research has been set to "no" after remediation activity performed by Flexera.

ChrisG
Community Manager

@jefflaing - for information about potential exposure in Revenera products like FlexNet Operations, please see the following post: Revenera’s response to Apache Log4j 2 remote code execution vulnerability CVE-2021-44228

(This post covers Flexera products only.)

jefflaing
Level 4

@ChrisG Yes, the penny finally dropped that there are two pages here, both listing "FlexNet" products.

When we purchased FNO, it was definitely from Flexera which is why I expected to see it listed here, not there.

junaid_vengadan
Level 7

Team, 

 

Any updates from IBM on Cognos? It is using Log4j 2, right?

Regards,

junaid vengadan 

ChrisG
Community Manager

@junaid_vengadan - I've done some searching for updates published by IBM about this vulnerability. Some comments have been published here, but I haven't found any direct statements specifically about Cognos. If anybody sees something concrete being posted by IBM then please post a comment here.

With that said, installations of Cognos that I have seen appear to use a version of log4j 1.x. Only log4j versions 2.0-beta9 through 2.14.1 are noted as being vulnerable to CVE-2021-44228.

ChrisG
Community Manager

Another update to the status noted in this post has been made: The potential exposure status of CloudScape / Foundation has been set to "no" after remediation activity performed by Flexera.

mfranz
Level 16 Champion

Could you please add a key? What does "N/A" mean in this context and how does it differ from an empty field or "No"?

ChrisG
Community Manager

@mfranz - if a product has no known potential exposure (i.e. "No" appears in the "Potential Exposure to CVE-2021-44228" column) then the other columns are not applicable or relevant to that row so are shown with "N/A".

MartinK
Level 3

We are using Spider and now I see that it is affected. Your mitigation says:

"Deactivate OneSearch and uninstall Enterprise Service Infrastructure"

Can you tell me please how I do it? Thanks in advance.

 

And what does "uninstall Enterprise Service Infrastructure" mean, does it have side effects?

akuntze
Level 3

@ChrisG We found log4j*.jar files with version 2.7 in the IBM Cognos folders of Flexera Analytics and deleted the JndiLookup.class. It seems like this does not have an impact on Flexera Analytics - at least we do not see any functional impact yet.

ChrisG
Community Manager

Thanks for the comments @MartinK and @akuntze. I'll pass these on to the appropriate Flexera teams for their attention.

@akuntze - could you confirm what version of Flexera Analytics you are working with?

akuntze
Level 3

@ChrisG we have IBM Cognos 11.0.13 in place.

ChrisG
Community Manager

For awareness - further updates have been made to this post:

  • Add initial comments about mitigation approach for Spider.
  • Add assessments for Cloud Management Platform and individual Flexera One products.
Dstracner
Level 3

FYI - I did a *log4j*  Windows Explorer search of all of my FNMS & Data Platform servers.  All returned responses of "log4j-1.2.17.jar" and appear to be OK.  There was one result (only one file) of "log4j-api-2.11.1.jar" on my DP User Console.  All other files were V1.2.17.  Can you please comment on this appearance of one file?

romanmensch
Level 5

Hi @ChrisG 

We also have Flexera Analytics (IBM Cognos) installed, version IBM Cognos 11.0.13,

with these files:

C:\Program Files\ibm\cognos\analytics\bin\ThirdPartyCertificateTool.jar
C:\Program Files\ibm\cognos\analytics\wlp\usr\servers\cognosserver\workarea\org.eclipse.osgi\117\0\.cp\log4j-core-2.7.jar
C:\Program Files\ibm\cognos\analytics\wlp\usr\servers\dataset-service\workarea\org.eclipse.osgi\106\0\.cp\log4j-core-2.7.jar

What should we do?

Thanks for Feedback.

Greetings

Roman

Ronny_OO7
Level 8 Champion

Hi Chris,

For how long back, or until what product versions, did Flexera check this? I can imagine that some customers are still using older versions of Flexera products. Perhaps a column can be added?

Regards

Ronald

ChrisG
Community Manager

A further update has been published to the information on this page:

caipingcba
Level 3

Is it possible to use FNMS to find out where the log4j files located across the organization? 

ChrisG
Community Manager

@Dstracner - I think the following note on the page  https://logging.apache.org/log4j/2.x/security.html may answer your question about the log4j-api-2.11.1.jar file:

"Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability."

I read that as indicating a log4j-core-2.x.jar file may be a concern, but the log4j-api-2.11.jar file you're wondering about isn't a worry for CVE-2021-44228. I don't expect you should see a "log4j-core-2.x.jar" file on your Data Platform install.

ChrisG
Community Manager

@caipingcba - see the following post for some ideas about using FlexNet Manager Suite On Premises to find files: Finding installations of Apache Log4j (or other) files on computers with FlexNet Manager Suite

junaid_vengadan
Level 7

@ChrisG thanks for confirming the status for Flexera Analytics.

Can we have an official communication (maybe an article) on the exposure as well as the mitigation plan, SOPs, best practices etc.?

 

Regards,

Junaid Vengadan

ChrisG
Community Manager

@junaid_vengadan - Flexera teams are assessing what options may be available for on premises deployments of the Cognos components in Flexera Analytics.

At this time, as far as I've been able to find, there has not been much information from IBM about how to mitigate the risk in Cognos, beyond what is published at https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/. I don't have a timeline for when Flexera may be able to publish any mitigation suggestions, sorry, but keep watching this thread for updates.

Narayanan
Level 2

CVE-2021-44228 - I don't see the vulnerability ID updated within the Technopedia Data Platform. Catalog sync is updated (last sync: 15-Dec-21). Also, how do we query log4j entries using the Data Platform User Console?

bibek9891
Level 3

@ChrisG Is Flexera Analytics the only product that has been affected, or have other modules from the FNMS on-premises suite also been affected?

prasad_phansalka

@ChrisG - Regarding the FNMS analytics module - if the Cognos analytics plugin is not activated on the on-premises FNMS instance, then we are not impacted by the Log4j vulnerability. Is this understanding correct? Or do we still need to apply remediation when it is available? Please advise.

 

AustinG
Community Manager

For awareness - further updates have been made to this post:

  • Added mitigation for Cognos for FlexNet Manager Suite On Premises and FlexNet Manager for Engineering Applications.
ChrisG
Community Manager

@bibek9891 - yes, Flexera Analytics (Cognos) is the only component in FlexNet Manager Suite On Premises that has been identified at this point as potentially exposed. If anything changes in that status (such as a confirmation being received that the potential for exposure is not actually a concern, or other components are identified as being potentially exposed) then that will be called out with an update to this page.

@prasad_phansalka - yes, if the Flexera Analytics (Cognos) component is not installed then you are not subject to the potential exposure in that component. Uninstalling Cognos is listed as one mitigation option in the mitigation article that is now linked from this article.

prasad_phansalka

@ChrisG - Thanks for the response. One more question- Is FNMS beacon server component  impacted due to Log4J vulnerability?

ChrisG
Community Manager

@prasad_phansalka - no exposure to the CVE-2021-44228 vulnerability has been identified in the FlexNet Manager Suite beacon component.

prasad_phansalka

@ChrisG - Thanks for quick response, appreciate it.

ChrisG
Community Manager

For people's awareness, another update to this page has been posted:

  • Update list of affected Log4j 2 versions based on latest information published by Apache.
  • Add notes about the use of Log4j in Flexera's products.
  • Update status of Flexera One IT Visibility (not potentially exposed).
ChrisG
Community Manager

And one more change to this page has been posted:

  • Updated SaaS Manager - changed to Not Potentially exposed after remediation activity performed by Flexera.
bill_irvine
Level 3

@ChrisG where can we find info re FlexNet Agent (which contains log4j-1.2.17.jar) ?

Are there any mitigations to be taken or is this version unaffected?

ChrisG
Community Manager

@bill_irvine - I would guess that the FlexNet Agent that you are referring to there is a component in the FlexNet Manager for Engineering Applications (aka FNMEA) product which is listed in the table in this article. The only known potential exposure in FNMEA is in the Flexera Analytics (Cognos) component; the FNMEA agent component has been assessed as not vulnerable to CVE-2021-44228.

Based on the number in the .jar filename you're seeing, it sounds to me like this file is related to Log4j version 1.2.17. That version of Log4j is not affected by CVE-2021-44228.

vtanana
Level 3

Data Platform on the list is a NO, but our Tanium scans have found the below core JARs on the UC server. kettle-log4j-core-8.3.0.0-371.jar shows up in the below directories; are these impacted?

BDNA\User Console\Solution\system\cda\lib
  kettle-log4j-core-8.3.0.0-371.jar

BDNA\User Console\Tools\Tomcat\webapps\bdna\WEB-INF\lib
  kettle-log4j-core-8.3.0.0-371.jar

Resnofendri
Level 7 Flexeran

@vtanana,

Pentaho's "kettle" plugin version 8.3.x is using log4j version 1.2, which is not impacted by this CVE. Please refer to this article (search for "Pentaho"; you will see it is stated as "Not vuln"). This article from Pentaho also reiterates this.

In any case, our Data Platform team is currently working on an updated release utilizing log4j-core v2.16 and log4j-api v2.16 regardless. We’re making our best efforts to include this update in the next Data Platform patch release (December).

Resnofendri
Level 7 Flexeran

@Narayanan

Technopedia has been updated with this CVE. If you go to the User Console and search for any of the impacted versions of log4j, you can see the Security content pack showing this CVE.

See, for example, the couple of screenshots below:


derrick_fields
Level 3

So within Data Platform, will I be able to create a report that shows software manufacturers/software names that have self-identified as having log4j 2.x and thus needs some kind of patch?  Our security group is looking for some kind of report that can be generated to show what is installed in our environment that would need to be patched.  

Resnofendri
Level 7 Flexeran

@derrick_fields,

When the manufacturers have self-identified as having been impacted by CVE, providing that information has been published on NVD's website for this CVE, you can expect to see any installations of these impacted software releases to be shown when you create a security report on User Console (e.g. Analyzer Report using Normalize: Software Security cube).

Data Platform, however, will not be able to detect any and all software applications that have log4j 2.x embedded. This is a function of the discovery tool (i.e., if and only if the discovery tool is able to detect the installation and bring it into normalization pipeline in Data Platform, then we can map them to Technopedia and attach all the associated CVE's).

belinda_last
Level 2

Any ETA on when the patch will be ready?

 

belinda_last
Level 2

And any advice on what I can do while I wait for the patch?

Incident, Problem and Service Level Manager Melbourne, Australia