
Flexera’s response to Apache Log4j vulnerabilities CVE-2021-4104, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44228

dosborn
Level 4 Flexeran

Summary

A critical vulnerability potentially allowing remote code execution in Apache Log4j 2 impacting all versions from 2.0-beta9 to 2.14.1 has been publicly disclosed. The vulnerability has been assigned the identifier CVE-2021-44228.

Flexera is expanding its product impact assessment and mitigation information to also cover CVE-2021-4104, which affects the end-of-life Log4j 1.2 line, and CVE-2021-45046 and CVE-2021-45105, which affect Log4j 2 releases up to and including the 2.15.0 and 2.16.0 fix releases respectively. These CVEs have lower severities than the primary CVE-2021-44228 vulnerability.

This article provides currently available information about the potential impact of these vulnerabilities on Flexera products.

For information about how Flexera's solutions can help with identifying potential exposures to log4j in other software, see the following post: Identifying Apache Log4j JNDI Vulnerability “Log4Shell” and Variants

This is an ongoing assessment. Updates will be made to this advisory as further information becomes available.

Flexera product assessment

| Product | Potential Exposure to CVE-2021-44228 | Potential Exposure to CVE-2021-45046 & CVE-2021-45105 | Potential Exposure to CVE-2021-4104 | Potentially Exposed Components or Versions | Fixed Version | Mitigation |
| --- | --- | --- | --- | --- | --- | --- |
| AdminStudio * | No | No | No | No | N/A | N/A |
| App Portal / App Broker | No | No | No | N/A | N/A | N/A |
| Cloud Management Platform | No | No | Yes | Current | Pending | Pending |
| CloudScape / Foundation | No | No | Yes | All prior to SAAS-2021-12-29 | SAAS-2021-12-29 | Mitigation |
| Columbus | No | No | No | N/A | N/A | N/A |
| Data Platform | No | No | Yes | User Console (all versions) | 5.5.48 (partial; see Mitigation) | Mitigation |
| FlexNet Manager Suite On Premises | Yes | Yes | Yes | Flexera Analytics (Cognos), all versions | Patch | Patch / Mitigation |
| FlexNet Manager Suite On Premises | No | No | No | All other components | N/A | N/A |
| FlexNet Manager for Engineering Applications | Yes | Yes | Yes | Flexera Analytics (Cognos), all versions | Pending | Mitigation |
| FlexNet Manager for Engineering Applications | No | No | Yes | Other components | Pending | Mitigation |
| Flexera One: Cloud Cost Optimization (Optima) | No | No | Yes | Current | Pending | Pending |
| Flexera One: IT Asset Management | No | No | No | N/A | N/A | N/A |
| Flexera One: IT Visibility | No | Under assessment | Yes | Current | Pending | Pending |
| Flexera One: SaaS Management | No | No | No | N/A | N/A | N/A |
| Software Vulnerability Manager Cloud ** | No | No | No | N/A | N/A | N/A |
| Software Vulnerability Manager On Premises | No | No | No | N/A | N/A | N/A |
| Software Vulnerability Research ** | No | No | No | N/A | N/A | N/A |
| Spider | Yes | Yes | Yes | Enterprise Service Infrastructure (ESI) for OneSearch functionality | Pending | Hotfix / Mitigation |
| Spider | No | No | No | All other components | N/A | N/A |
| Technopedia | No | No | No | N/A | N/A | N/A |
| Workflow Manager | No | No | No | N/A | N/A | N/A |


The information on this page reflects:

  • The assessed current status of Flexera's SaaS systems.
  • The assessed status of all versions of Flexera's products that are still supported (that is, they have not yet reached their End of Life). Product lifecycle dates can be found at https://docs.flexera.com/eol/default.htm.

* In an earlier revision of this page, AdminStudio 2018 was identified as potentially exposed due to the possibility that an edition of InstallShield that shipped with CodeInsight (which does include Log4j) was used. Further assessment has confirmed AdminStudio did not include this edition.

** In an earlier revision of this page, SVM Cloud and SVR were identified as potentially exposed. The products themselves were not affected; the exposure was in an internal tool used for logging, which has since been updated.

Use of Log4j in Flexera's products

Versions of Apache Log4j components that are not vulnerable to CVE-2021-44228 are used in a number of Flexera's products and associated third-party products. Apache has identified that the vulnerability applies specifically to the log4j-core JAR file, versions 2.0-beta9 to 2.14.1.

See the following page for details: https://logging.apache.org/log4j/2.x/security.html.

Other Log4j components (such as the log4j-api-2.* JAR file) in this version range have not been identified as vulnerable: the JNDI lookup code (the JndiLookup class) lives in log4j-core, so a log4j-api JAR on its own does not carry the vulnerability.
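The distinction above (log4j-core versus log4j-api, and a log4j-core JAR whose JndiLookup class has been removed versus one that still carries it) is exactly what a filesystem scan needs to make before raising an alarm. The following Python script is an added example, not Flexera's or Apache's code: it walks a directory tree, identifies log4j-core, log4j-api and Log4j 1.x JARs by the entries they contain, reads the log4j-core version from its embedded pom.properties, and classifies it against CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 using the version ranges Apache has published (including the 2.3.1, 2.12.2 and 2.12.3 backports). A log4j-core JAR from which JndiLookup.class has been deleted is reported as no longer exposed to the two JNDI CVEs but still exposed to CVE-2021-45105, which that mitigation does not address; a Log4j 1.x JAR is flagged for CVE-2021-4104 only when it still contains JMSAppender, and only conditionally, since that CVE also requires the appender to be configured. The sample JARs it builds in a temporary directory are constructed stand-ins containing only the entries the scanner checks, not real Log4j builds, and nested JARs inside WAR/EAR archives are not unpacked.

```python
"""Added example (not Flexera's or Apache's code): find Log4j JARs under a directory,
tell log4j-core from log4j-api and Log4j 1.x, and classify each against the four CVEs."""
import os
import re
import tempfile
import zipfile

CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
API_MARKER = "org/apache/logging/log4j/LogManager.class"   # present in log4j-api 2.x
LOG4J1_MARKER = "org/apache/log4j/Logger.class"             # present in Log4j 1.x
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"     # the CVE-2021-4104 sink

def parse_version(text):
    """'2.0-beta9' -> (2, 0, 0, -2, 9); '2.14.1' -> (2, 14, 1, 0, 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", text)
    if not m:
        return None
    major, minor, patch, tag, tag_num = m.groups()
    rank = {"alpha": -3, "beta": -2, "rc": -1}.get(tag, 0)   # pre-releases sort first
    return (int(major), int(minor), int(patch or 0), rank, int(tag_num or 0))

def classify_core(version):
    """CVEs applying to a log4j-core 2.x JAR of this version (Apache's published ranges)."""
    v = parse_version(version)
    if v is None:
        return {"unparseable-version"}
    cves = set()
    # 2.3.1 (Java 6) and 2.12.3 (Java 7) backport all three fixes; 2.12.2 the first two.
    if v in {(2, 3, 1, 0, 0), (2, 12, 3, 0, 0)} or v >= (2, 17, 0, 0, 0):
        return cves
    cves.add("CVE-2021-45105")                 # recursive lookup DoS, fixed in 2.17.0
    if v < parse_version("2.0-beta9"):
        return cves                            # JNDI lookup only arrived in 2.0-beta9
    if v == (2, 12, 2, 0, 0) or v >= (2, 16, 0, 0, 0):
        return cves
    cves.add("CVE-2021-45046")                 # incomplete 2.15.0 fix, fixed in 2.16.0
    if v >= (2, 15, 0, 0, 0):
        return cves
    cves.add("CVE-2021-44228")                 # Log4Shell, 2.0-beta9 through 2.14.1
    return cves

def inspect_jar(path):
    """Finding dict for one JAR, or None if it is not a Log4j JAR."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if CORE_POM in names:
            props = zf.read(CORE_POM).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            version = m.group(1).strip() if m else "unknown"
            cves = classify_core(version)
            jndi_present = JNDI_LOOKUP in names
            if not jndi_present:
                # Apache's class-removal mitigation closes only the JNDI CVEs; 45105 stays.
                cves -= {"CVE-2021-44228", "CVE-2021-45046"}
            return {"kind": "log4j-core", "version": version,
                    "jndi_lookup_present": jndi_present, "cves": cves}
        if LOG4J1_MARKER in names:
            jms = JMS_APPENDER in names    # CVE-2021-4104 also needs it configured
            return {"kind": "log4j-1.x", "jms_appender_present": jms,
                    "cves": {"CVE-2021-4104 (only if JMSAppender is configured)"} if jms else set()}
        if API_MARKER in names:
            return {"kind": "log4j-api", "cves": set()}   # no JndiLookup in the api JAR
    return None

def scan(root):
    """Map each Log4j JAR under root (by file name) to its finding; WAR/EAR contents are not unpacked."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                result = inspect_jar(os.path.join(dirpath, name))
                if result is not None:
                    findings[name] = result
    return findings

def build_sample_jars(root):
    """Constructed stand-ins, not real Log4j builds: only the entries the scanner checks."""
    def jar(name, entries, core_version=None):
        with zipfile.ZipFile(os.path.join(root, name), "w") as zf:
            if core_version:
                zf.writestr(CORE_POM, "version=%s\n" % core_version)
            for entry in entries:
                zf.writestr(entry, b"")
    jar("log4j-core-2.14.1.jar", [JNDI_LOOKUP], "2.14.1")    # unpatched
    jar("log4j-core-2.7.jar", [], "2.7")                      # JndiLookup.class removed
    jar("log4j-core-2.17.1.jar", [JNDI_LOOKUP], "2.17.1")     # fixed release
    jar("log4j-api-2.14.1.jar", [API_MARKER])                 # api only
    jar("log4j-1.2.17.jar", [LOG4J1_MARKER, JMS_APPENDER])    # Log4j 1.x

def demo():
    """Build the sample JARs in a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_jars(root)
        return scan(root)
```

Calling `demo()` returns one finding per sample JAR; pointing `scan()` at a real install directory does the same for whatever it finds there. The JAR file name is deliberately not used for classification, because a log4j-core-2.7.jar with JndiLookup.class removed and an untouched one have the same name; reading the pom.properties and the entry list is what lets the scanner tell them apart, which is the gap that name-based scanners fall into.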

Related information

Change log

2021-12-12 6:05pm CST: Initial advisory.

2021-12-13 6:45pm CST: Update with current assessment details for Flexera products.

2021-12-13 7:30pm CST: Update potential exposure status of Software Vulnerability Manager Cloud and Software Vulnerability Research after remediation activity performed by Flexera.

2021-12-13 11:35pm CST: Update potential exposure status of CloudScape / Foundation after remediation activity performed by Flexera.

2021-12-14 2:10am CST: Add initial comments about mitigation approach for Spider.

2021-12-14 4:50am CST: Add assessments for Cloud Management Platform and individual Flexera One products. 

2021-12-14 7:50am CST: Note AdminStudio 2019 as no longer considered potentially exposed.

2021-12-14 4:45pm CST: Note Flexera Analytics (Cognos) as potentially exposed. Add notes on product versions that have been assessed. Add link to mitigation guidance for Spider.

2021-12-14 7:41pm CST:  Columbus assessment has been updated to not potentially exposed.

2021-12-15 7:05am CST: Note AdminStudio 2018 is no longer considered potentially exposed.

2021-12-15 9:33am CST: Add links to mitigation details for Flexera Analytics (Cognos) for FlexNet Manager Suite On Premises and FlexNet Manager for Engineering Applications.

2021-12-15 11:40pm CST: Update list of affected Log4j 2 versions based on latest information published by Apache. Add notes about the use of Log4j in Flexera's products.

2021-12-15 11:50pm CST: Updated status of Flexera One IT Visibility to show as not potentially exposed.

2021-12-16 1:15am CST: Updated status of Flexera One SaaS Manager to not potentially exposed after remediation activity performed by Flexera.

2021-12-17 11:11 am CST: Updated to include CVE-2021-4104 and CVE-2021-45046.

2021-12-17 12:17 am CST: Updated assessment details on CVE-2021-4104 and CVE-2021-45046.

2021-12-20 11:44 pm CST: Added link to Spider mitigation details.

2021-12-23 11:26 pm CST:  Added CVE-2021-45105. Split CVE-2021-4104 into its own column. Updated statuses of products.

2021-12-29 5:42 pm CST: Add details of potentially exposed and fixed versions of Data Platform. Updated status of Technopedia to show as not potentially exposed to CVE-2021-4104. Update description of affected Log4j 2 versions based on latest information published by Apache.

2021-12-30 1:06 pm CST: Add link to Data Platform mitigation article.

2021-12-30 10:20pm CST: Clarify that components in FlexNet Manager for Engineering Applications apart from Cognos may be vulnerable to CVE-2021-4104.

2022-01-06 10:51pm CST: Clarify that other Spider components apart from ESI are not known to be exposed, and show a fix for the Spider ESI component as "pending" as consideration is given to whether a fix may be feasible.

2022-01-10 1:42pm CST: Updated Cloud Cost Optimization (Optima) status for Potential Exposure to CVE-2021-45046 and CVE-2021-45105 to "No".

2022-01-13 9:19pm CST: Updated SaaS Management status for Potential Exposure to CVE-2021-45046 and CVE-2021-45105 to "No".

2022-01-14 1:43pm CST:  Updated Data Platform's Potential Exposure to CVE-2021-4104 status to "Under investigation"

2022-01-18 10:18pm CST: Updated IT Asset Management's Potential Exposure to CVE-2021-45046, CVE-2021-45105 status to "No".

2022-01-28 5:00am CST: Added link to article about mitigating Log4j 1.2 vulnerability for FlexNet Manager for Engineering Applications.

2022-02-01 10:58pm CST: Updated Data Platform's Potential Exposure to CVE-2021-4104 status to "Yes", Potentially Exposed Components or Versions to "User Console (all versions)", Fixed Version to "5.5.48 (partial; see Mitigation)", and added a link to the mitigation article under Mitigation.

2022-02-21 4:30am CST: Add fix version and link to mitigation details for potential vulnerability exposure in CloudScape / Foundation.

85 Comments
ChrisG
Community Manager

@belinda_last - please see the links in the "Mitigation" column of the table for the Flexera product(s) that you are working with in the main table contained in this article for guidance on mitigation recommendations that can be performed now.

onazlie
Level 4

@ChrisG, as per the latest update from our company's security team, it has been determined that log4j 1.x is vulnerable to CVE-2021-4104.

Quoted below:

"Log4j 1.x does not use JNDI lookups by default. However, if a JMSAppender is configured in the Log4j properties (e.g. log4j.xml or log4j.properties), this would positively confirm the application is vulnerable to CVE-2021-4104. It is recommended to upgrade to the latest supported Log4j version if the current version is 1.x, even if JMSAppender is not configured."

Log4j 1.x is found in FNMEA Agent installation, I am aware that you have replied to Bill on 16 Dec that FNMEA agent is not affected by CVE-2021-44228, however as per the update, it is now affected by CVE-2021-4104. 

My question is, what is Flexera's stand on this? Any mitigation suggested for the FNMEA Agent?

ChrisG
Community Manager

@onazlie - the technical teams are still assessing whether the existence of the Log4j 1.x files in the FNMEA agent installation results in a potential exposure to CVE-2021-4104. At this point this is listed as "Under assessment" in the table in this article, and we'll get it updated as further insights from the ongoing assessment come through.

bharath_malli
Level 3

@Resnofendri: As mentioned in your earlier comment on December 16th, the Flexera product team is trying to upgrade Data Platform to use version 2.16, and this will be implemented in the next patch.

Can you let us know if the new patch is now available, please?

lkwinchester
Level 2

Do we have an ETA on a patch for Data Platform and Technopedia for Potential Exposure to CVE-2021-4104?  My security department is riding me pretty hard about this. 

ChrisG
Community Manager

An update has been published to this article to:

  • Add details of potentially exposed and fixed versions of Data Platform.
  • Updated status of Technopedia to show as not potentially exposed to CVE-2021-4104.
  • Update description of affected Log4j 2 versions based on latest information published by Apache.

CC @bharath_malli and @lkwinchester

bill_irvine
Level 3

Where is FNMEA Agent listed in this table?

We are using FNMEA 2020 and Agent version 5.6.0, which contains log4j-1.2.17. It's not clear what the position is on this version.

ChrisG
Community Manager

@bill_irvine - good question. The current assessment status is that FNMEA components (including the FNMEA Agent) apart from Cognos used in Flexera Analytics may be vulnerable to CVE-2021-4104, but there is no known exposure in those components to the primary critical CVE-2021-44228 vulnerability.

We've updated the table in this article to hopefully make this clearer.

dglass
Flexera Alumni

Hi Team - 

Do we have an update on when Potential Exposure to CVE-2021-45046, CVE-2021-45105 will have a disposition instead of "under assessment"? Any insight would be greatly appreciated. This is for Flexera One ITAM. Just looking for ETA times.

Ronny_OO7
Level 8 Champion

Hi Chris/Flexera

According to : https://www.ibm.com/support/pages/node/6526474

There is a patch available:

IBM Cognos Analytics 11.0.6 to 11.0.13 FP4

Can Flexera make this patch available? You need an IBM account with a support contract in order to download it.

 

Thanks and Regards

Ronald

ChrisG
Community Manager

@Ronny_OO7 - the Cognos patch from IBM that you've noted is for a standalone install of Cognos, but doesn't directly work with Flexera Analytics. Flexera are working with IBM to explore what may be needed to get a Cognos patch that will work in Flexera Analytics. In the meantime, the guidance in the mitigation article remains current and effective.

Ronny_OO7
Level 8 Champion

HI ChrisG, 

Thanks, that's what I was afraid of.

The only issue now is that customers receive the choice to either remove Cognos or install the patch. Since the patch will break FNMS Cognos, the only alternative is to remove Cognos for the time being or shut the server down.

Is there an expected timeline for the fix to be compatible with FNMS?

 

Regards

Ronald

ChrisG
Community Manager

@Ronny_OO7 - there is no option to install a patch for Cognos in Flexera Analytics at this point. No timeline is available for when a patched version of Cognos that works with Flexera Analytics without requiring the described mitigation steps will be available.

However instead of removing Cognos altogether, the guidance in the mitigation article provides another alternative which will allow Cognos to continue to be used: remove just the vulnerable JndiLookup class from the log4j-core-2.7.jar file. This class is not used in a normal configuration of Cognos with Flexera Analytics, so removing it will not normally cause anything to break. Anecdotally, I believe this is the approach that most organizations are taking as it typically has no impact (instead of removing Cognos which has a significant impact).

chirag_sharma2
Level 7

Hi @ChrisG 

I am waiting to see the results for Flexera One - IT Asset Management. However, I am a little confused: are agents running on machines considered on-premises?

If yes, which agent version is vulnerable ? & what are the recommendations? 

Ronny_OO7
Level 8 Champion

Thanks Chris, this is also how I understood it. The only issue is that customers are scanning for the log4j-core-2.7.jar file, so although the vulnerable file is no longer present, alarms are still being triggered. Secondly, customers have a policy to install the patch, so removing the file on its own is not sufficient for some customers.

I am getting the impression that there is no pressure on the Flexera side to come up with a fix because there is an alternative. Unfortunately, not all companies like the alternative and they still expect a fix from Flexera.

ChrisG
Community Manager

@chirag_sharma2 - the FlexNet inventory agent component is part of both Flexera One IT Asset Management and FlexNet Manager Suite On-premises. That particular component does not use Java, and is not potentially exposed to any of the Log4j vulnerabilities described on this page.

chirag_sharma2
Level 7

Thanks @ChrisG for confirming and sharing that knowledge, but I am also trying to understand why it says "Flexera One - IT Asset Management - Under assessment" for Potential Exposure to CVE-2021-45046, CVE-2021-45105.

cdubs76
Level 6

@ChrisG - We are running FNMEA 2019 R1, and our FNMEA servers are starting to show up on the Nessus Security scans for a file in the <path>\webapps\flexnet\web-inf folder called "log4j-1.2.17.jar"

I know the article says "pending" on FNMEA... but tools are starting to flag. Just still in a holding pattern waiting for a "fix"? I think v1 is not going to be patched, only v2... do the newer versions of FNMEA use v2?

Shoggi
Level 5

@ChrisG, @cdubs76, I think the issue for all of us is that log4j 1.x has been EOL since 2015. That does not help either when arguing that 1.x is always secure.

@logging.apache.org/log4j/1.2/

ChrisG
Community Manager

Assessment of potential exposure in Flexera One SaaS Management to CVE-2021-45046, CVE-2021-45105 has now been completed, and status updated on this page to show that there are no known potential exposures.

ChrisG
Community Manager

The assessment of Flexera One ITAM for potential exposure to CVE-2021-45046 and CVE-2021-45105 has been completed, and the status has been consequently updated on this page to "No".

vtanana
Level 3

The target version of LOG4J by our security team is 2.17.1.   Is Flexera migrating to this version?

bharath_malli
Level 3

@ChrisG: I am aware that Data Platform is impacted and also that Flexera issued a patch on December 27, 2021:

https://community.flexera.com/t5/Data-Platform-Release-Blog/Data-Platform-5-5-48-Release-December-2021/ba-p/219150

 

Can you update the above table accordingly, please 

ChrisG
Community Manager

@chirag_sharma2 - apologies for the delayed response to your query from last week about why Flexera One IT Asset Management was listed as "Under Assessment" for some of the vulnerabilities. This is because the activities to scan and assess the code and systems involved in that product were still underway at that point in time. This activity has now been completed, and as per my most recent comment there has been no potential exposure found.

ChrisG
Community Manager

@vtanana - Flexera is taking an approach of upgrading Log4j components in many instances. This is combined with other strategies (which are commonly being applied by many other organizations too), such as applying other mitigations recommended by Apache and our software suppliers, reviewing and testing firewall configurations, and removing log4j components. The specific approaches taken to mitigate each potential vulnerability that is identified are determined on a case-by-case basis.

ChrisG
Community Manager

@bharath_malli - I've been checking for the latest info on the status of Data Platform for you, and will confirm.

ChrisG
Community Manager

This post has been updated to add a link to the following article: FlexNet Manager for Engineering Applications mitigation for Apache Log4j 1.2 vulnerability CVE-2021-4104.

ChrisG
Community Manager

@bharath_malli - information about the potential exposure of Data Platform has now been updated based on latest analysis, and a link to the mitigation article added back to the table in this article.

ChrisG
Community Manager

This article has been updated with a fix version and link to mitigation details for potential vulnerability exposure in CloudScape / Foundation.

Ronny_OO7
Level 8 Champion

Hello Chris,

The fix for FNMS was expected to be delivered last week. Do you know what the latest status is? Regards

Ronald

ChrisG
Community Manager

@Ronny_OO7 - as per the table in this post the core FlexNet Manager Suite components are not known to be exposed to log4j vulnerabilities, and I'm not aware of any fix that is being planned.

If you're looking for Flexera Analytics/IBM Cognos information, the table in this article contains a link to the following post with some information: Patching the IBM Cognos Server to Mitigate Apache Log4j Security Vulnerabilities.

daniel_rueegg
Level 2

The search feature was very much appreciated by our users.

Any idea when a fix will be provided to bring back the search functionality? 

Thanks

jborchers
Moderator

@daniel_rueegg - For Spider we are planning to replace the OneSearch capability, that was very much appreciated by many customers, with the next Spider Feature release. This is planned for end of Q2 2022. 

TeriStevenson
Level 8

My cyber security team is taking a hard stance for log4j 2.17.0 and stating it needs to be updated by May 2022 to version 2.17.1 even if the products are not affected.  They are also taking a hard stance on the old log4j version 1.2 being used in Data Platform even though Pentaho states there is no exposure.  What are the plans to update these versions?

Resnofendri
Level 7 Flexeran

@TeriStevenson,

I responded to a similar question that you posted on Data Platform blog. Please take a look and let us know if you have any further questions.

Incident, Problem and Service Level Manager Melbourne, Australia