SVM December Update for Log4j Detection

kmantagi
Level 7 Flexeran

Knowing which vulnerable software is present in your environment, and being able to patch it to a secure version, has become extremely critical since the recent Apache Log4j vulnerability was disclosed. We understand this importance and have been working on this global issue from the moment of its disclosure to design a solution in SVM that makes you aware of the presence of this extremely critical vulnerability in your environment. Today's release of SVM enhances the host agent and the scanning logic to detect log4j files.

The SVM Single Host Agent (v7.6.0.19) can now detect log4j jar files installed on a host machine. The scan type must be set to either 2 or 3 for the agent to detect log4j jar files. SVM identifies the version of each detected log4j file and categorizes it as Secure, Insecure or EOL, to make you aware of vulnerable log4j versions in your environment. Note that only the log4j-core*.jar files are found to be vulnerable, so SVM detects only these files during the scan.

The log4j component may have been installed as part of any software on a machine; however, when it is detected, SVM associates it with the product Apache Log4j in the Scan Result view for a host. You will need to manually review the path of the log4j file in the scan results to identify the actual product that installed the file on the host. You must then follow up with the vendor of that product to either get a patched version or follow the vendor's recommendation for fixing this vulnerable file in the product.
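To cross-check scan results against a host's file system, the following added example (not Flexera's agent code, and not part of the original post) lists every log4j-core*.jar under a directory with its version and path, so the path can be traced back to the owning product. It assumes the version is taken from the jar manifest's Implementation-Version header with the file name as a fallback; the function names and the sample tree are hypothetical.

```python
import fnmatch, os, re, tempfile, zipfile

VERSION_IN_NAME = re.compile(r"-(\d+(?:\.\d+)+[\w.-]*)\.jar$", re.IGNORECASE)

def jar_version(path):
    """Version from the jar manifest, else from the file name, else None."""
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            key, _, value = line.partition(":")
            if key.strip().lower() == "implementation-version":
                return value.strip()
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # unreadable jar or no manifest: fall back to the file name
    match = VERSION_IN_NAME.search(os.path.basename(path))
    return match.group(1) if match else None

def find_log4j_core(root):
    """Sorted (path, version) pairs for every log4j-core*.jar under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if fnmatch.fnmatch(name.lower(), "log4j-core*.jar"):
                full = os.path.join(dirpath, name)
                hits.append((full, jar_version(full)))
    return sorted(hits, key=lambda hit: hit[0])

def build_sample_tree(root):
    """Constructed sample input: jars as three made-up products might ship them."""
    def jar(rel, manifest=None, raw=None):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        if raw is not None:  # deliberately not a valid zip archive
            with open(path, "wb") as fh:
                fh.write(raw)
            return
        with zipfile.ZipFile(path, "w") as z:
            if manifest:
                z.writestr("META-INF/MANIFEST.MF", manifest)
    jar("vendor-a/lib/log4j-core-2.14.1.jar", "Implementation-Version: 2.14.1\n")
    jar("vendor-b/lib/log4j-core.jar", "Implementation-Version: 2.17.1\n")
    jar("vendor-c/lib/log4j-core-2.3.jar", raw=b"truncated download")
    jar("vendor-c/lib/log4j-api-2.3.jar", "Implementation-Version: 2.3\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, version in find_log4j_core(tmp):
            print(f"{version or 'unknown':10} {os.path.relpath(path, tmp)}")
```

The sketch does not look inside nested archives (for example a log4j-core jar bundled within a WAR or fat jar), so a clean result here does not rule out embedded copies.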


Secunia Advisories have been authored for these vulnerabilities to give you insight into them, with details on the impacted versions of log4j.


You can use Smart Groups to configure a new smart group that lists all the log4j versions installed across the hosts in your environment, to help you prioritize and focus on these products/hosts immediately. Under the Product Smart Groups, use the criteria shown in the screenshots below to get the list of log4j versions in your environment:

[Screenshots: Product Smart Group criteria, followed by the Smart Group results]

At this point, our goal was to give you a quick solution for detecting vulnerable log4j files in your environment for your immediate attention. We will continue monitoring updates on this vulnerability and add enhancements to this solution as and when applicable.

For the status of impacted Flexera products, please see this announcement.

11 Comments
rboden
Level 3

Thank you for this information. I run SVM on prem, CSIA version 7.6.1.11 and I see neither the advisories nor any log4j detections. What is the SVM Host Agent? Is that the same as the corporate software inspection agent we deploy? If so, why is the version you mention less than what I already have? What do I need to do in order to gain this valuable visibility into my env?

Thank you.

kmantagi
Level 7 Flexeran

Hello rboden,

The number after the second decimal point in the version number represents whether the agent belongs to SVM cloud or on-prem. 0 represents SVM cloud agent and 1 represents SVM on-prem agent. The new version agent (v7.6.0.19) released today is for SVM cloud. An updated version of the agent for SVM on-prem with log4j detection capability will be released very soon.

Thanks  

rboden
Level 3

Very nice.  Thank you.

rboden
Level 3

I applied the December 2021 R4 update last week and I now have visibility into log4j 1.x and 2.x.  Thank you.

 

kmantagi
Level 7 Flexeran

Good to know, thanks for the update @rboden.

Howardmp
Level 3

Hello,

We have agent 7.6.0.3 with SVM cloud - should we be able to see log4j advisories and detections?

Many thanks

Shoggi
Level 5

@Howardmp 

Hi, you need the 7.6.0.19 client for it to enable the log4j scans. The cloud update is done but the agent needs an update to turn it on.

Lukas 

Howardmp
Level 3

Hello Lucas,

Thanks for confirming, now getting agents updates.

Another question which I'd be grateful for advice on.

If I go to All Advisories and search for SA105360 / SA105605 nothing is displayed. Will the advisories only be displayed if relevant products are found in scans or is there something else I need to do?

 

Many thanks

Shoggi
Level 5

@Howardmp 

Evening, advisory and products in the cloud instance will update on 7.6.0.19 agents scanning and finding a log4j install, with 1.x as EOL and 2.17.x or lower as secure or insecure.

 

cheers

lukas 

Howardmp
Level 3

Hello Shoggi,

Thanks for confirming. Will this work the same for Red Hat Linux and Mac agents?

Best regards

Shoggi
Level 5

@Howardmp 

We only deploy the new agent to all Redhat this Friday. The 7.6.0.18 was already able to find log4j1.2. We will only see if more comes in after 7.6.0.19 has gone out.

Mac, we do not really use, and only in limited scope.

 

Lukas
