Channel: Flexera Blog

Apache Log4j 2, Flexera and you


By now, you’ve probably learned of Apache Log4j 2. As reported across the web, the recently disclosed CVE-2021-44228 vulnerability in Apache Log4j 2 (widely referred to as Log4Shell) is affecting organizations far and wide. This is a critical vulnerability in Apache Log4j 2, impacting versions from 2.0-beta9 to 2.14.1.

And now you’ve likely been asking, “Where is this vulnerability within my own IT ecosystem, and how do I mitigate it if necessary?”

Flexera is helping customers work through the issue by ensuring immediate visibility of the impact of this and other vulnerabilities within their IT estate.

Log4j 2 from the vulnerability perspective

Alerts can be generated within Flexera vulnerability solutions based on configured watch lists and notifications settings to show:

  • An up-to-date Secunia Advisory (SA105630) and further Secunia Advisories which contain detailed information on the vulnerability, including the solutions/patches and available CPEs
  • The CVE associated with the vulnerability as published by a trusted source (for example, the vendor Apache or MITRE)
  • Threat intelligence information associated with the vulnerability
  • Patches you can publish to remediate this vulnerability for covered products as they are released by their respective vendors

Log4j 2 from the asset inventory perspective

For a more directional assessment, affected products can be detected via IT asset inventory. A definitive vulnerability status can be achieved with version granularity, but this is application-specific. To find this vulnerability in internal applications, please see Revenera’s blog on Software Composition Analysis.

  • Impacted software product versions being detected within inventory.
    • We will continue to actively work to obtain more vulnerable product versions in order to create file signatures
  • All impacted Apache Log4j products and/or releases are captured in Technopedia.
  • Any existing discovered data (a.k.a., evidence) that maps to the impacted products and/or release are recognized. Note that any bespoke evidence may need to go through a gap-fill process.
  • With InfoSec Content Pack:
    • Impacted products will be identified with any CPEs associated with the impacted products and/or releases linked
    • Up-to-date Secunia Advisory information linked to the available CPEs is provided
    • CVE references associated with the vulnerabilities; the publication is dependent upon review/approval by the National Vulnerability Database (NVD)
    • Threat intelligence associated with the advisory (as provided by Flexera’s Secunia Research)
  • With Lifecycle and Support Content Pack:
    • Lifecycle dates (EOL and/or obsolete dates) for Apache Log4j releases which can help you determine supported versions and the upgrade path(s)
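As an added worked example (not part of this post or of any Flexera product), the version-granular check described above, applied to a small constructed inventory extract: each row is flagged only when its evidence is a Log4j 2 release inside the range the advisory states (2.0-beta9 through 2.14.1), with pre-release tags ordered correctly ahead of the final release.

```python
"""Version-granular triage of Log4j 2 inventory evidence (illustrative, assumptions noted)."""
import re

# Affected range as stated in the advisory text: 2.0-beta9 through 2.14.1, inclusive.
AFFECTED_LOW = "2.0-beta9"
AFFECTED_HIGH = "2.14.1"

# Pre-release ordering used by Log4j 2 (beta < rc < final); assumption: no other tags appear.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3

def version_key(version: str):
    """Turn '2.0-beta9' or '2.14.1' into a sortable tuple.

    Numeric parts are padded so that '2.0' equals '2.0.0'; a pre-release tag sorts
    below the final release of the same number, so 2.0-rc2 < 2.0 < 2.0.1.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(alpha|beta|rc)(\d*))?", version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    pre = (_PRE_RANK[m.group(2)], int(m.group(3) or 0)) if m.group(2) else (_FINAL_RANK, 0)
    return tuple(nums), pre

def is_affected(version: str) -> bool:
    """True when the version lies within [2.0-beta9, 2.14.1] inclusive."""
    return version_key(AFFECTED_LOW) <= version_key(version) <= version_key(AFFECTED_HIGH)

def triage(inventory):
    """Return (host, version) for every Log4j row whose version is in the affected range.

    Rows for other products are ignored; a Log4j 1.x row is simply outside the range.
    """
    return [(host, ver) for host, product, ver in inventory
            if "log4j" in product.lower() and is_affected(ver)]

# Constructed sample rows (host, product, version); not real inventory data.
SAMPLE_INVENTORY = [
    ("app-01", "Apache Log4j", "2.14.1"),
    ("app-02", "Apache Log4j", "2.15.0"),
    ("app-03", "Apache Log4j", "2.0-beta9"),
    ("app-04", "Apache Log4j", "2.0-beta8"),
    ("app-05", "Apache Log4j", "1.2.17"),
    ("app-06", "Apache Log4j", "2.0"),
    ("app-07", "Apache Tomcat", "9.0.55"),
]

if __name__ == "__main__":
    for host, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: Log4j {ver} is within the stated affected range")
```

Rows outside the range are reported only as outside that range, not as remediated; the advisory and vendor patch status still decide the final disposition.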

Critical vulnerabilities affect organizations across the globe and span industries. As businesses build more effective vulnerability assessment and remediation processes and programs, it’s important that communication continues to expand within and around IT functions such as IT asset management, information security and security operations, as well as others who have their eyes, ears and hands on the tools used to manage these breaches.

For more details and updates, see our Flexera Community.
