By now, you’ve probably learned of Apache Log4j 2. As reported across the web, there is the recently disclosed CVE-2021-44228 vulnerability in Apache Log4j 2 (widely referred to as Log4Shell) affecting organizations far and wide. This is a critical vulnerability in Apache Log4j 2, impacting versions from 2.0-beta9 to 2.14.1.
And now you’ve likely been asking, “Where is this vulnerability within my own IT ecosystem, and how do I mitigate it if necessary?”
Flexera is helping work through the issue with our customers by ensuring immediate visibility of the impact of this and other vulnerabilities within their IT estate.
Flexera Responds to Log4j
Flexera offers many products that can play an important role in helping to identify where you may be susceptible to software vulnerabilities such as the most recent disclosures around Log4j.
As outlined in more detail here, our products can play a role in:
- Being immediately aware of valuable vulnerability and threat intelligence regarding any disclosures affecting the software titles and vendors that you care about with our Software Vulnerability Research solution
- Identifying where vulnerable software products exist, the details to prioritize them and the patches to remediate them with our Software Vulnerability Manager (SVM) solution
- Finding where components like Log4j exist within deployment packages with our AdminStudio solution
- Identifying where impacted products and/or releases exist in your environment with the help of our IT Visibility, Asset Management, FlexNet Manager Suite, and Data Platform solutions
Keeping up with the vulnerability disclosures that affect your environment is a constant, ongoing challenge. Significant events, the likes of which triggered by by Log4j’s vulnerabilities, underscore the need to have a good handle on your assets day to day so as not to be caught scrambling.
Log4j serves as a healthy reminder for many organizations to review and improve their existing processes. The case of Log4j introduces an additional challenge as it is distributed as a component of many software titles versus always being present as its own installed software title.
Agile approach allows Flexera to adapt
Flexera too, took the opportunity to exercise the benefits of its agile approach to software development by rapidly identifying and executing on ways to help identify Log4j.
SVM quickly released an update to provide an awareness report of where Log4j may be present on endpoints. While the solution’s primary use case is to identify, prioritize and patch vulnerable software titles we recognized a need to help identify cases where the component may exist as a part of other titles that may not yet have disclosed a vulnerability or offered a patch. For details regarding this update and the capabilities delivered, click here.
AdminStudio also plays a role in helping identify potential problems with application compatibility by digging into setup files. Beyond identifying and repairing potential deployment issues, it also provides some helpful reports such as highlighting what packages contain or depend upon Java (as well as if such versions are EOL). This can help customers focus their functional acceptance testing on impacted software titles when updating Java. AdminStudio’s Windows Risk Assessment tests were enhanced to identify log4j jar files within scanned packages. For details regarding this update and the capabilities delivered, click here.
Continued support for Log4j and other vulnerabilities
As always, we will continue to identify areas of opportunity to improve and enhance our solutions to meet our customers needs. We’d value your direct participation by submitting product enhancement requests and voting on those submitted by others in our Ideas portal.
Software Vulnerability Management
The way to beat software vulnerabilities is to stay ahead of them. Addressing windows of risk is critical for reducing the odds of attacks and staying secure.
Our Secunia Research team is always at work to identify, validate, score and document vulnerabilities that demand your attention, and in this case, published a public article to help understand the Log4j vulnerability impact. As a software company itself, Flexera also quickly offered a page to identify the impact of this vulnerability on Flexera products.
Critical vulnerabilities affect organizations across the globe and span industries. As businesses build more effective vulnerability assessment and remediation processes and programs, it’s important that communication continue to expand within and around IT functions, like IT asset management, information security and security operations, as well as others who have their eyes, ears and hands on the tools to manage these breaches.
For more details and updates, see our Flexera Community.