[BESAdmin-Announcements] BigFix Compliance CVE-2021-44228 Log4j Vulnerability Remediation

Announcements for BES Administrators besadmin-announcements at bigmail.bigfix.com
Tue Dec 14 08:06:50 PST 2021


BigFix Compliance versions from 2.0.1 to 2.0.4 include a version of the Log4j library that has a vulnerability. Internal testing has so far found that this vulnerability is not exploitable in the BigFix Compliance product, but we still recommend immediate remediation of the library to be sure. Fixlets have been released to update the version of the library and to apply a mitigating configuration option. Both fixes can be applied, and applying both is recommended to ensure remediation. The library update will work for all affected versions of BigFix Compliance, while the configuration setting is valid only for 2.0.2 to 2.0.4.



An updated version of BigFix Compliance will be released in the future removing Log4j from the product.



Published Site: SCM Reporting, version 143



Actions to take:



If running BigFix Compliance versions 2.0.1 or later, please run the two new Fixlets in the SCM Reporting site to remediate and mitigate the vulnerability.



1008: CVE-2021-44228 Log4j - Disable Lookups for BigFix Compliance

1009: CVE-2021-44228 Log4j - Update log4j to 2.15.0 for BigFix Compliance



For more details about the actions that these Fixlets execute, please see KB https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0095486
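
One way to confirm that the library update took effect, as an added example that is not part of the announcement or of the Fixlets themselves: the script scans a directory tree for log4j-core jars and flags any below 2.15.0. The directory argument and the jar naming (`log4j-core-<version>.jar`, with the manifest's `Implementation-Version` preferred when readable) are assumptions; the page does not give the product's install path.

```python
import re
import sys
import zipfile
from pathlib import Path

FIXED = (2, 15, 0)  # version that Fixlet 1009 in the announcement updates log4j to
NAME_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)[^/]*\.jar$")  # assumed naming
MANIFEST_RE = re.compile(r"^Implementation-Version:\s*(\d+(?:\.\d+)*)", re.M)

def parse(version):
    """Turn '2.14.1' (or '2.15') into a comparable 3-tuple of ints."""
    parts = [int(p) for p in version.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def jar_version(path):
    """Prefer the manifest version (survives renames); fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            found = MANIFEST_RE.search(manifest)
            if found:
                return parse(found.group(1))
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # unreadable archive or no manifest: use the name instead
    found = NAME_RE.search(Path(path).name)
    return parse(found.group(1)) if found else None

def scan(root):
    """Return [(path, version, status)] for every log4j-core jar under root."""
    results = []
    for jar in sorted(Path(root).rglob("log4j-core*.jar")):
        ver = jar_version(jar)
        if ver is None:
            status = "unknown"        # inspect by hand
        elif ver < FIXED:
            status = "needs-update"   # library Fixlet not applied here
        else:
            status = "ok"
        results.append((str(jar), ver, status))
    return results

if __name__ == "__main__":
    # Usage: python check_log4j.py <directory to scan>
    findings = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, ver, status in findings:
        print(f"{status:12} {ver} {path}")
    sys.exit(1 if any(s != "ok" for _, _, s in findings) else 0)
```

The script exits non-zero when any jar is older than 2.15.0 or cannot be identified, so it can gate a follow-up check after the Fixlets run. It does not verify the lookup-disabling configuration from Fixlet 1008.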

