Lesen Sie den Gartner Magic Quadrant 2021 für SAM Managed Services. Hier die Ergebnisse

Log4j Remediation Steps for ILMT and BigFix Inventory Vulnerability

Software Prices

IBM sent out a notification warning of a recently identified vulnerability allowing unauthenticated remote access via the Log4j Java library. This flaw affects the VM Manager Tool (versions 9.2.21 – 9.2.25) within BigFix Inventory and ILMT. The VM Manager Tool is typically only installed on the main BigFix Server. Versions of the ILMT Server and VM Manager Tool previous to 9.2.21 contains log4j 1.x which is vulnerable to other attacks and should be upgraded as well. There are several paths for a resolution to the problem:

  • Update to VM Manager Tool version 9.2.26, then optionally perform the workaround below to upgrade log4j from version 2.15.0 to 2.17.2
  • If ILMT Server version is older than 9.2.18, perform an intermediate upgrade to 9.2.18 and then upgrade ILMT Server to 9.2.26
  • If ILMT Server version is 9.2.18 through 9.2.20, upgrade ILMT Server to 9.2.26. We’ve created guides for both Windows and Linux to help you walk through this step.

We find that providing the exact commands, screenshots, and additional insight provides more confidence when applying changes to enterprise-level applications, but if you’d like more information, or to speak with one of our experts for a free assessment regarding this vulnerability, please schedule a meeting with us.

ITAM Executive host Pete Larkin and Jeremy Pratt, Director of SAM Tech and IT, sit down to discuss the recent log4j vulnerability, who it impacts, and what you can do to fix it. 

VM Manager Tool Upgrade

1. Log in to BigFix Console

2. Click on Sites > External Sites > IBM License Reporting (ILMT) v9 > Fixlets and Tasks

3. Highlight the Update VM Manager Tool to version (9.2.26.0) fixlet

4. In the bottom-right section, click Take Action

5. Select the computer(s) that show on the right side and click OK

6. The fixlet will begin to run. When it finishes, typically within five minutes, the status will update to Completed

The VM Manager Tool is not affected by the vulnerabilities affecting log4j 2.15.0 and 2.16.0, but if you would like to upgrade to log4j 2.17.2, you can follow one of the workaround methods below.

Workaround Method

The following instructions are split up by operating system and into two methods of applying a fix: 

  1. Update the log4j version (preferable)
  2. Configure the current log4j version (if the current version is 2.10 or later)

The current log4j version can be found by looking at the log4j-api-x.x.x.jar or log4j-core.x.x.x.jar file in the following default directory: 

Linux:/var/opt/BESClient/LMT/VMMAN/lib

Windows:C:\Program Files (x86)\BigFix Enterprise\BES Client\LMT\VMMAN

Linux 

Option 1 – Update the log4j version (Preferable) 

1. Download the following file: https://dlcdn.apache.org/logging/log4j/2.17.2/apache-log4j-2.17.2-bin.tar.gz

2. Unpackage the file on the server with the VM Manager Tool installed (by default the BigFix Server), by running the following command:

tar -xvf apache-log4j-2.17.2-bin.tar.gz

3. Stop the VM Manager Tool by running the following command (assuming default install location, may also be in /opt/ibm/LMT/VMMAN):

/var/opt/BESClient/LMT/VMMAN/vmman.sh -stop

4. Copy the log4j-api-2.17.2.jar and log4j-core-2.17.2.jar from inside the unpackaged directory in step 2 into the /var/opt/BESClient/LMT/VMMAN/lib directory

5. Remove the old log4j-api-x.x.x.jarand log4j-core-x.x.x.jar files from inside the var/opt/BESClient/LMT/VMMAN/lib directory

6. Edit the /var/opt/BESClient/LMT/VMMAN/vmman.sh file using a tool such as vi and change the end of the following lines from 2.xx.x to the new 2.17.2 version:

VMM_CLASS_PATH=$VMM_CLASS_PATH:$VMM_LOCAL_LIB/log4j-api-2.17.2.jar

VMM_CLASS_PATH=$VMM_CLASS_PATH:$VMM_LOCAL_LIB/log4j-core-2.17.2.jar

 

7. Start the VM Manager Tool by running the following command in an Elevated command prompt with administrator privileges:

/var/opt/BESClient/LMT/VMMAN/vmman.sh -run


Option 2 – Set Flag to Disable Lookups

1. Stop the VM Manager Tool by running the following command (assuming default install location, may also be in /opt/ibm/LMT/VMMAN):

/var/opt/BESClient/LMT/VMMAN/vmman.sh -stop

2. Edit the /var/opt/BESClient/LMT/VMMAN/vmman.sh file using a tool such as vi and add -Dlog4j2.formatMsgNoLookups=true to the end of the VMM_PROPERTIES_DEFS line within the quotes:

 

 

 

3. Start the VM Manager Tool by running the following command in an Elevated command prompt with administrator privileges:

/var/opt/BESClient/LMT/VMMAN/vmman.sh -run

Windows

Option 1 – Update the log4j version (Preferable)

1. Download the following file: https://dlcdn.apache.org/logging/log4j/2.17.2/apache-log4j-2.17.2-bin.zip

2. Unzip the file on the server with the VM Manager Tool installed (by default the BigFix Server)

3. Stop the VM Manager Tool by running the following command (assuming default install location, may also be in C:\Program Files\ibm\LMT\VMMAN)

C:\Program Files (x86)\BigFix Enterprise\BESClient\LMT\VMMAN\vmman.bat -stop

4. Copy the log4j-api-2.17.2.jar and log4j-core-2.17.2.jar from inside the unpackaged directory in step 2 into the directory:

C:\Program Files (x86)\BigFix Enterprise\BESClient\LMT\VMMAN\lib

5. Remove the old log4j-api-x.x.x.jar and log4j-core-x.x.x.jar from inside the directory:

C:\Program Files (x86)\BigFix Enterprise\BESClient\LMT\VMMAN\lib

6. Edit the C:\Program Files (x86)\BigFix Enterprise\BESClient\LMT\VMMAN\vmman.bat file using a tool such as Notepad and change the end of the following lines from 2.xx.x to the new 2.17.2 version:

SET VMM_CLASS_PATH=%VMM_CLASS_PATH%;%VMM_LOCAL_LIB%/log4j-api-2.17.2.jar

SET VMM_CLASS_PATH=%VMM_CLASS_PATH%;%VMM_LOCAL_LIB%/log4j-core-2.17.2.jar

 

7. Start the VM Manager Tool by running the following command in an elevated command prompt with administrative permission:

C:\Program Files (x86)\BigFix Enterprise\BESClient\LMT\VMMAN\vmman.bat -run

Option 2 – Set Flag to Disable Lookups

1. Stop the VM Manager Tool by running the following command (assuming default install location, may also be in C:\Program Files\ibm\LMT\VMMAN):

C:\Program Files (x86)\BigFix Enterprise\BESClient\LMT\VMMAN\vmman.bat -stop

2. Edit the C:\Program Files (x86)\BigFix Enterprise\BESClient\LMT\VMMAN\vmman.bat  file using a tool such as notepad and add:

SET VMM_PROPERTIES_DEFS=%VMM_PROPERTIES_DEFS% -Dlog4j2.formatMsgNoLookups=true

after the following line:

SET VMM_PROPERTIES_DEFS=%VMM_PROPERTIES_DEFS% -Dsun.net.http.allowRestrictedHeaders=true

 

3. Start the VM Manager Tool by running the following command in an elevated command prompt with administrative permission:

C:\Program Files (x86)\BigFix Enterprise\BESClient\LMT\VMMAN\vmman.bat -run

Hopefully you found this guide helpful. If you run into problems and need help, please consider contacting us to see if we can help you troubleshoot.