Information regarding Log4j vulnerabilities and ePolicy Orchestrator
Last Modified: 2022-01-11 18:25:02 Etc/GMT
Affected Products
Languages:
This article is available in the following languages:
Trellix CEO, Bryan Palma, explains the critical need for security that’s always learning.
As per Gartner, "XDR is an emerging technology that can offer improved threat prevention, detection and response."
Trellix announced the establishment of the Trellix Advanced Research Center to advance global threat intelligence.
Trellix Advanced Research Center analyzes threat data on ransomware, nation-states, sectors, vectors, LotL, MITRE ATT&CK techniques, and emails.
As of May 14, 2024, Knowledge Base (KB) articles will only be published and updated in our new Trellix Thrive Knowledge space.
Log in to the Thrive Portal using your OKTA credentials and start searching the new space. Legacy KB IDs are indexed and you will be able to find them easily just by typing the legacy KB ID.
Information regarding Log4j vulnerabilities and ePolicy Orchestrator
Technical Articles ID:
KB95109
Last Modified: 2022-01-11 18:25:02 Etc/GMT Environment
ePolicy Orchestrator (ePO) 5.10
Summary
This article provides supplemental information to SB10377, regarding on-premises ePO and the log4j vulnerabilities. The CVEs involved include:
You can find information about our malware coverage for log4shell in KB95091 - McAfee Enterprise coverage for Apache Log4j CVE-2021-44228 Remote Code Execution. Hotfix release details To respond as rapidly as possible, two hotfixes were released for ePO which incremented log4j. Both of these hotfixes have been pulled from our download site because they’re no longer needed with the release of ePO 5.10 Update 12.
IMPORTANT:
Frequently Asked Questions If I have installed ePO 5.10 Update 11 Hotfix 1, must I upgrade to ePO 5.10 Update 12? Yes. ePO 5.10 Update 11 Hotfix 1 addressed CVE-2021-44228, but it doesn’t address CVE-2021-45046 or CVE-2021-45105. If I have installed ePO 5.10 Update 11 Hotfix 2, must I upgrade to ePO 5.10 Update 12? It is not needed, but you can. No additional vulnerabilities are addressed between ePO 5.10 Update 11 Hotfix 2 and ePO 5.10 Update 12 because ePO isn’t vulnerable to CVE-2021-44832. See KB95123 - ePolicy Orchestrator Sustaining Statement (SSC2112291) - Response to Log4j vulnerability CVE-2021-44832 for documentation on why ePO isn’t vulnerable to CVE-2021-44832. If ePO isn’t vulnerable to CVE-2021-44832, why does ePO 5.10 Update 12 deliver log4j version 2.17.1? A decision was made while responding to log4j that we would follow up our hotfix releases with a cumulative update release. The update only incremented log4j, and provided the latest build available at the time of the release. If I have applied ePO 5.10 Update 11 Hotfix 1 or 2, do I need to remove them before applying Update 12? No. You can remove the files you backed up when you apply the hotfixes. It’s optional, but isn’t needed. Assuming you used the same file names we recommended in the hotfix release notes, you can safely remove the files below after you apply Update 12 or later:
Why is my vulnerability scanner flagging Agent Handlers as vulnerable to one or more log4j vulnerabilities? The same cumulative update package you apply on the ePO server is used to update Agent Handlers. This package contains a copy of the log4j libraries to update the Application Server. When you apply an update to an Agent Handler, it copies the contents of the entire package to the <AH Install Dir> Why is my vulnerability scanner flagging my ePO server as vulnerable to a log4j vulnerabilities after I’ve applied Update 12? When you apply an update on the ePO server, it copies the entire update package to the This table outlines the file locations and potential problems with removing them. This table assumes you use the default ePO installation directory.
NOTE: The paths above include any subfolders in the referenced path. Do I need to remove the previously published mitigation instructions that were documented in SB10377 for ePO before or after applying ePO 5.10 Update 12? No. The mitigation instructions for ePO can be left in place; they have no negative impact on ePO. If you want to remove them, the instructions for doing so are documented in SB10377 - McAfee Enterprise products' status for "Log4Shell" (CVE-2021-44228, CVE-2021-4104, CVE-2021-45046, and CVE-2021-45105). Do CVE-2021-44228, CVE-2021-4104, CVE-2021-45046, and CVE-2021-45105 apply to ePO 5.10 Update 10 or earlier? If not, why? None of the CVEs apply to ePO 5.10 Update 10 or earlier. For CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105, is because those vulnerabilities only apply to log4j 2.x, while ePO 5.10 Update 10 and earlier use log4j 1.2. CVE-2021-4104 applies to log4j 1.2, but you’re only vulnerable if the Affected ProductsLanguages:This article is available in the following languages: |
|