Q: What license is needed for log4j vulnerability assessment with Runecast?

A: For a complete assessment of Windows and Linux applications plus VMware products, a Runecast OS license plus Runecast VMware license is needed.

Log4j Assessment can be requested here.

How does the log4j vulnerability assessment work?

Runecast uses data collected by Windows and Linux agents, as well as VMware APIs to detect vulnerable log4j instances in Windows and Linux applications, as well as specific VMware products. If you only have a Runecast VMware license, products like vCenter, NSX-T, NSX-V and Horizon will be assessed for vulnerabilities.

If you have the OS license, Windows and Linux applications where the Runecast OS agent is installed will be assessed for vulnerabilities. Most VMware products come as virtual appliances and the Runecast OS agent installation isn’t a preferred method. So, if a customer wants to assess their Windows and Linux applications, as well as their VMware products, it is recommended to have both the OS licenses and the VMware licenses for Runecast.

In many cases Kubernetes nodes are run on Linux servers and Runecast will detect vulnerable log4j instances running in containers, using the method described above. You don’t need a Kubernetes license to do this, just an OS license for the Linux server where the Kubernetes node is running.