Zero-day in the Log4j Java library 12.16.21
We have published a new version of our collector, release 19.361-16, which has been updated to leverage Log4j 2.16.0 and address the vulnerability related to CVE-2021-45046.
We recommend upgrading to the latest version immediately.
Our previous release, 19.361-12, which was released on December 11, 2021, upgraded Log4j to 2.15.0 to fix the zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228). However, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations and we subsequently upgraded our collector (again) to leverage Log4j 2.16.0.
Utilizing the latest collector will help minimize the risk stemming from any new information released surrounding this vulnerability. It is critical that all collectors installed are upgraded to the latest release to ensure that any potential undiscovered or undisclosed issues in prior Log4j versions are not exploitable.
Resources:
Sumo Logic Collector Release Notes
Collector Update Best Practices
Upgrade Collectors using the Web Application
Upgrade Collectors using the Command Line
Thank you again for your patience and partnership, and we will continue to provide updates as soon as we know more.
If you have any additional questions or concerns, please open a case with Sumo Logic Support (support@sumologic.com).
|
