[Update] Zero-day in the Log4j Java library

Update SEC-INV-48: Zero-day in the Log4j Java library

Thank you for your continued patience and support; our investigation is still active, but we have determined the following:

Sumo Logic service:

  • At this point, we believe the service is not vulnerable as we leverage a Java version that mitigates the vulnerability. We are continuing to monitor all possibilities.
  • Additionally, we have controls on a network level that render this vulnerability less likely to be exploited.
  • Out of an abundance of caution, we are updating all versions of Log4j in use to the latest release.

Sumo Logic collector:

  • As of collector version 19.227-15 (released 10/2018), the JDK bundled with the collector was upgraded to 8u192. We anticipate that any collector at or above version 19.227-15 should not be affected by the known vulnerability.
  • To mitigate further risk, please make sure that your installed Sumo Logic collector is using a JDK version more recent than 6u211, 7u201, 8u191, and 11.0.1, as these versions are less susceptible to the vulnerability.
  • Since most collectors do not listen on the network and do not log anything that was received over the network, this should minimize any potential attack surface.
  • We are working on releasing a new collector and will let you know when it’s available.
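
As an added example (not Sumo Logic code), the JDK check from the collector guidance above can be scripted: this Python script parses `java -version` output and reports whether the version is more recent than 6u211, 7u201, 8u191 and 11.0.1. The function names and sample banners are constructed for illustration, and treating Java 9 and 10 as undecided is an assumption, since the advisory does not list them.

```python
import re
import subprocess
import sys

# Versions named in the advisory; a JDK must be MORE RECENT than these.
# major release -> (minor, update/security) within that release line
THRESHOLDS = {6: (0, 211), 7: (0, 201), 8: (0, 191), 11: (0, 1)}

VERSION_RE = re.compile(r'version "(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?')


def parse_java_version(banner):
    """Return (major, (minor, update)) from `java -version` output, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    a, b, c, upd = (int(g) if g else 0 for g in m.groups())
    if a == 1:                      # legacy scheme: 1.8.0_192 means 8u192
        return b, (c, upd)
    return a, (b, c)                # newer scheme: 11.0.2


def newer_than_advisory(banner):
    """True/False per the advisory thresholds; None if it cannot be decided."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    major, rest = parsed
    if major in THRESHOLDS:
        return rest > THRESHOLDS[major]
    if major > max(THRESHOLDS):
        return True                 # any release line after 11
    if major < min(THRESHOLDS):
        return False                # older than every listed release line
    return None                     # 9 and 10 are not listed (assumption: review manually)


def check_java_binary(java_path):
    """Run a specific java binary (e.g. the one a collector uses) and classify it."""
    out = subprocess.run([java_path, "-version"], capture_output=True, text=True)
    return newer_than_advisory(out.stderr + out.stdout)  # banner goes to stderr


if __name__ == "__main__":
    # Constructed sample banners, used when no java path is given.
    samples = ['java version "1.8.0_192"', 'openjdk version "11.0.1" 2018-10-16',
               'openjdk version "10.0.2" 2018-07-17', 'java version "1.7.0_80"']
    if len(sys.argv) > 1:
        print(sys.argv[1], check_java_binary(sys.argv[1]))
    else:
        for s in samples:
            print(f"{s!r:45} -> {newer_than_advisory(s)}")
```

Pass the path of the java binary the collector actually runs as the first argument; a result of `False` or `None` means that JDK needs a closer look.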

Open Source projects:

  • A review found a small number of open source libraries we publish that included the vulnerable version of the library. Customers may or may not use them, but there is potential for downstream consumers to have vulnerabilities.
  • The open source libraries have been upgraded and new releases are being published.

Thank you again, and we will continue to provide updates as soon as we know more.

If you have any additional questions or concerns, please open a case with Sumo Logic Support (support@sumologic.com).


by "Jay from Sumo Logic" <jschwegler@sumologic.com> - 10:45 - 10 Dec 2021