Zero-day in the Log4j Java library (CVE-2021-44228 and CVE-2021-45046)
- Sumo Logic Service: We have confirmed that our service is not vulnerable to Log4Shell.
- Sumo Logic Installed Collector: We recommend an immediate upgrade of all collectors to version 19.361-12.
Sumo Logic Service details:
- After review and analysis of our Log4j usage, we are confident that the service has never been vulnerable to the Log4j lookup vulnerability.
- Despite this, out of an abundance of caution, we have been working on updating all versions of Log4j used internally to the latest version.
Sumo Logic Installed Collector details:
We are confident that ordinary operation of our current release of our collector mitigates this vulnerability. That said, below is a Sumo Logic in-depth analysis of the situation as it relates to this vulnerability.
- Our collector does utilize Log4j for its internal audit logging operations, but by design, data passing through the collector is never logged. Potential attack vectors exist but require privileged access and advanced knowledge and skills to exploit, as our internal security teams have discovered.
- We do not believe our customers are at significant risk from external parties in the ordinary operation of our collectors, including at our latest release. Industry best practices recommend that you do not allow unsanitized external inputs to drive internal environmental configuration.
- Third party verification of the above is in progress.
Supply Chain details:
- We are actively working with our supply chain partners to understand their impact regarding this vulnerability.
Open Source Project details:
As previously mentioned,
- We found a small number of open source libraries published by us that included the vulnerable version of the library. Customers may or may not use them, but there is potential for downstream consumers to have vulnerabilities.
- The open source libraries will be updated, and new releases are being published.
Thank you again for your patience and partnership, and we will continue to provide updates as soon as we know more.
If you have any additional questions or concerns, please open a case with Sumo Logic Support (support@sumologic.com).