Attackers can leverage the initial vulnerability (CVE-2021-44228) to send a specially crafted string containing malicious code that gets logged by Log4j version 2.0 and higher, effectively enabling the threat actor to load arbitrary code from an attacker-controlled domain on a susceptible server and take over control. This is an RCE (remote code execution) attack.

Later the security community learned that the Log4Shell fix still left Log4j open to attackers. This second vulnerability (CVE-2021-45046) allows threat actors to craft malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DoS) attack. The Apache Software Foundation mitigated this vector by completely removing the message lookups feature in Log4j v2.16.0. Sumo Logic proactively released an Installed Collector with v2.16.0 on Dec.

On Dec. 18th, the NVD published a 3rd vulnerability (CVE-2021-45105): Log4j v2.16.0 did not protect against uncontrolled recursion from self-referential lookups, allowing an attacker to cause a DoS. Sumo Logic proactively released an Installed Collector with v2.17.0 on Dec.

On Dec. 28th, the NVD published a 4th vulnerability (CVE-2021-44832): Log4j v2.17.0 was vulnerable to an RCE attack if an attacker has control of the target LDAP server. On Dec. 29th we published a new version of our Installed Collector, release 19.375-4, which has been updated to leverage Log4j v2.17.1 and address the vulnerability related to CVE-2021-44832. We recommend all customers upgrade their Installed Collectors to this latest version immediately. Please stay up to date with our latest releases to ensure any potential undiscovered or undisclosed issues in prior Log4j versions are not exploitable. Sumo Logic's Customer Support team is following up directly with customers on known vulnerable versions to ensure all customers get to a secure/safe version as soon as possible. If you have any questions, please contact us.

("jndi:" or "?)" nodrop

For a deeper technical dive on hunting for this activity, check out our Log4Shell CVE-2021-44228 Situational Awareness Brief.

How Sumo Logic mitigates this vulnerability

What steps have been taken?

Beginning early in the morning on Dec. 10th, Sumo Logic's security team investigated and validated the nature and severity of the exploit against potential points of compromise and determined that at NO time was Sumo Logic exploited. We use a custom SumoLog4Layout library that never invokes custom lookups (as compared to Apache Log4j), so the Sumo Logic Service was never impacted. Sumo Logic's Installed Collector is designed to not invoke anything that it receives from the internet. Further, the logging that we do use Log4j for in our collector is for internal audit purposes only, so this never posed any significant risk.

As a precaution, we released an updated Installed Collector on Dec. 11th with Log4j v2.15.0 in case the situation escalated. With the discovery of CVE-2021-45046, we updated our collector on Dec. With the discovery of CVE-2021-45105, we updated our collector on Dec. On Dec. 29th we updated our collector with Log4j v2.17.1 to proactively protect against CVE-2021-44832. Sumo Logic's System Security and Global Operations Center teams continue to monitor this situation closely for any change in the nature of the vulnerability, methods of compromise, and detection bypass methods. Sumo Logic remains in constant communication with our customers.