Overview
On Thursday December 9, 2021, a severe remote code execution vulnerability was revealed in Apache's Log4j, a very common logging library used by developers of web and server applications based on Java and other programming languages. The vulnerability affects a broad range of services and applications on servers, which makes it extremely dangerous and makes the latest updates for those server applications urgent. Sophos has observed widespread malicious attempts to exploit internet-facing services using this vulnerability.
The vulnerability makes it possible for any attacker who can inject text into log messages or log message parameters to make the logging server load code from a remote server; the targeted server then executes that code via calls to the Java Naming and Directory Interface (JNDI). JNDI interfaces with a number of network services, including the Lightweight Directory Access Protocol (LDAP), the Domain Name System (DNS), Java Remote Method Invocation (RMI), and the Common Object Request Broker Architecture (CORBA). Sophos has seen attempts to exploit LDAP, DNS and RMI, using URLs for those services that redirect to an external server.
Patches for Log4j
While there are steps that customers can take to mitigate the vulnerability, the best fix is to upgrade to the patched version, already released by Apache in Log4j 2.15.0.
Additional Log4j bugs, CVE-2021-45046 and CVE-2021-45105, have caused Apache to update Log4j from 2.15.0 to version 2.17.0. A fourth CVE, CVE-2021-44832, was reported just after the Christmas 2021 weekend, on 2021-12-28, causing Apache to update Log4j to version 2.17.1. Sophos recommends you update to Log4j 2.17.1.
If you have already started patching with version 2.15.0 but haven't completed the update on all systems, our recommendation is to finish patching any remaining systems with 2.17.1. This ensures all systems will have a minimum version of at least 2.15.0, which addresses the critical CVE-2021-44228 vulnerability; you can then go back and upgrade the 2.15.0 systems to 2.17.1 so that you have the same version everywhere.
What Sophos products are affected?
Sophos is reviewing and patching all affected applications and services as part of its incident response process.
Product or Service | Status | Description |
---|---|---|
Cloud Optix | Patched | Users may have noticed a brief outage on Friday, December 10, 2021 around 12:30 PM UTC as updates were deployed. Sophos performed host forensics and log analysis in the Cloud Optix environment and determined that the vulnerability was not successfully exploited prior to fixes being deployed. |
PureMessage | Not vulnerable | PMX does not use Log4j. |
Reflexion | Not impacted | Reflexion does not run an exploitable configuration. |
SafeGuard Enterprise (SGN) | Not vulnerable | SGN does not use Log4j. |
SG UTM (all versions) | Not vulnerable | SG UTM does not use Log4j. |
SG UTM Manager (SUM) (all versions) | Not vulnerable | SUM does not use Log4j. |
Sophos Authenticator | Not vulnerable | Sophos Authenticator does not use Log4j. |
Sophos Central | Not impacted | Sophos Central does not run an exploitable configuration. |
Sophos Endpoint protection (Windows/Mac/Linux) | Not vulnerable | Sophos Endpoint protection (Intercept X Endpoint, Intercept X for Server) does not use Log4j. |
Sophos Email | Patched | Sophos performed host forensics and log analysis in the Sophos Email environment and determined that the vulnerability was not successfully exploited prior to fixes being deployed. |
Sophos Email Appliance | Not vulnerable | SEA does not use Log4j. |
Sophos Enterprise Console (SEC) | Not vulnerable | SEC does not use Log4j. |
Sophos Firewall (all versions) | Not vulnerable | Sophos Firewall does not use Log4j. |
Sophos Firewall auxiliary clients | Not vulnerable | None of the Sophos Firewall auxiliary clients use Log4j. |
Sophos Home | Not vulnerable | Sophos Home does not use Log4j. |
Sophos Mobile | Not impacted | Sophos Mobile (in Central, SaaS, and on-premises) does not run an exploitable configuration. |
Sophos Mobile EAS Proxy | Impacted | The Sophos Mobile Standalone EAS Proxy was affected by CVE-2021-44228 and the fix was included in version 9.7.2 which was released on Monday December 13, 2021. The fix is also available in version 9.7.3 and all subsequent releases. Customers can download the latest version of the Standalone EAS Proxy Installer from the Sophos website. |
Sophos RED | Not vulnerable | RED does not use Log4j. |
Sophos Web Appliance | Not vulnerable | SWA does not use Log4j. |
Sophos Wireless | Not vulnerable | Sophos Wireless access points do not use Log4j. |
Sophos ZTNA | Not vulnerable | Sophos ZTNA does not use Log4j. |
SophosLabs Intelix | Not vulnerable | SophosLabs Intelix does not use Log4j. |
How are Sophos customers protected?
Sophos Managed Threat Response (MTR) customers
Sophos is actively monitoring MTR customer accounts for post-exploit activity.
IPS Signatures
IPS signatures were published on December 11, 2021.
Sophos Firewall
- SIDs are 2306426, 2306427, 2306428, 58722, 58723, 58724, 58725, 58726, 58727, 58728, 58729, 58730, 58731, 58732, 58733, 58734, 58735, 58736, 58737, 58738, 58739, 58740, 58741, 58742, 58743, 58744, 58751, 58784, 58785, 58786, 58787, 58788, 58789, 58790, 58795, 58801, 58802, 58803, 58804, 58805, 58806, 58807, 58808, 58809, 58810, 58811, 58812, 58813, 2306526
Sophos Endpoint
- SIDs are 2306426, 2306427, 2306428, 2306438, 2306439, 2306440, 2306441, 2306490, 2306493, 2306494, 2306495, 2306496, 2306497, 2306499, 2306526, 2306569, 2306570, 2306571, 2306572, 2306573, 2306574
Sophos SG UTM
- SIDs are 58722, 58723, 58724, 58725, 58726, 58727, 58728, 58729, 58730, 58731, 58732, 58733, 58734, 58735, 58736, 58737, 58738, 58739, 58740, 58741, 58742, 58743, 58744, 58751, 58784, 58785, 58786, 58787, 58788, 58789, 58790, 58795, 58801, 58802, 58803, 58804, 58805, 58806, 58807, 58808, 58809, 58810, 58811, 58812, 58813
Sophos XDR customers
Sophos XDR customers can use Sophos LiveQuery to help identify vulnerable Log4j components in their environment.
Example queries are maintained on the Sophos Community forum:
- Identify vulnerable Log4j Apache components (Linux only): https://community.sophos.com/intercept-x-endpoint/i/compliance/identify-vulnerable-log4j-apache-components
- Basic search to find Log4j running on hosts from the Sophos DataLake (Windows / macOS / Linux): https://community.sophos.com/intercept-x-endpoint/i/compliance/basic-search-to-find-log4j-running-on-hosts-from-xdr
If you identify the vulnerable component, you should update immediately and review your logs for any signs of exploitation attempts. Sophos expects that a successful exploitation will not be logged by Log4j itself, requiring correlation with other log sources.
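As an added example (not Sophos' LiveQuery or any Sophos tooling), the script below does the same job as the queries above on a local filesystem: it walks a directory tree for log4j-core jars, reads the version from each jar's manifest (falling back to the file name only when the manifest lacks one, since a repackaged jar's name can be stale), and maps the version onto the CVEs and fix versions from the Patches section. The sample jar tree it scans is constructed in a temporary directory and is not real Log4j.

```python
import os
import re
import tempfile
import zipfile

def parse_version(text):
    # Pull a major.minor.patch triple out of a file name or manifest line
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def jar_version(path):
    # Prefer the manifest's Implementation-Version: a repackaged jar's file name can be stale
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        manifest = ""  # unreadable jar or no manifest: the file name is all we have
    m = re.search(r"^Implementation-Version:(.*)$", manifest, re.M)
    return (m and parse_version(m.group(1))) or parse_version(os.path.basename(path))

def assess(version):
    # Map a log4j-core version onto the CVEs and fix versions the advisory lists
    if version is None:
        return "unknown version: inspect manually"
    if version < (2, 15, 0):
        return "CVE-2021-44228 (critical): upgrade to 2.17.1"
    if version < (2, 17, 0):
        return "CVE-2021-45046 / CVE-2021-45105: upgrade to 2.17.1"
    if version < (2, 17, 1):
        return "CVE-2021-44832: upgrade to 2.17.1"
    return "at recommended version 2.17.1 or later"

def scan(root):
    # Return (file name, version, verdict) for every log4j-core jar under root
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                version = jar_version(os.path.join(dirpath, name))
                findings.append((name, version, assess(version)))
    return sorted(findings)

def demo():
    # Constructed sample tree (not real log4j): three empty jars, one with a misleading name
    root = tempfile.mkdtemp()
    for rel, impl in [("lib/log4j-core-2.14.1.jar", None), ("lib/log4j-core.jar", "2.17.1"),
                      ("log4j-core-2.15.0.jar", "2.16.0")]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {impl}\n" if impl else "")
    return scan(root)
```

Run `scan("/")` (or a narrower application root) to inventory real hosts; note that the third sample jar is named 2.15.0 but its manifest says 2.16.0, and the manifest wins.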
Malicious Payload Detections
SophosLabs has published detections for the malicious payloads arriving via Log4Shell. The detections are predominantly for crypto miners, attack scripts and malicious Java downloaders. Please note that not all of these payloads are exclusive to Log4Shell and some may be arriving via another vector.
- Troj/JavaDl-AAN
- Troj/Java-AIN
- Troj/Java-AIP
- Troj/JavaDI-AAO
- Troj/BatDl-GR
- Troj/Ransom-GME
- Troj/StealthL-A
- Troj/Bckdr-RYB
- Troj/Khonsari-A
- Troj/PSDl-LR
- Mal/JavaKC-B
- XMRig Miner (PUA)
- Mal/ShellDl-A
- Mal/ExpJava-AL
- Mal/ExpJava-AN
- Mal/ExpJava-AO
- Mal/ExpJava-AQ
- App/StlthLdr-A
- Linux/DDoS-DT
- Linux/DDoS-DS
- Linux/Miner-ABU
- Linux/Miner-ADG
- Linux/Miner-ADH
- Linux/Miner-ZS
- Linux/Miner-WU
- Linux/Rootkt-M
- Linux/Swrort-G
- Linux/Miner-EQ
- Linux/DDoS-CI
- Linux/DDoS-CIA
Related Information
- Apache Log4j Security Vulnerabilities
- cve.mitre.org: CVE-2021-44228
- cve.mitre.org: CVE-2021-45046
- cve.mitre.org: CVE-2021-45105
- cve.mitre.org: CVE-2021-44832
- Naked Security: “Log4Shell” Java vulnerability – how to safeguard your servers
- Naked Security: Log4Shell explained – how it works, why you need to know, and how to fix it
- Naked Security Podcast: S3 Ep63: Log4Shell (what else?) and Apple kernel bugs
- Naked Security: Log4Shell vulnerability Number Four: “Much ado about something”
- SophosLabs Uncut: Log4Shell Hell: anatomy of an exploit outbreak
- Sophos SecOps: Log4Shell Response and Mitigation Recommendations