i have already read the KB-000043545 - but still one question here:
Quote: "....Sophos has released a new version (9.7.2) of the Sophos Mobile EAS Proxy to address this vulnerability...."
===> So there is a new version of the EAS Proxy Standalone Edition
Quote: "...Other Sophos Mobile components.......Sophos Mobile 9.5 or higher are not using the log4j component which is affected by this vulnerability, meaning Sophos Mobile in Central and Sophos Mobile on-premise are not affected by this vulnerability......"
===> We have alreade the on-premise version 9.7.3
The Question: We use the "internal EAS proxy that is automatically installed with Sophos Mobile" => Is there still the log4j vulnerability - or was this already fixed => so just the users of the "Standalone Edition" have to update ?
Thanks for your support
Thank you for reaching out to the Sophos Community Forum.
It is my understanding that if your SMC Server installation is running a version higher than 9.5, you will not need to patch. This includes the Internal EAS Proxy that gets deployed alongside the SMC Server Installation.
If you choose to deploy the Stand-Alone EAS Proxy, and the version that is deployed is older than 9.7.2, you will need to patch. Some previous versions of the Stand-Alone EAS Proxy did not require you to upgrade the SMC Server version, however, this update will require you to be on at least SMC Server 9.6.
I have also reached out internally for further clarification. I will update this thread in the coming days with additional feedback.
It appears the included log4j in the 9.7.2 proxy version is incomplete. A new version with log4j 2.16.0 needs to be bundled.
"I have also reached out internally for further clarification. I will update this thread in the coming days with additional feedback."
=> Did you get some further clarification ?
Will there be an updated EAS proxy with 2.17.1 of log4j?
The latest release is as follows.- 2021-12-20 - Standalone EAS Proxy 9.7.4 with log4j 2.17.0
To answer your question, I will need to reach out to our team to get further feedback. I will update you on this thread as more information becomes available.
With that being said, for someone to leverage the RCE addressed with version 2.17.1 an attacker would need to first have elevated access to your system and the risk of this being exploited is not as high.
The internal EAS proxy is not affected by the vulnerability. If you’re using the Stand Alone EAS Proxy, we recommend updating to the latest version available 9.7.4.
If anything remains unclear, please do let me know.
The latest vulnerability disclosed for Log4j by Apache does not apply to Sophos Mobile's Stand-Alone EAS Proxy.
There will be an update to the EAS Proxy in the coming weeks to update the version of Log4j to 2.17.1 for best-practice purposes.