I have already read KB-000043545, but I still have one question here:
Quote: "....Sophos has released a new version (9.7.2) of the Sophos Mobile EAS Proxy to address this vulnerability...."
===> So there is a new version of the EAS Proxy Standalone Edition
Quote: "...Other Sophos Mobile components.......Sophos Mobile 9.5 or higher are not using the log4j component which is affected by this vulnerability, meaning Sophos Mobile in Central and Sophos Mobile on-premise are not affected by this vulnerability......"
===> We already have the on-premise version 9.7.3
The question: We use the "internal EAS proxy that is automatically installed with Sophos Mobile" => Is the log4j vulnerability still present there, or was this already fixed => so that only the users of the "Standalone Edition" have to update?
Thanks for your support
Thank you for reaching out to the Sophos Community Forum.
It is my understanding that if your SMC Server installation is running a version higher than 9.5, you will not need to patch. This includes the Internal EAS Proxy that gets deployed alongside the SMC Server Installation.
If you choose to deploy the Stand-Alone EAS Proxy, and the version that is deployed is older than 9.7.2, you will need to patch. Some previous versions of the Stand-Alone EAS Proxy did not require you to upgrade the SMC Server version; however, this update will require you to be on at least SMC Server 9.6.
I have also reached out internally for further clarification. I will update this thread in the coming days with additional feedback.
It appears the included log4j in the 9.7.2 proxy version is incomplete. A new version with log4j 2.16.0 needs to be bundled.
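Because the thread turns on which log4j version is actually bundled (the 9.7.2 proxy reportedly shipped an incomplete fix, and 2.16.0 is the version named as the one that needs to be bundled), the practical check for an administrator is to inventory the log4j-core jars that really exist on disk, including ones nested inside application or fat jars, and compare them against 2.16.0. The script below is an added example written for this thread; it is not Sophos code and it does not know the real Sophos Mobile or EAS Proxy install paths, so it builds a small constructed directory (one old jar on disk, one fixed jar nested in an application jar) and scans that. Point `scan_directory` at a real installation directory instead to get the same report.

```python
"""Inventory log4j-core jars under a directory and flag versions below 2.16.0.

Added example for this thread, not Sophos code. It reads the Maven
pom.properties that log4j-core ships inside its jar, which survives
renaming of the jar file and is also present when the jar is nested
inside another archive (Spring Boot / fat jars).
"""
import io
import os
import tempfile
import zipfile

# Version the thread names as the one that needs to be bundled.
BASELINE = "2.16.0"
ARCHIVE_SUFFIXES = (".jar", ".zip", ".war", ".ear")
POM_SUFFIX = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """Turn '2.16.0' into a tuple so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))


def version_from_zip(zf):
    """Return log4j-core's own version from its pom.properties, or None if absent."""
    for name in zf.namelist():
        if name.endswith(POM_SUFFIX):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return None


def scan_archive(zf, location, findings):
    """Record log4j-core in zf, then recurse into any archives nested inside it."""
    ver = version_from_zip(zf)
    if ver:
        findings.append((location, ver))
    for name in zf.namelist():
        if name.endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # an entry named .jar that is not a valid zip
            scan_archive(inner, f"{location}!{name}", findings)


def scan_directory(root):
    """Return [(location, version, below_baseline)] for every log4j-core found under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, f)
                try:
                    zf = zipfile.ZipFile(path)
                except zipfile.BadZipFile:
                    continue
                scan_archive(zf, path, findings)
    baseline = parse_version(BASELINE)
    return [(loc, ver, parse_version(ver) < baseline) for loc, ver in findings]


def make_log4j_core_jar(version):
    """Constructed test data: a minimal jar carrying only log4j-core's pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_SUFFIX, f"version={version}\n"
                                "groupId=org.apache.logging.log4j\n"
                                "artifactId=log4j-core\n")
    return buf.getvalue()


def build_sample_install():
    """Constructed stand-in for an install directory (real Sophos paths are not known here):
    one old log4j-core on disk and one fixed log4j-core nested inside an application jar."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(make_log4j_core_jar("2.14.1"))
    app = io.BytesIO()
    with zipfile.ZipFile(app, "w") as zf:
        zf.writestr("BOOT-INF/lib/log4j-core-2.16.0.jar", make_log4j_core_jar("2.16.0"))
    with open(os.path.join(root, "proxy.jar"), "wb") as fh:  # hypothetical app jar name
        fh.write(app.getvalue())
    return root


if __name__ == "__main__":
    for location, version, below in scan_directory(build_sample_install()):
        status = "BELOW BASELINE" if below else "ok"
        print(f"{status:15} log4j-core {version:8} {location}")
```

The scan keys on log4j-core's own pom.properties rather than on file names, so a jar renamed by a vendor is still recognised, and nested archives are opened in memory so a fat jar does not hide its dependencies. It will not see a copy whose Maven metadata was stripped or whose packages were shaded under another name; for those, checking for the `org/apache/logging/log4j/core/` class path inside the archive is the fallback.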