Sophos Mobile EAS Proxy - log4j vulnerability

Dear Community,

I have already read the KB-000043545 - but still have one question here:

Quote: "....Sophos has released a new version (9.7.2) of the Sophos Mobile EAS Proxy to address this vulnerability...."

===> So there is a new version of the EAS Proxy Standalone Edition

Quote: "...Other Sophos Mobile components.......Sophos Mobile 9.5 or higher are not using the log4j component which is affected by this vulnerability, meaning Sophos Mobile in Central and Sophos Mobile on-premise are not affected by this vulnerability......"

===> We already have the on-premise version 9.7.3

The Question: We use the "internal EAS proxy that is automatically installed with Sophos Mobile" => Is there still the log4j vulnerability - or was this already fixed => so just the users of the "Standalone Edition" have to update?

Thanks for your support

Regards

Peter



  • Hello Peter,

    Thank you for reaching out to the Sophos Community Forum. 

    It is my understanding that if your SMC Server installation is running a version higher than 9.5, you will not need to patch. This includes the Internal EAS Proxy that gets deployed alongside the SMC Server Installation.

    If you choose to deploy the Stand-Alone EAS Proxy, and the version that is deployed is older than 9.7.2, you will need to patch. 
    Some previous versions of the Stand-Alone EAS Proxy did not require you to upgrade the SMC Server version, however, this update will require you to be on at least SMC Server 9.6.

    I have also reached out internally for further clarification. I will update this thread in the coming days with additional feedback.

    Kushal Lakhan
    Global Community Support Engineer
  • It appears the included log4j in the 9.7.2 proxy version is incomplete.  A new version with log4j 2.16.0 needs to be bundled.
