
Sophos Mobile EAS Proxy - log4j vulnerability

Dear Community,

I have already read KB-000043545, but I still have one question:

Quote: "....Sophos has released a new version (9.7.2) of the Sophos Mobile EAS Proxy to address this vulnerability...."

===> So there is a new version of the EAS Proxy Standalone Edition

Quote: "...Other Sophos Mobile components.......Sophos Mobile 9.5 or higher are not using the log4j component which is affected by this vulnerability, meaning Sophos Mobile in Central and Sophos Mobile on-premise are not affected by this vulnerability......"

===> We already have the on-premise version 9.7.3

The question: We use the "internal EAS proxy that is automatically installed with Sophos Mobile" => Is the log4j vulnerability still present there, or was it already fixed, so that only users of the "Standalone Edition" have to update?

Thanks for your support

Regards

Peter



  • Hello Peter,

    Thank you for reaching out to the Sophos Community Forum. 

    It is my understanding that if your SMC Server installation is running a version higher than 9.5, you will not need to patch. This includes the Internal EAS Proxy that gets deployed alongside the SMC Server Installation.

    If you choose to deploy the Stand-Alone EAS Proxy, and the version that is deployed is older than 9.7.2, you will need to patch. 
    Some previous versions of the Stand-Alone EAS Proxy did not require you to upgrade the SMC Server version; however, this update will require you to be on at least SMC Server 9.6.

    I have also reached out internally for further clarification. I will update this thread in the coming days with additional feedback.

    Kushal Lakhan
    Global Community Support Engineer
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Will there be an updated EAS proxy with 2.17.1 of log4j?

  • The latest release is as follows.
    - 2021-12-20 - Standalone EAS Proxy 9.7.4 with log4j 2.17.0

    To answer your question, I will need to reach out to our team to get further feedback. I will update you on this thread as more information becomes available. 

    With that being said, for someone to leverage the RCE addressed in version 2.17.1, an attacker would first need elevated access to your system, so the risk of this being exploited is not as high.

    Kushal Lakhan
    Global Community Support Engineer
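Rather than relying on release notes alone, it is worth checking which log4j-core build an installed proxy actually carries. The following is an added example and not part of this thread or of any Sophos tooling. It walks an install directory, identifies every jar that contains log4j-core classes (so a copy bundled inside a larger product jar is caught as well, not only files named log4j-core-*.jar), reads the version from the Maven pom.properties that log4j-core jars ship under META-INF, and reports whether JndiLookup.class is still present and whether the version meets a minimum. The minimum of 2.17.0 is taken from the post above; the install path is an assumption you must replace with the real EAS Proxy directory on your host, and the two jars built by `build_sample_install` are constructed test data, not real Sophos files.

```python
# Added example, not Sophos code. Scans an install tree for bundled log4j-core
# and reports version and JndiLookup presence.
import re
import sys
import tempfile
import zipfile
from pathlib import Path

MIN_VERSION = (2, 17, 0)  # what the 9.7.4 standalone proxy ships, per the thread
CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_LOOKUP = CORE_PREFIX + "lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """'2.17.0' -> (2, 17, 0); anything non-numeric -> None."""
    parts = text.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def inspect_jar(jar_path):
    """Return None if the jar has no log4j-core classes, else a finding dict."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        if not any(n.startswith(CORE_PREFIX) for n in names):
            return None
        version = None
        if POM_PROPS in names:  # survives shading; more reliable than the manifest
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(\S+)", props, re.M)
            version = m.group(1) if m else None
        if version is None:  # fall back to the file name, if it carries one
            m = re.search(r"log4j-core-(\d+(?:\.\d+)+)\.jar$", Path(jar_path).name)
            version = m.group(1) if m else "unknown"
        parsed = parse_version(version)
        if parsed is None:
            status = "unknown"
        elif parsed >= MIN_VERSION:
            status = "ok"
        else:
            status = "patch"
        return {
            "jar": str(jar_path),
            "version": version,
            "jndi_lookup_present": JNDI_LOOKUP in names,
            "status": status,
        }


def scan_install(root):
    """Walk root recursively and collect findings for every log4j-core copy."""
    findings = []
    for jar in sorted(Path(root).rglob("*.jar")):
        try:
            finding = inspect_jar(jar)
        except zipfile.BadZipFile:
            continue  # not a real jar; skip it
        if finding:
            findings.append(finding)
    return findings


def build_sample_install(root):
    """Constructed sample (not a real Sophos install): one old log4j-core with
    JndiLookup still present, one 2.17.0 bundled into a jar with no version in
    its name."""
    lib = Path(root) / "lib"
    lib.mkdir(parents=True, exist_ok=True)

    def make(name, version, with_jndi):
        with zipfile.ZipFile(lib / name, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
            zf.writestr(CORE_PREFIX + "Logger.class", b"\xca\xfe\xba\xbe")
            if with_jndi:
                zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")

    make("log4j-core-2.14.1.jar", "2.14.1", True)
    make("easproxy-bundle.jar", "2.17.0", False)
    return str(lib.parent)


def demo_scan():
    """Build the constructed sample in a temp dir and scan it."""
    return scan_install(build_sample_install(tempfile.mkdtemp()))


if __name__ == "__main__":
    # Assumed usage: python log4j_inventory.py "C:\\Program Files\\Sophos\\EASProxy"
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_install(target) if target else demo_scan()
    for f in results:
        print(f"{f['status']:7} {f['version']:8} jndi={f['jndi_lookup_present']} {f['jar']}")
```

Run it against the proxy's install directory; a "patch" line, or any jar that still contains JndiLookup.class, means the bundled logging library has not been updated regardless of what the product version string says. The check only sees jars on disk, so also confirm the service has been restarted after an upgrade.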