Sophos Mobile EAS Proxy - log4j vulnerability

Question

Dear Community, 
 
 i have already read the KB-000043545 - but still one question here: 
 
 Quote: ".... Sophos has released a new version (9.7.2) of the Sophos Mobile EAS Proxy to address this vulnerability ...." 
 ===> So there is a new version of the EAS Proxy Standalone Edition 
 
 Quote: "... Other Sophos Mobile components....... Sophos Mobile 9.5 or higher are not using the log4j component which is affected by this vulnerability, meaning Sophos Mobile in Central and Sophos Mobile on-premise are not affected by this vulnerability......" 
 ===> We have alreade the on-premise version 9.7.3 
 
 The Question: We use the "internal EAS proxy that is automatically installed with Sophos Mobile" => Is there still the log4j vulnerability - or was this already fixed => so just the users of the "Standalone Edition" have to update ? 
 
 Thanks for your support 
 Regards 
 Peter

Qoosh · Accepted Answer

Hello Peter, 
 Thank you for reaching out to the Sophos Community Forum. 
 It is my understanding that if your SMC Server installation is running a version higher than 9.5, you will not need to patch. This includes the Internal EAS Proxy that gets deployed alongside the SMC Server Installation. 
 If you choose to deploy the Stand-Alone EAS Proxy, and the version that is deployed is older than 9.7.2, you will need to patch. Some previous versions of the Stand-Alone EAS Proxy did not require you to upgrade the SMC Server version, however, this update will require you to be on at least SMC Server 9.6. 
 I have also reached out internally for further clarification. I will update this thread in the coming days with additional feedback.

Qoosh · Answer

Hi Peter, 
 The internal EAS proxy is not affected by the vulnerability. If you&rsquo;re using the Stand Alone EAS Proxy, we recommend updating to the latest version available 9.7.4. 
 If anything remains unclear, please do let me know.

Sophos Mobile EAS Proxy - log4j vulnerability

Top Replies