
Hope XG isn't affected by the Log4j exploit

Turns out that if an attacker can provide some text -- say a phony system name, etc -- that will be logged by the ubiquitous Log4j java library, they can execute arbitrary code. It's used most everywhere so the issue is much larger than Sophos, but...

nakedsecurity.sophos.com/.../



  • It's only a sample size of two, but the vulnerable library is present on the XG devices I checked just now:
    /usr/share/webconsole/WEB-INF/lib/spotbugs/lib/log4j-core-2.13.1.jar

    If Sophos say that "Sophos Firewall does not use Log4j." then I'm inclined to trust them, but it would be better if the statement read "Even though the vulnerable code is present in the XG filesystem, it is not used in any way, we just bundled it in there because someone thought it was a good idea to have it handy should the need arise." ;)

  • Spotbugs in SFOS is not used at runtime on the appliance and is only a tool for the DEV part of QA. So the statement within the Advisory is still correct: Sophos Firewall does not use Log4j.
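The two replies above make two different points: the first finds a log4j-core jar sitting on disk, the second says that presence on disk is not the same as use at runtime. The script below, an added example that is not from the thread, from Sophos or from SFOS, automates both checks on a generic Linux box: it walks a directory tree for `log4j-core-*.jar` files, classifies each by the version in its file name, and then looks at `/proc/<pid>/fd` to see whether any running process actually has the jar open. The version thresholds are an assumption stated in the comments (the first fix for the Log4j issue discussed here shipped in 2.15.0, with a follow-up in 2.16.0), and the file names used are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread, Sophos or SFOS): inventory log4j-core jars
# under a directory tree, flag the affected version range, and check whether a
# running process has the jar open. Linux only for the runtime check (/proc).

# Classify one log4j-core jar by the version embedded in its file name.
# Prints "<status> <version> <path>"; status is AFFECTED, PARTIAL, FIXED or UNKNOWN.
# Assumption (threshold): 2.0-beta9 .. 2.14.1 are affected by the issue in the
# thread, 2.15.0 closed the main hole but needed a follow-up, 2.16.0+ is fixed
# for it (later releases fix further problems, so "upgrade to current" still holds).
classify_log4j_jar() {
    jar=$1
    base=$(basename "$jar")
    ver=${base#log4j-core-}          # log4j-core-2.13.1.jar -> 2.13.1.jar
    ver=${ver%.jar}                  #                        -> 2.13.1
    num=${ver%%-*}                   # 2.0-beta9 -> 2.0 (numeric part only)
    major=${num%%.*}
    rest=${num#*.}
    minor=${rest%%.*}
    case "$major$minor" in
        *[!0-9]*|"") echo "UNKNOWN $ver $jar"; return 0 ;;
    esac
    if [ "$major" -eq 2 ] && [ "$minor" -lt 15 ]; then
        echo "AFFECTED $ver $jar"
    elif [ "$major" -eq 2 ] && [ "$minor" -eq 15 ]; then
        echo "PARTIAL $ver $jar"
    elif [ "$major" -eq 2 ]; then
        echo "FIXED $ver $jar"
    else
        echo "UNKNOWN $ver $jar"     # 1.x is a different code base; review separately
    fi
}

# Walk a directory tree (default: /) and classify every log4j-core jar found.
scan_log4j() {
    root=${1:-/}
    find "$root" -type f -name 'log4j-core-*.jar' 2>/dev/null | while IFS= read -r jar; do
        classify_log4j_jar "$jar"
    done
}

# Presence on disk is not use at runtime: report whether any live process has
# the jar open. Returns 0 if open (prints the pid), 1 if not, 2 if /proc is absent.
# Run as root to see other users' processes; unreadable entries are skipped.
jar_in_use() {
    jar=$1
    [ -d /proc/self/fd ] || return 2
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        if [ "$target" = "$jar" ]; then
            pid=${fd#/proc/}; pid=${pid%%/*}
            echo "$jar open in pid $pid"
            return 0
        fi
    done
    return 1
}

# Usage: sh log4j_inventory.sh /usr/share   (no argument: nothing is scanned)
if [ $# -gt 0 ]; then
    scan_log4j "$1" | while read -r status ver path; do
        echo "$status $ver $path"
        if [ "$status" = AFFECTED ] || [ "$status" = PARTIAL ]; then
            rc=0; jar_in_use "$path" || rc=$?
            [ "$rc" -eq 1 ] && echo "  (not open by any running process at scan time)"
            [ "$rc" -eq 2 ] && echo "  (runtime check unavailable: no /proc)"
        fi
    done
fi
```

A jar that is not open at scan time can still be loaded later by a tool that runs on demand, so the runtime check is evidence, not proof; the reliable fix remains removing or upgrading the jar. The file-name heuristic also misses jars that were renamed or shaded into another archive, which is why the vendor statement about what the platform actually executes is the part worth pinning down.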
