Log4j Vulnerability Response Center

Log4j Response Center


Welcome to Sumo Logic’s content hub for the Log4Shell vulnerability with Apache Log4j. This is our official source of communication and updates for this ongoing and developing issue.

Facts on Apache Log4j/Log4Shell

Alerts

What is it?

Log4Shell is a critical (CVSS severity of 10) zero-day vulnerability in Apache Log4j, an open-source Java-based logging tool.

Valuable Security Insights

How is it exploited?

Hackers can leverage the initial vulnerability (CVE-2021-44228) to send a specially crafted string containing the malicious code that gets logged by Log4j version 2.0 and higher, effectively enabling the threat actor to load arbitrary code from an attacker-controlled domain on a susceptible server and take over control. This is a RCE (remote code execution) attack.

Several days later the security community learned the fix to address the initial vulnerability still left Log4j open to attackers. This second vulnerability (CVE-2021-45046) allows threat actors to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DoS) attack. The Apache Software Foundation mitigated this vector by completely removing message lookups feature with their Log4j v2.16.0. As such, Sumo Logic proactively released an Installed Collector with v2.16.0 on Dec. 16th, 2021.

Alert And Notify

Who is affected?

Any server or device that uses an unpatched version of Apache Log4j is vulnerable, which is estimated at 3 billion devices at the time of the vulnerability disclosure.

Determining if you’re affected

  • If you’re using Apache Log4j logging services in your organization, please compare your version against this Apache source for details on updating to the latest version to address the recent security vulnerabilities.

  • Our Content team is actively working on developing dashboards/searches for customers to leverage to help identify potential cases of compromise within their environment.

  • Using your Sumo Logic platform, here is a common search that you can use to find current versions of the exploit that bad actors may be attempting to abuse, which may help you identify cases in your own environment:
    ("jndi:" or "{lower:j" or "{upper:j" or "-j}" or ":-j%7") | parse

  • For a deeper technical dive on hunting for this activity, check out our Log4Shell CVE-2021-44228 Situational Awareness Brief.

How Sumo Logic mitigates this vulnerability

What steps have been taken?

  • Beginning early in the morning on Dec. 10th, Sumo Logic’s security team investigated and validated the nature and severity of the exploit against potential points of compromise and determined that at NO time was Sumo Logic exploited.

  • We use a custom SumoLog4Layout library that never invokes custom lookups (as compared to Apache Log4j) so the Sumo Logic Service was never impacted.

  • Sumo Logic’s Installed Collector is designed to not invoke anything that it is receiving on the internet. Further, the logging that we do use Log4j for in our collector is for internal audit purposes only—so this never posed any significant risk. As a precaution, we released an updated Installed Collector on Dec. 11th with Log4j v2.15.0 in case the situation escalated. With the discovery of CVE-2021-45046, we updated our collector on Dec. 16th with Log4j v2.16.0.

  • Sumo Logic remains in constant communication with our customers.

  • Sumo Logic’s System Security and Global Operations Center teams continue to monitor this situation closely for any change in the nature of the vulnerability, methods of compromise, and detection bypass methods.

What should Sumo Logic customers do?

  • On Dec. 16th we published a new version of our Installed Collector, release 19.361-16, which has been updated to leverage Log4j 2.16.0 and address the vulnerability related to CVE-2021-45046. We recommend all customers upgrade their Installed Collector to this latest version immediately.

  • Please stay up to date with our latest releases to ensure any potential undiscovered or undisclosed issues in prior Log4j versions are not exploitable.

  • Sumo Logic’s Customer Support team is following up directly with customers on known vulnerable versions to ensure all customers get to a secure/safe version as soon as possible.

  • If you have any questions, please contact us at support@sumologic.com

Cloud-native architecture really matters

Built to scale

Dynamic, scalable, secure platform
We analyze more than an exabyte of data and one quadrillion records daily for over 2,300 enterprises around the world.

Multi-tenant architecture
Built for rapid deployment with consistent, continuously updated software and balanced resources across all customers.

Security by design

Built-in security from the ground up
Protect your users' data with best-in-class security technologies, rigorous security process, and daily rotated, per-customer encryption keys.

Built with security-first principle in and for the cloud
SOC 2 Type 2, PCI DSS 3.2.1, CSA Star, FedRAMP Moderate and HIPAA certifications.

Machine-learning powered analytics

Insightful analytics
Identify and predict anomalies in real-time with outlier detection and uncover root-causes using our patented LogReduce and LogCompare pattern analyses.

Powerful and intuitive query-based analytics
Unshackle power users with a rich operator library and enable all users with easy to use search templates.


You’re not alone.

EXISTING CUSTOMERS

We understand this is likely an extremely stressful time for you and your security team. If you’re a Sumo Logic customer, we want to assure you that our account team is standing by and ready to help. For any additional technical questions or concerns, please open a case with Sumo Logic Support by contacting them via email, or submitting your request.

EVERYONE

If you’re not yet a Sumo Logic customer but would like to gain a better understanding of how we’re helping organizations navigate this and future challenges, please request your own free trial.