Determining if you’re affected

• If you’re using Apache Log4j logging services in your organization, please compare your version against this Apache source for details on updating to the latest version to address the recent security vulnerabilities.
• Our Content team is actively working on developing dashboards/searches for customers to leverage to help identify potential cases of compromise within their environment.
• Using your Sumo Logic platform, here is a common search that you can use to find current versions of the exploit that bad actors may be attempting to abuse, which may help you identify cases in your own environment:
  ("jndi:" or "{lower:j" or "{upper:j" or "-j}" or ":-j%7") | parse regex "(?<jndi_string>\$\{(?:\$\{[^\}])?j\}?(?:\$\{[^\}])?n\}?(?:\$\{[^\}])?d\}?(?:\$\{[^\}])?i.*?:}?[^,;\"\\]+}?)[\\\";,]" nodrop
• For a deeper technical dive on hunting for this activity, check out our Log4Shell CVE-2021-44228 Situational Awareness Brief.

How Sumo Logic mitigates this vulnerability

What steps have been taken?

• Beginning early in the morning on Dec. 10th, Sumo Logic’s security team investigated and validated the nature and severity of the exploit against potential points of compromise and determined that at NO time was Sumo Logic exploited.
• We use a custom SumoLog4Layout library that never invokes custom lookups (as compared to Apache Log4j) so the Sumo Logic Service was never impacted.
• Sumo Logic’s Installed Collector is designed to not invoke anything that it is receiving on the internet. Further, the logging that we do use Log4j for in our collector is for internal audit purposes only—so this never posed any significant risk. As a precaution, we released an updated Installed Collector on Dec. 11th with Log4j v2.15.0 in case the situation escalated. With the discovery of CVE-2021-45046, we updated our collector on Dec. 16th with Log4j v2.16.0. With the discovery of CVE-2021-45105, we updated our collector on Dec. 19th with Log4j v2.17.0. On Dec. 29th we updated our collector with Log4j v2.17.1 to proactively protect against CVE-2021-44832.
• Sumo Logic remains in constant communication with our customers.
• Sumo Logic’s System Security and Global Operations Center teams continue to monitor this situation closely for any change in the nature of the vulnerability, methods of compromise, and detection bypass methods.

What should Sumo Logic customers do?

• On Dec. 29th we published a new version of our Installed Collector, release 19.375-4, which has been updated to leverage Log4j v2.17.1 and address the vulnerability related to CVE-2021-44832. We recommend all customers upgrade their Installed Collectors to this latest version immediately.
• Please stay up to date with our latest releases to ensure any potential undiscovered or undisclosed issues in prior Log4j versions are not exploitable.
• Sumo Logic’s Customer Support team is following up directly with customers on known vulnerable versions to ensure all customers get to a secure/safe version as soon as possible.
• If you have any questions, please contact us at support@sumologic.com