Apache Log4j Vulnerability
The Apache Log4j project recently disclosed CVE-2021-44228, which is a critical (CVSS 10.0) remote code execution (RCE) vulnerability affecting Apache Log4j2<= 2.14.1.
An initial security patch (Log4j 2.15.0) was released on December 10, 2021, with subsequent Log4j 2.16.0 and Log4j 2.17.0 versions published to correct additional vulnerabilities (CVE-2021-45046, CVE-2021-45105).
The SonicWall Product Security Incident and Response Team (PSIRT) has completed its initial review of the impact the Log4j 2.14.1 vulnerability has to SonicWall products. For the latest information, please see PSIRT Advisory ID SNWLID-2021-0032, which will be continually updated during this industry event.
As communicated via direct emails to impacted customers and partners, all SonicWall products are unaffected except for the following:
Email Security (On-Prem, Hosted):
If you haven’t already done so, customers using on-premises Email Security (ES) devices are strongly advised to log in to MySonicWall and upgrade to ES 10.0.13, which now uses Log4j 2.17.0 to patch additional vulnerabilities tracked via CVE-2021-45046 and CVE-2021-45105. Hosted Email Security (HES) was updated automatically to include Log4j 2.17.0.
Network Security Manager (On-Prem, SaaS):
If you haven’t already done so, NSM (On-Prem) customers are strongly advised to log in to MySonicWall and upgrade to NSM 2.3.2-R12-H2, which now uses Log4j 2.17.0 to patch additional vulnerabilities tracked via CVE-2021-45046 and CVE-2021-45105. As a precaution, the latest NSM firmware also includes an upgrade to Logback 1.2.9 to address CVE-2021-42550. Network Security Manager (NSM) SaaS was updated automatically.
WAF 3.x:
No patch required, but WAF 3.x uses some Log4j functionality. The product is only impacted when a legacy, non-supported ‘Cloud Management’ feature is enabled. Customers, who were notified on Dec. 16, are recommended to disable this feature and mitigate any risk without impacting product functionality. The feature is disabled by default. WAF 1.x and WAF 2.x are not impacted.
NEW: PSIRT is also tracking vulnerability CVE-2021-4104 related to Log4j 1.x and its impact on SonicWall products. Please reference PSIRT Advisory SNWLID-2021-0033 for updates regarding that CVE going forward.
For the latest information regarding SonicWall products and Apache Log4j 2.x, please continue to reference PSIRT Advisory ID SNWLID-2021-0032.
Read PSIRT Advisory Read Support Article
IMPORTANT: Adhering to industry best practices, SonicWall does not provide support (e.g., technical support, firmware updates/upgrades, hardware replacements) for products that have reached End-of-Support (EOS) status. View the SonicWall Product Lifecycle Table for more information.
TZ Entry Level Firewall Series
A high-performance integrated threat prevention platform for small/medium organisations and distributed enterprises
Get high-speed threat prevention in a flexible, integrated security solution with the SonicWall TZ Series. Designed for small networks and distributed enterprises with remote and branch locations, the TZ Series offers five different models that can be tuned to meet your specific needs. Advanced networking and management features such as Secure SD-WAN and Zero-Touch Deployment make it easy to bring up new sites as you need. Add optional capabilities including PoE/PoE+ support and 802.11ac WiFi to create a unified security solution that protects your network and data from the latest threats over wired and wireless connections.
SonicWall Firewalls available at Comms Express:
SONICWALL TZ350 | SONICWALL TZ400 | SONICWALL TZ400 Wireless-AC | SonicWall TZ500 | SONICWALL TZ500 Wireless-AC | SONICWALL TZ600 | SONICWALL TZ600P | SONICWALL SOHO 250 | SONICWALL SOHO 250 Wireless
If you require any further information on these or any other products that we stock here at Comms Express, please do not hesitate to contact our team who will be only too happy to help.
