Security Notice: Apache Log4j Remote Code Execution (RCE) Log4shell Vulnerability (CVE-2021-44228)
The Apache Log4j project disclosed CVE-2021-44228, which is a Critical (CVSS 10.0) remote code execution vulnerability affecting Apache Log4j2 versions <= 2.14.1. A subsequent security patch was released on Dec 10, 2021.
SonicWall has observed widespread scanning and exploitation of this vulnerability over the internet using a publicly available PoC (Proof of Concept) exploit. SonicWall is currently investigating its product line to determine scope and impact, as utilization of Log4j does not immediately suggest exploitation is possible.
Please see the following resources to learn more:
@micah - SonicWall's Self-Service Sr. Manager
Comments
Any idea when SonicWall is going to clean up the ESA code?
https://community.sonicwall.com/technology-and-support/discussion/3386/es-vulnerable-to-log4shell#latest
The security advisory has been updated and as of this post states, "Firmware security patch 10.0.12 is available for download."
Please refer to the security advisory for a full update.
Kind Regards,
@micah - SonicWall's Self-Service Sr. Manager