SonicWall Product (Appliance/Cloud/Virtual/On-Prem) | Status | Description |
---|
Email Security (ES) & Hosted Email Security (HES) | Impacted | Email Security (ES) 10.0.12 and earlier versions are impacted by Log4j vulnerabilities tracked via CVE-2021-44228 (ES 10.0.11 and earlier), CVE-2021-45046 and CVE-2021-45105.
SonicWall has released SonicWall Email Security firmware 10.0.13 to include the updated Log4j2 2.17.0 that patches the above vulnerabilities. Hosted Email Security (HES) was patched automatically.
IMPORTANT: All SonicWall customers using Email Security (On-Prem) devices should immediately log in to MySonicWall and upgrade to Email Security firmware 10.0.13, even if they previously upgraded to 10.0.12.
For upgrade guidance, please review the KB article, "How do I upgrade firmware on an Email Security appliance?" |
Network Security Manager (SaaS, On-Prem) | Impacted | SonicWall PSIRT review has determined NSM does use a vulnerable Log4j version. SonicWall has performed a comprehensive analysis of NSM that resulted in no observable attack vectors for the Log4j2 suite of vulnerabilities.
However, to remove known or potential risk from customer environments, SonicWall has published NSM (On-Prem) firmware 2.3.2-R12-H2 to include Log4j 2.17.0, which addresses CVE-2021-45105 and CVE-2021-42550. As a precaution, NSM 2.3.2-R12-H2 also includes an upgrade to Logback 1.2.9 to address CVE-2021-42550.
NSM (SaaS) was automatically patched to the latest firmware.
IMPORTANT: All SonicWall customers using NSM (On-Prem) devices should immediately log in to MySonicWall and upgrade to 2.3.2-R12-H2, even if they previously upgraded to 2.3.2-R12-H1.
For upgrade guidance, please review the KB article, "How do I upgrade on-prem Network Security Manager firmware?" |
Web Application Firewall (WAF) | Partially Impacted | Additional review has found that WAF 3.x uses Log4j, but only when the legacy ‘Cloud Management’ feature is enabled. SonicWall recommends customers disable 'Cloud Management' if enabled. This change will not impact functionality. This feature is disabled by default. WAF 2.x and earlier versions do not use Log4j and are not impacted. Please follow the guidance in the dedicated KB article for changing this setting. |
Gen5 Firewalls (EOS)
- TZ100/W, TZ200/W, TZ210/W
- NSA 220/W
- NSA 250M/250M-W
- NSA 2400/MX/3500/4500/5500
- NSA E5500/6500/6500/8500/8510
| Not Impacted | Log4j2 not used in the appliance. |
Gen6 Firewalls
- TZ300/W, TZ350/W, TZ400/W, TZ500/W, TZ600
- NSa 2600/2650/3600/3650/4600 /4650/5600/5650/6600/6650
- SuperMassive 9200/9400/9600/9800
- NSa 9250/9450/9650
- NSsp 12400/12800
- NSv 10/25/50/100/200/400/800/1600 (ESX, KVM, HYPER-V, AWS, Azure)
| Not Impacted | Log4j2 not used in the appliance. |
Gen7 Firewalls
- TZ270/W, TZ370/W, TZ470/W, TZ570/W, TZ670
- NSa 2700/3700/4700/5700/6700
- NSsp 10700/11700/13700/15700
- NSv 270/470/870 (ESX, KVM, HYPER-V, AWS, Azure)
| Not Impacted | Log4j2 not used in the appliance. |
SonicWall Switch
- SWS 12-8/12-8POE
- SWS 12-10FPOE
- SWS 14-24/14-24FPOE
- SWS 14-48/14-48FPO
| Not Impacted | Log4j2 not used. |
SMA 100
- SMA 200/210/400/410
- SMA 500v (ESX, KVM, Hyper-V, AWS, Azure)
| Not Impacted | Log4j2 not used. |
SMA 1000
- SMA 6200/7200/6210/7210
- SMA 8200v (ESX, KVM, Hyper-V, AWS, Azure
| Not Impacted | Version 12.x not using vulnerable Log4j version. |
MySonicWall (MSW) | Not Impacted | Log4j2 not used. |
Analyzer | Not Impacted | Version Analyzer 1.x is not using the vulnerable Log4j version. |
GMS | Not Impacted | GMS version 9.x and 8.x are not using the vulnerable Log4j version. |
Capture Client & Capture Client Portal | Not Impacted | Log4j2 not used. |
CAS | Not Impacted | Log4j2 not used. |
Access Points | Not Impacted | Log4j2 not used. |
Wireless Network Manager (WNM) | Not Impacted | Log4j2 not used. |
Capture Security Appliance | Not Impacted | Log4j2 not used. |
WXA
- WXA 2000/4000
- Virtual: WXA 5000
- Software: WXA 500, WXA 6000
| Not Impacted | WXA is not using the vulnerable Log4j version. |
CSCMA | Not Impacted | CSCMA is not using the vulnerable Log4j version. |
EPRS | Not Impacted | EPRS 1.x and 2.x are not using the vulnerable Log4j version. |
Cloud Edge | Not Impacted | Cloud Edge is not using the vulnerable Log4j version. |
Analytics | Not Impacted | Analytics is not using the vulnerable Log4j version. |