The SonicWall Product Security and Incident Response Team (PSIRT) has determined that Network Security Manager (NSM) leverages a vulnerable Log4j version.
As previously communicated, SonicWall performed a comprehensive analysis of NSM that resulted in no observable attack vectors. To remove known or potential risk from customer environments, SonicWall has published an upgraded NSM (On-Prem) firmware to include Log4j 2.16.0, which addresses CVE-2021-44228 and CVE-2021-45046.
Note that SonicWall will provide a follow-up NSM (On-Prem) patch to include Log4j 2.17.0, which addresses CVE-2021-45105 and CVE-2021-42550. Expected availability is Dec. 24.
Review the knowledge base (KB) article carefully and follow its guidance for the firmware upgrade.