
CVE-2021-44228: Impact of Log4j Vulnerabilities CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832

Severity: 9.8 CRITICAL
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Description

The Apache Log4j Java library is vulnerable to a remote code execution vulnerability, CVE-2021-44228, known as Log4Shell, and to the related vulnerabilities CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832. Log4Shell allows remote unauthenticated attackers with the ability to inject text into log messages to execute arbitrary code loaded from malicious servers with the privileges of the process using Log4j.

These products and services are not affected by Log4Shell: Bridgecrew, Cortex Data Lake, Cortex XDR agents, Cortex XSOAR, Cortex Xpanse, Enterprise Data Loss Prevention (DLP), Expedition, the GlobalProtect app, IoT Security, Okyo Garde, PAN-DB Private Cloud, PAN-OS software running on firewalls including VM and CN series, Prisma Access, Prisma Cloud, Prisma Cloud Compute, Prisma SD-WAN (CloudGenix), SaaS Security, Traps, User-ID Agent, WildFire Appliance (WF-500), and WildFire Cloud.

We have determined that some configurations of Panorama appliances with PAN-OS 9.0, PAN-OS 9.1, and PAN-OS 10.0 are impacted by CVE-2021-44228 and CVE-2021-45046 through the use of Elasticsearch. Fixes were released on December 20, 2021 to address both vulnerabilities on impacted PAN-OS versions. Panorama appliances are not impacted by CVE-2021-45105 and CVE-2021-44832.

NOTE: PAN-OS 8.1 and PAN-OS 10.1 versions for Panorama are not impacted by these issues. No version of PAN-OS for firewalls or WildFire appliances is affected.

These vulnerabilities impact versions 1.0 through 2.0 of the Exact Data Matching (EDM) CLI application provided with Enterprise Data Loss Prevention (DLP). The Enterprise DLP service itself is not affected by these issues.

The Palo Alto Networks Product Security Assurance team has completed evaluation of all products and services for these vulnerabilities. All cloud services with known possible impact have been remediated.

At this time, our guidance and criteria for impacted Panorama appliances remain the same for all related vulnerabilities. The Exact Data Matching (EDM) CLI application should now be upgraded to EDM CLI version 2.1 or later versions.

Product Status

Product                            Affected versions                      Unaffected versions
Bridgecrew                         None                                   all
Cortex Data Lake                   None                                   all
Cortex XDR Agent                   None                                   all
Cortex Xpanse                      None                                   all
Cortex XSOAR                       None                                   all
Enterprise Data Loss Prevention    None                                   all
Exact Data Matching CLI            < 2.1                                  >= 2.1
Expedition                         None                                   all
GlobalProtect App                  None                                   all
IoT Security                       None                                   all
Okyo Garde                         None                                   all
PAN-DB Private Cloud               None                                   all
PAN-OS for Firewall and WildFire   None                                   all
PAN-OS for Panorama                < 9.0.15, < 10.0.8-h8, < 9.1.12-h3     8.1.*, 10.1.*, >= 9.0.15, >= 10.0.8-h8, >= 9.1.12-h3
Prisma Access                      None                                   all
Prisma Cloud                       None                                   all
Prisma Cloud Compute               None                                   all
Prisma SD-WAN (CloudGenix)         None                                   all
SaaS Security                      None                                   all
Traps                              None                                   all
User-ID Agent                      None                                   all
WildFire Appliance                 None                                   all
WildFire Cloud                     None                                   all

Required Configuration for Exposure

Vulnerabilities CVE-2021-44228 and CVE-2021-45046 are applicable to Panorama hardware appliances and virtual appliances that have Elasticsearch software running. Appliances that run in Panorama mode or Log Collector mode and have also been part of a Collector Group are impacted. You can determine whether the appliance is part of a Collector Group by visiting ‘Panorama > Managed Collectors’ in the web interface, and verify whether Elasticsearch is running on the appliance by running the command ‘show system software status | match elasticsearch’ from the CLI.

Appliances running in Management Only mode or Legacy mode, including those used for Prisma Access, are not impacted.

Severity: CRITICAL

CVSSv3.1 Base Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of evidence showing the exploitation of these vulnerabilities against Panorama hardware appliances, Panorama virtual appliances, or the Exact Data Matching CLI application.

More information about the vulnerability's exploitation in the wild can be found in the Unit 42 threat brief: https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/

Weakness Type

CWE-94 Improper Control of Generation of Code ('Code Injection')

Solution

These issues are fixed in PAN-OS 9.0.15, PAN-OS 9.1.12-h3, PAN-OS 10.0.8-h8, and all later PAN-OS versions for Panorama hardware and virtual appliances.

NOTE: Though PAN-OS 10.1 is not impacted by these vulnerabilities, the responsible Log4j code was removed from PAN-OS 10.1 versions for Panorama appliances, starting with PAN-OS 10.1.4, for additional assurance.

If Panorama is running an impacted version of PAN-OS, and you would prefer to upgrade to PAN-OS 10.1, upgrade all appliances in affected Collector Groups to the latest PAN-OS 10.1 Preferred release (PAN-OS 10.1.3-h1 at time of publication) to remediate these issues.

NOTE: Prisma Access customers should refer to the Prisma Access and Panorama version compatibility document before upgrading Panorama: https://docs.paloaltonetworks.com/compatibility-matrix/prisma-access/prisma-access-and-panorama-version-compatibility.html

NOTE: Downgrading to PAN-OS 10.0 or earlier PAN-OS versions is not currently supported once Panorama is upgraded to PAN-OS 10.1.

Workarounds are available that eliminate the exposure for these older versions of Panorama until they can be upgraded to a fixed version.

For Enterprise Data Loss Prevention customers, these issues are fixed in Exact Data Matching (EDM) CLI application version 2.1 and all later EDM CLI versions.

No updates for other Palo Alto Networks products are required at this time.

Cortex XSOAR customers that have opted to deploy Elasticsearch in their environment should refer to the Elasticsearch announcement (ESA-2021-31) for remediation information. Elasticsearch 7.16 is not supported with Cortex XSOAR:

https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

Enable signatures for unique threat IDs 91991, 91994, 91995, 92001, and 92007 to block a number of known attacks against CVE-2021-44228 and CVE-2021-45046 across the network.

These signatures block the first stage of the attack. Suitable egress filtering is key to blocking the second stage of the attack. Use App-ID for ‘ldap’ and ‘rmi-iiop’ to block all LDAP and RMI to or from untrusted networks and unexpected sources.

SSL decryption needs to be enabled on the firewall to block known attacks over HTTPS.

Customers with Log4j in their environments should upgrade or apply the workarounds suggested by the respective vendors, and not rely only on the Threat Prevention signatures.

See https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/ for more details on the Palo Alto Networks product capabilities to protect against attacks that exploit this issue.

Workarounds and Mitigations

Each Panorama hardware appliance and virtual appliance running in Panorama mode or Log Collector mode that has also been part of a Collector Group must be removed from its Collector Group in ‘Panorama > Collector Group > Custom-CG-Name > General’ from the web interface. Once affected appliances are removed from all groups, a Panorama commit and a Collector Group push for all affected Collector Groups must be performed. The Collector Groups should not be deleted before performing the Collector Group push for the affected Collector Groups; otherwise the Collector Group push will fail to remove the appliances.

NOTE: When this workaround is applied, logging and reporting features in Panorama will not work. All logs stored on the appliance will be lost once it is removed from the Collector Group.

Finally, all appliances that were part of the Collector Group need to be restarted to stop the use of Elasticsearch. This eliminates the exposure to CVE-2021-44228 and CVE-2021-45046.

You can restart the appliance by visiting ‘Panorama > Operations > Device Operations > Reboot Panorama’ from the web interface or by using the command ‘request restart system’ from the CLI.

Once these steps are completed, you can verify that Elasticsearch has stopped and the appliance’s exposure to CVE-2021-44228 and CVE-2021-45046 has been removed, by running the command ‘show system software status | match elasticsearch’ from the CLI.

Managed PAN-OS firewalls can be configured to forward logs to other servers until Panorama log collection functionality is restored. Alternate Log Forwarding options are detailed here: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/objects/objects-log-forwarding.html

Follow the security best practices listed in ‘Protecting Panorama and Log Collector Inbound and Outbound Communications’ to reduce the risk of successful exploitation of CVE-2021-44228 and CVE-2021-45046 on Panorama appliances: https://live.paloaltonetworks.com/t5/general-articles/protecting-panorama-and-log-collector-inbound-and-outbound/ta-p/454071

Additionally, use ACLs to limit network access to Panorama to only trusted users and trusted networks and IP addresses. Use App-ID for ‘ldap’ and ‘rmi-iiop’ to block all LDAP and RMI traffic to and from untrusted networks or unexpected sources.

No other workarounds or mitigations are available for Palo Alto Networks products at this time.

Frequently Asked Questions

Q. Does Panorama use Log4j?

Panorama includes Elasticsearch, which uses the Log4j library.

Panorama devices and virtual appliances running PAN-OS 9.0, PAN-OS 9.1, and PAN-OS 10.0 software include Elasticsearch 5.6.7, which uses Log4j 2.9.1. Only the Panorama versions listed as affected in this advisory are susceptible to the RCE risks associated with the Log4Shell vulnerabilities. Though the fixed versions of Panorama list the same versions of Log4j, the vulnerable Java class file has been removed from them.

Panorama with PAN-OS 8.1 includes Elasticsearch 2.2.2 with Log4j 1.2.17 and Panorama with PAN-OS 10.1 includes Elasticsearch 6.8.12 with Log4j 2.11.1. These do not have the security risks associated with Log4Shell.

Q. How was Log4j fixed in Panorama?

In fixed versions of PAN-OS for Panorama, the included Elasticsearch package was remediated through the deletion of the vulnerable Log4j JndiLookup class file. This solution is provided by Elasticsearch announcement (ESA-2021-31) and the Log4j Security Vulnerabilities Page as a complete remediation option for CVE-2021-44228 and CVE-2021-45046. Panorama appliances are not impacted by CVE-2021-45105 and CVE-2021-44832, requiring no specific fix.

NOTE: Though PAN-OS 10.1 is not impacted by these vulnerabilities, the JndiLookup.class was removed out of an abundance of caution in PAN-OS for Panorama appliances starting with PAN-OS 10.1.4.
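As an added, hands-on illustration of the remediation described in this answer (example code written for this page, not Palo Alto Networks' or Elastic's tooling), the Python script below inspects log4j-core jars for the JndiLookup.class entry, reads the Log4j version from the jar's Maven metadata, and writes a copy with that class removed, which is the same change as deleting the class from the jar. The function names are this example's own, and it runs against a constructed stand-in jar labelled 2.9.1 (the version the page cites) rather than a real log4j-core; as the page states, this removal addresses CVE-2021-44228 and CVE-2021-45046 only.

```python
import os
import tempfile
import zipfile

# JNDI lookup class deleted by the fix above, and Maven metadata that gives the version.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def inspect_jar(path):
    """Return (log4j version or None, True if JndiLookup.class is present)."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        return version, JNDI_CLASS in names


def strip_jndi_lookup(src, dst):
    """Copy src to dst, dropping JndiLookup.class and keeping every other entry."""
    with zipfile.ZipFile(src) as jin, zipfile.ZipFile(dst, "w") as jout:
        for info in jin.infolist():
            if info.filename != JNDI_CLASS:
                jout.writestr(info, jin.read(info.filename))


def scan_dir(root):
    """Map every .jar under root to its (version, has_jndi_lookup) finding."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                findings[path] = inspect_jar(path)
    return findings


def make_sample_jar(path, version="2.9.1"):
    """Constructed sample: a minimal stand-in for log4j-core, not a real jar."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not bytecode


def demo():
    """Scan a constructed jar, strip the class, rescan, and count jars found."""
    workdir = tempfile.mkdtemp()
    before = os.path.join(workdir, "log4j-core-2.9.1.jar")
    after = os.path.join(workdir, "log4j-core-2.9.1-stripped.jar")
    make_sample_jar(before)
    strip_jndi_lookup(before, after)
    return inspect_jar(before), inspect_jar(after), len(scan_dir(workdir))
```

Point scan_dir at a real installation's library directory to list every jar that still carries the class, and keep the original jar until the stripped copy has been verified.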

Timeline

Panorama appliances are not impacted by CVE-2021-44832 and a new EDM CLI application fix is available
Traps is confirmed to be unaffected
Update for related vulnerability CVE-2021-44832
Clarified how Log4j was fixed in FAQ. Added note about deletion of Log4j code in PAN-OS 10.1.4
Fixes are available for impacted Panorama appliances. Updates around related vulnerability CVE-2021-45105
Update for related vulnerability CVE-2021-45046. Guidance for impacted products remains the same
Added confirmation that PAN-DB Private Cloud is unaffected
Clarifications made for Panorama appliances. Exact Data Matching CLI application is confirmed to be affected
Added ETAs for PAN-OS fixed versions and additional information
Clarification that there is no evidence of active Panorama exploitation
Some versions of Panorama are confirmed to be susceptible to remote code execution. Evaluation of all products and services is complete
UserID-Agent is confirmed to be unaffected
The impact of the vulnerability on Panorama hardware and virtual appliances is under investigation
Prisma Access and Okyo Garde are confirmed to be unaffected. Context for Panorama's Log4j usage
Product status and Threat Prevention coverage updates
Bridgecrew is confirmed to be unaffected
Panorama is confirmed to be unaffected (Update: 12/15: new information is available that changes this evaluation)
WildFire Appliance (WF-500) is confirmed to be unaffected
Initial publication
© 2022 Palo Alto Networks, Inc. All rights reserved.