QID 730318
Date Published: 2021-12-29
QID 730318: Palo Alto Networks (PAN-OS) Log4j Multiple Vulnerabilities (PAN-184592) (Log4Shell)
PAN-OS is the software that runs all Palo Alto Networks next-generation firewalls.
Apache Log4j Java library is vulnerable to a remote code execution vulnerability CVE-2021-44228, known as Log4Shell, and related vulnerabilities CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832. Log4Shell allows remote unauthenticated attackers with the ability to inject text into log messages to execute arbitrary code loaded from malicious servers with the privileges of the process utilizing Log4j.
Affected Versions:
PAN-OS for Panorama versions earlier than PAN-OS 9.0.15
PAN-OS for Panorama versions earlier than PAN-OS 9.1.12-h3
PAN-OS for Panorama versions earlier than PAN-OS 10.0.8-h8
QID Detection Logic (Authenticated):
This QID checks for vulnerable versions of PAN-OS.
NOTE: Vulnerabilities CVE-2021-44228 and CVE-2021-45046 are applicable to Panorama hardware appliances and virtual appliances that have Elasticsearch software running. Appliances that run in Panorama mode or Log Collector mode, and have also been part of a Collector Group, are impacted. You can determine whether the appliance is part of a Collector Group by visiting 'Panorama > Managed Collectors' in the web interface, and verify that Elasticsearch is running on the appliance by running the command show system software status | match elasticsearch from the CLI.
Appliances running in Management Only mode or Legacy mode, including those used for Prisma Access, are not impacted.
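As an added example (not part of the Qualys QID or the Palo Alto Networks advisory), the version check below implements the detection logic described above in Python: it parses a PAN-OS major.minor.maint[-hN] version string, compares it with the fixed release on its branch from the Affected Versions list, and combines the result with whether Elasticsearch is running, as the NOTE describes. Returning None for branches the list does not mention is an assumption, not something the advisory states.

```python
import re
from typing import Optional, Tuple

# Fixed versions per PAN-OS release branch, taken from the advisory's
# "Affected Versions" list (earlier versions on each branch are affected).
FIXED_VERSIONS = {
    (9, 0): "9.0.15",
    (9, 1): "9.1.12-h3",
    (10, 0): "10.0.8-h8",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Turn 'major.minor.maint[-hN]' into a comparable tuple; no hotfix counts as h0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_affected(version: str) -> Optional[bool]:
    """True if the version is earlier than the fixed release on its branch.

    Returns None for branches the advisory does not list (assumption: treat
    them as 'not assessed by this check', not as safe)."""
    parsed = parse_panos_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < parse_panos_version(fixed)


def assess(version: str, elasticsearch_running: bool) -> str:
    """Combine the version check with the advisory's scoping note: only
    appliances running Elasticsearch are exposed to CVE-2021-44228/45046."""
    affected = is_affected(version)
    if affected is None:
        return "branch not covered by this check"
    if not affected:
        return "fixed version"
    return "exposed" if elasticsearch_running else "affected version, Elasticsearch not running"


if __name__ == "__main__":
    # Constructed sample inputs, not output from a real appliance.
    for v, es in [("9.1.12", True), ("9.1.12-h3", True), ("10.0.8-h7", False), ("10.1.3", True)]:
        print(f"{v:<12} elasticsearch={es!s:<5} -> {assess(v, es)}")
```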
Refer to PAN-184592 for more information about patching this vulnerability.
Workaround:
Each Panorama hardware appliance and virtual appliance running in Panorama mode or Log Collector mode that has also been part of a Collector Group must be removed from its Collector Group in 'Panorama > Collector Group > Custom-CG-Name > General' from the web interface. Once affected appliances are removed from all groups, a Panorama commit and a Collector Group push for all affected Collector Groups must be performed. The Collector Groups should not be deleted before performing the Collector Group push for the affected Collector Groups; otherwise the Collector Group push will fail to remove the appliances.
NOTE: When this workaround is applied, logging and reporting features in Panorama will not work. All logs stored on the appliance will be lost once it is removed from the Collector Group.
Finally, all appliances that were part of the Collector Group need to be restarted to stop the use of Elasticsearch. This eliminates the exposure to CVE-2021-44228 and CVE-2021-45046.
You can restart the appliance by visiting Panorama > Operations > Device Operations > Reboot Panorama from the web interface or by using the command request restart system from the CLI.
Once these steps are completed, you can verify that Elasticsearch has stopped and that the appliance's exposure to CVE-2021-44228 and CVE-2021-45046 has been removed by running the command show system software status | match elasticsearch from the CLI.
Managed PAN-OS firewalls can be configured to forward logs to other servers until Panorama log collection functionality is restored. Alternate Log Forwarding options are detailed here: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/objects/objects-log-forwarding.html
Follow the security best practices listed in Protecting Panorama and Log Collector Inbound and Outbound Communications to reduce the risk of successful exploitation of CVE-2021-44228 and CVE-2021-45046 on Panorama appliances: https://live.paloaltonetworks.com/t5/general-articles/protecting-panorama-and-log-collector-inbound-and-outbound/ta-p/454071
Additionally, use ACLs to limit network access to Panorama to only trusted users and trusted networks and IP addresses. Use App-ID for ldap and rmi-iiop to block all LDAP and RMI traffic to and from untrusted networks or unexpected sources.
No other workarounds or mitigations are available for Palo Alto Networks products at this time.
- PAN-184592 - security.paloaltonetworks.com/CVE-2021-44228
CVEs related to QID 730318
Advisory ID | Software | Component | Link
---|---|---|---
PAN-184592 | | |