
As we in AFS deal predominately with network security, we will outline below the vulnerable products and the patches that you need to apply for the two major NetSec/Firewall vendor – Palo Alto Networks.
Most vendors use open source libraries which are the spinning wheel of modern day technology. We share and reuse well settled solutions and libraries of proven research. The science says “nothing is perfect, but we strive to make it less wrong”. In our networking/software case we say that we need a patch.
What is Log4j:
Apache Log4j is a Java-based logging utility. It is part of the Apache Logging Services, a project of the Apache Software Foundation. Log4j is one of several Java logging frameworks. It is vastly used in thousands of software products on the market today.
What is vulnerable:
Apache Log4j2 vulnerability https://logging.apache.org/log4j/2.x/security.html
“In Apache Log4j2 versions up to and including 2.14.1 (excluding security release 2.12.2), the JNDI features used in configurations, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.”
Speaking in more plain language, an attacker can instruct the system to download and subsequently execute a malicious payload by submitting a specially crafted request to a vulnerable system.
What makes it worse is that after the public release of the PoC (Proof of Concept) of the exploit, everybody in the business realized it is in fact an easy exploit. Another thing to mention is the fact that Java is so widely spread and used within our products, making the identification, validation for vulnerability and patching an extremely time-consuming process, while the majority of internet baddies can fastly scan and execute the ready exploit.
PaloAlto Networks products affected by Log4j
Quote from Palo Alto Unit 42: Due to its recent discovery, there are still many on-premises and cloud servers that have yet to be patched. The exploit code for the CVE-2021-44228 vulnerability has been made publicly available, and massive scanning activity has begun on the internet with the intent of seeking out and exploiting unpatched systems.
Even if you’re not an Apache Log4j user, it’s still likely that one of your partners, customers or suppliers uses software that includes the vulnerable component
Affected Palo Alto Networks Products:
The Firewalls themselves are not affected but the Panorama Manager is. At first, Palo Alto did not find the Panorama product directly vulnerable but further scrutiny found that one component, the Elastic Search, inside the 9.1 and 10.0 trains of PAN OS, was in fact vulnerable.
If you are running 9.1 or 10.0 in your environment, there is an urgent hotfix available – 10.0.8-h8 and 9.1.12-h3. Furthermore, the Elastic Search is a component of the Log Collector feature of Panorama, so all Panoramas in the mentioned PAN OS аре vulnerable, that run in Panorama (MGMT+Log Collector) or Log Collector mode, however most implementation around the world are using this type of configuration due to the added benefits of lowering the amount of panorama devices needed.
Quote from Palo Alto:
We have determined that some configurations of Panorama appliances with PAN-OS 9.0, PAN-OS 9.1, and PAN-OS 10.0 are impacted by CVE-2021-44228 and CVE-2021-45046 through the use of Elasticsearch. Fixes were released on December 20, 2021 to address both vulnerabilities on impacted PAN-OS versions. Panorama appliances are not impacted by CVE-2021-45105.
NOTE: PAN-OS 8.1 and PAN-OS 10.1 versions for Panorama are not impacted by these issues. All versions of PAN-OS for firewalls and WildFire appliances are not affected.
Product Status (PA)
Versions | Affected | Unaffected |
WildFire Cloud | None | all |
WildFire Appliance | None | all |
User-ID Agent | None | all |
SaaS Security | None | all |
Prisma SD-WAN (CloudGenix) | None | all |
Prisma Cloud Compute | None | all |
Prisma Cloud | None | all |
Prisma Access | None | all |
PAN-OS for Panorama | < 9.0.15, < 10.0.8-h8, < 9.1.12-h3 | 8.1.*, 10.1.*, >= 9.0.15, >= 10.0.8-h8, >= 9.1.12-h3 |
PAN-OS for Firewall and Wildfire | None | all |
PAN-DB Private Cloud | None | all |
Okyo Garde | None | all |
IoT Security | None | all |
GlobalProtect App | None | all |
Expedition | None | all |
Exact Data Matching CLI | < 1.2 | >= 1.2 |
Enterprise Data Loss Prevention | None | all |
Cortex XSOAR | None | all |
Cortex Xpanse | None | all |
Cortex XDR Agent | None | all |
Cortex Data Lake | None | all |
Bridgecrew | None | all |
My network is affected, how do I patch?
Ask your managed services provider to do it, or contact a consultancy company.
Conclusion:
It is not an easy track all security vulnerabilities, to know what to patch, when to patch and how to react each time a new one comes out (which is in fact quite often these days).
AFS team is here to help, this is our expertise and we will be happy to help anyone seeking consultation, advice, quick check, or patching. Just contact us!
Reference links:
https://start.paloaltonetworks.com/apache-log4j-threat-update.html
https://www.paloaltonetworks.com/blog/2021/12/defense-for-apache-log4j/
https://security.paloaltonetworks.com/CVE-2021-44228
No Comments