https://live.paloaltonetworks.com/t5/panorama-discussions/exact-log4j-version-on-panorama-9-0-15/m-p/459811#M664 <H4>Q. How was Log4j fixed in Panorama?</H4> <BLOCKQUOTE> <P>In fixed versions of PAN-OS for Panorama, the included Elasticsearch package was remediated through the deletion of the vulnerable Log4j JndiLookup class file. This solution is provided by Elasticsearch announcement (ESA-2021-31) and the Log4j Security Vulnerabilities Page as a complete remediation option for CVE-2021-44228 and CVE-2021-45046. Panorama appliances are not impacted by CVE-2021-45105 and require no specific fix.</P> </BLOCKQUOTE> Thu, 20 Jan 2022 14:43:16 GMT PerryPapanier 2022-01-20T14:43:16Z https://live.paloaltonetworks.com/t5/panorama-discussions/exact-log4j-version-on-panorama-9-0-15/m-p/454664#M585 <P>Hello everyone,</P> <P>&nbsp;</P> <P>I just upgraded our Panorama servers to 9.0.15, but our SOC team is asking to know the exact log4j version included in this hotfix release, because they want all appliances to be upgraded to log4j 2.16.</P> <P>&nbsp;</P> <P>According to this page (<A href="https://docs.paloaltonetworks.com/oss-listings/panorama-oss-listings/panorama-9-0-open-source-software-oss-listing.html#idcddd66f0-c26a-43e5-b143-e777cd4f4ca4" target="_blank">https://docs.paloaltonetworks.com/oss-listings/panorama-oss-listings/panorama-9-0-open-source-software-oss-listing.html#idcddd66f0-c26a-43e5-b143-e777cd4f4ca4</A>), Panorama 9.0 includes log4j version 2.9.1, so I think that they have made some mitigations/corrections to the code or the configuration to fix the vulnerability, rather than upgrading log4j to a newer version.</P> <P>&nbsp;</P> <P>Does anybody know more on this?</P> Tue, 21 Dec 2021 10:59:24 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/exact-log4j-version-on-panorama-9-0-15/m-p/454664#M585 grenzi 2021-12-21T10:59:24Z https://live.paloaltonetworks.com/t5/panorama-discussions/exact-log4j-version-on-panorama-9-0-15/m-p/459811#M664 <H4>Q. How was Log4j fixed in Panorama?</H4> <BLOCKQUOTE> <P>In fixed versions of PAN-OS for Panorama, the included Elasticsearch package was remediated through the deletion of the vulnerable Log4j JndiLookup class file. This solution is provided by Elasticsearch announcement (ESA-2021-31) and the Log4j Security Vulnerabilities Page as a complete remediation option for CVE-2021-44228 and CVE-2021-45046. Panorama appliances are not impacted by CVE-2021-45105 and require no specific fix.</P> </BLOCKQUOTE> Thu, 20 Jan 2022 14:43:16 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/exact-log4j-version-on-panorama-9-0-15/m-p/459811#M664 PerryPapanier 2022-01-20T14:43:16Z