12-21-2021 02:59 AM
Hello everyone,
I just upgraded our Panorama servers to 9.0.15, but our SOC team is asking to know the exact log4j version included in this hotfix release, because they want all appliances to be upgraded to log4j 2.16.
According to this page (https://docs.paloaltonetworks.com/oss-listings/panorama-oss-listings/panorama-9-0-open-source-softwa...), Panorama 9.0 includes log4j version 2.9.1, so I think that they have made some mitigations/corrections to the code or the configuration to fix the vulnerability, rather than upgrading log4j to a newer version.
Does anybody know more on this?
01-20-2022 06:43 AM
In fixed versions of PAN-OS for Panorama, the included Elasticsearch package was remediated through the deletion of the vulnerable Log4j JndiLookup class file. This solution is provided by Elasticsearch announcement (ESA-2021-31) and the Log4j Security Vulnerabilities Page as a complete remediation option for CVE-2021-44228 and CVE-2021-45046. Panorama appliances are not impacted by CVE-2021-45105 and require no specific fix.