Protect Your IoT Devices from Log4j 2 Vulnerability

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.
L4 Transporter

The Log4j 2 vulnerability allows a malicious user to inject data in request payloads via HTTP, TCP, and other protocols.The Log4j 2 vulnerability allows a malicious user to inject data in request payloads via HTTP, TCP, and other protocols.


Disclaimer: This threat is rapidly evolving by the hour. Unit 42 researchers are updating this Unit 42 blog in real time, and therefore the blog serves as our single source of truth. The information provided is for general informational purposes only. 

Updated: Dec 20, 2021


Vulnerability Overview 

Cybersecurity researchers have identified a vulnerability that affects the Apache Log4j 2 Java logging library, an open-source Java-based logging framework leveraged by countless Java applications around the world. This vulnerability, dubbed Log4Shell, affects Apache log4j version 2. The Apache log4j 2 library allows developers to log data within an application and is widely used in many popular ones, such as Apache Struts, ElasticSearch, and Kafka.


The Log4j 2 vulnerability allows a malicious user to inject data in request payloads via HTTP, TCP, and other protocols. The malicious payload is then logged by the Java library logging system. If the victim server is vulnerable to the Log4j 2 vulnerability (that is, if it's running a vulnerable version of Log4j 2), an attacker can trigger it to request payloads from another attacker-controlled server, such as an LDAP server. By inserting malicious code into these payloads on a server that's under the attacker's control, the attacker can get the victim server to fetch and execute arbitrary code. 



CVSS v3.1 Score (Severity)



10.0 (Critical)

This vulnerability targets Apache Log4j version 2 before 2.15-rc1. Apache released a new version of Log4j 2 to address this vulnerability.


9.0 (Critical)

It was discovered that Log4j 2.15-rc1, which Apache released to address CVE-2021-44228, was incomplete in certain non-default configurations. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.


7.5 (High)

Log4j 2.16.0, which Apache released to address CVE-2021-45046, did not protect against uncontrolled recursion from self-referential lookups. This allows an attacker to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0.

At the time of writing, we have observed multiple exploits of these vulnerabilities in the wild. Customers are recommended to upgrade to the latest version (2.17.0) of Apache Log4j 2 for all systems. For more details, read the Palo Alto Networks Unit42 research report.


Identification, Detection, and Remediation

Palo Alto Networks IoT Security helps identify IoT devices and IoT device management servers where CVE-2021-44228, CVE-2021-45046, or CVE-2021-45105 are being exploited based on specific indicators of compromise or behavior observed in network traffic. Using machine learning and AI, IoT Security leverages anonymized cross-tenant data to create device profiles and behavioral models. It then uses its patented anomaly-detection mechanisms to distinguish deviations from normal network behavior. Such deviations can include, for example, a sudden appearance of traffic from a new source, an unusually high number of connections, or an inexplicable surge of certain attributes appearing in IoT application payloads. Finally, IoT Security generates alerts to notify administrators of the detected anomalous or suspicious behavior, explains if it’s indicative of known vulnerabilities, calls out security implications, and suggests actions to take to remediate the threat.


When IoT Security determines the identity of an IoT device and specifically the libraries it uses, it can alert you if it’s running an affected Apache Log4j library. If so, it displays a vulnerability alert in the IoT Security portal so you can take further action, such as updating the device to a software patch that doesn’t use the vulnerable library.


In addition, wherever applicable, IoT Security can work with other Palo Alto Networks security products such as WildFire, DNS Security, and Threat Prevention to provide more comprehensive protection of your devices. For example, Threat Prevention has specific detections to identify the CVE exploits related to the Log4j 2 vulnerabilities. Once identified, Threat Prevention can block any attempts to exploit these vulnerabilities. 


If you find any device that is vulnerable to these CVEs or exhibiting anomalous behavior, or if you receive a security alert, consider taking the following actions:


  • Patch the device to use the latest version (2.17.0 or newer) of Apache Log4j.
  • If you are unable to update Log4j 2 version, the following mitigations are available: 
    • Remove JndiLookup.class from the classpath and restart the service
      zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
  • Disable JNDI
    Set spring.jndi.ignore=true in the file
  • If you cannot patch your device or disable JNDI, take the following steps to minimize risk and keep your network safe:
    • Configure the vulnerable device to ensure it’s not accessible from the Internet. If Internet connectivity is necessary, limit the number of open ports on it to limit any backdoors.
    • Configure your network segments to ensure the vulnerable device is behind a firewall and isolated from guest and business networks.
    • Implement zero-trust network policies to protect any critical assets.
    • Block any anomalous IoT device traffic.
    • Quarantine any compromised device to stop attacks from spreading to other vulnerable devices in the same network segment.


For more information on Palo Alto Networks IoT Security, visit our website.


Register or Sign-in
Top Liked Authors