{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2021-071.pdf"
    },
    "title": "UPDATE: Palo Alto Critical Vulnerability",
    "serial_number": "2021-071",
    "publish_date": "16-12-2021 15:43:00",
    "description": "On December 16th, Palo Alto updated its advisory related to CVE-2021-44228 affecting PAN-OS for Panorama. While this CVE affects the Java logging library \"log4j\", all products using this library are vulnerable at least to Unauthenticated Remote Code Execution.<br>On December 17th, Palo Alto added the Exact Data Matching CLI to the list of affected products in its advisory.<br>On December 21st, Palo Alto released fixes for various versions of its products.",
    "url_title": "2021-071",
    "content_markdown": "---\ntitle: 'Palo Alto Critical\u00a0Vulnerability'\nversion: '1.1'\nnumber: '2021-071'\ndate: 'December 21, 2021'\n---\n\n_History:_\n\n* _16/12/2021 --- v1.0 -- Initial publication_\n* _21/12/2021 --- v1.1 -- Update PaloAlto affected products and recommendations_\n\n# Summary\n\nOn December 16th, Palo Alto updated its advisory related to CVE-2021-44228 affecting PAN-OS for Panorama [1]. While this CVE affects the Java logging library `log4j` [1], all products using this library are vulnerable _at least_ to Unauthenticated Remote Code Execution [2].\n\nOn December 17th, Palo Alto added the Exact Data Matching CLI to the list of affected products in its advisory.\n\nOn December 21st, Palo Alto released fixes for various versions of its products.\n\n# Technical Details\n\nThe vulnerability exists in the Java logging library log4j. An unauthenticated remote attacker might exploit this vulnerability by sending specially crafted content to the application to execute malicious code on the server [2]. PAN-OS for Panorama is affected because vulnerable versions include ElasticSearch, which uses the log4j library.\n\nPanorama hardware and virtual appliances are vulnerable only if running in _Panorama mode_ or _Log Collector mode_ as part of a Collector group. To determine whether the Panorama appliance is part of a Collector group, go to _Panorama_ -> _Manage Collectors_ in the web interface.\n\n# Affected products\n\n- PAN-OS for Panorama versions `<9.0.15`, `<10.0.8-h8`, and `<9.1.12-h3`\n- Exact Data Matching CLI versions `<1.2`\n\n# Recommendations\n\nPalo Alto recommends upgrading the Panorama appliance to the latest fixed release (versions `>=9.0.15`, `>=10.0.8-h8`, or `>=9.1.12-h3`). Palo Alto also recommends upgrading the Exact Data Matching CLI to version 1.2 or higher.\n\nNotes:\n\n- PAN-OS `8.1.*` for Panorama is not vulnerable\n- PAN-OS `10.1.*` for Panorama is not vulnerable\n\n## Workarounds and Mitigations\n\nAs a workaround, Palo Alto recommends removing the Panorama appliance from any Collector groups via the web interface (_Panorama_ -> _Manage Collectors_). Once restarted, the appliance no longer uses ElasticSearch, which eliminates the exposure to CVE-2021-44228.\n\nAs a mitigation, Palo Alto also recommends using ACLs to limit network access to Panorama to trusted users, networks and IP addresses only. To do so, use App-ID for `ldap` and `rmi-iiop` to block all LDAP and RMI traffic from untrusted networks or unexpected sources.\n\n# References\n\n[1] <https://security.paloaltonetworks.com/CVE-2021-44228>\n\n[2] <https://media.cert.europa.eu/static/SecurityAdvisories/2021/CERT-EU-SA2021-067.pdf>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>16/12/2021 --- v1.0 -- Initial publication</em></li><li><em>21/12/2021 --- v1.1 -- Update PaloAlto affected products and recommendations</em></li></ul><h2 id=\"summary\">Summary</h2><p>On December 16th, Palo Alto updated its advisory related to CVE-2021-44228 affecting PAN-OS for Panorama [1]. While this CVE affects the Java logging library <code>log4j</code> [1], all products using this library are vulnerable <em>at least</em> to Unauthenticated Remote Code Execution [2].</p><p>On December 17th, Palo Alto added the Exact Data Matching CLI to the list of affected products in its advisory.</p><p>On December 21st, Palo Alto released fixes for various versions of its products.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability exists in the Java logging library log4j. An unauthenticated remote attacker might exploit this vulnerability by sending specially crafted content to the application to execute malicious code on the server [2]. PAN-OS for Panorama is affected because vulnerable versions include ElasticSearch, which uses the log4j library.</p><p>Panorama hardware and virtual appliances are vulnerable only if running in <em>Panorama mode</em> or <em>Log Collector mode</em> as part of a Collector group. To determine whether the Panorama appliance is part of a Collector group, go to <em>Panorama</em> -> <em>Manage Collectors</em> in the web interface.</p><h2 id=\"affected-products\">Affected products</h2><ul><li>PAN-OS for Panorama versions <code>&lt;9.0.15</code>, <code>&lt;10.0.8-h8</code>, and <code>&lt;9.1.12-h3</code></li><li>Exact Data Matching CLI versions <code>&lt;1.2</code></li></ul><h2 id=\"recommendations\">Recommendations</h2><p>Palo Alto recommends upgrading the Panorama appliance to the latest fixed release (versions <code>&gt;=9.0.15</code>, <code>&gt;=10.0.8-h8</code>, or <code>&gt;=9.1.12-h3</code>). Palo Alto also recommends upgrading the Exact Data Matching CLI to version 1.2 or higher.</p><p>Notes:</p><ul><li>PAN-OS <code>8.1.*</code> for Panorama is not vulnerable</li><li>PAN-OS <code>10.1.*</code> for Panorama is not vulnerable</li></ul><h3 id=\"workarounds-and-mitigations\">Workarounds and Mitigations</h3><p>As a workaround, Palo Alto recommends removing the Panorama appliance from any Collector groups via the web interface (<em>Panorama</em> -> <em>Manage Collectors</em>). Once restarted, the appliance no longer uses ElasticSearch, which eliminates the exposure to CVE-2021-44228.</p><p>As a mitigation, Palo Alto also recommends using ACLs to limit network access to Panorama to trusted users, networks and IP addresses only. To do so, use App-ID for <code>ldap</code> and <code>rmi-iiop</code> to block all LDAP and RMI traffic from untrusted networks or unexpected sources.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://security.paloaltonetworks.com/CVE-2021-44228\">https://security.paloaltonetworks.com/CVE-2021-44228</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://media.cert.europa.eu/static/SecurityAdvisories/2021/CERT-EU-SA2021-067.pdf\">https://media.cert.europa.eu/static/SecurityAdvisories/2021/CERT-EU-SA2021-067.pdf</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}