Apache Zero Day Vulnerability Response – Original Notice

Published December 10, 2021

Integration Partners wants to make you aware of a recently identified critical vulnerability (CVE-2021-44228) that impacts Apache’s log4j Java library. This vulnerability is being actively exploited in versions of log4j prior to 2.15.0.

Applications should be patched and log4j should be updated to 2.15.0 as soon as possible. If your application cannot be patched, the vulnerability can be mitigated by setting the system property “log4j2.formatMsgNoLookups” to “true” or by removing the JndiLookup class from the classpath.
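As an added example (not part of this notice and not vendor code), the script below inventories a JAR for log4j-core, reports the version it carries and whether JndiLookup.class is still inside it, and writes a copy with that class removed, which is the classpath mitigation described above. The helper names, the constructed sample JAR, and the assumption that the JAR ships log4j-core’s Maven pom.properties are mine.

```python
"""Inventory a JAR for log4j-core and strip JndiLookup.class (added example, not vendor code)."""
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # class the notice says to remove
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # carries "version=..."
FIXED_VERSION = (2, 15, 0)  # first release the notice tells you to update to

def parse_version(text):
    """Return (major, minor, patch) from a pom.properties 'version=' line, or None if unparsable."""
    for line in text.splitlines():
        if line.startswith("version="):
            parts = (line.split("=", 1)[1].strip().split(".") + ["0", "0"])[:3]
            try:
                return tuple(int(p) for p in parts)
            except ValueError:  # e.g. "2.0-beta9": report unknown rather than silently "safe"
                return None
    return None

def inspect_jar(path):
    """Report the log4j-core version in a JAR and whether JndiLookup.class is still present."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace")) if POM_PROPS in names else None
    has_class = JNDI_LOOKUP in names
    # Conservative: class present and version old or unknown means the mitigation is still outstanding.
    return {"path": str(path), "version": version, "has_jndi_lookup": has_class,
            "needs_action": has_class and (version is None or version < FIXED_VERSION)}

def scan_dir(root):
    """Inspect every *.jar below root (recursively), in sorted path order."""
    return [inspect_jar(p) for p in sorted(Path(root).rglob("*.jar"))]

def strip_jndi_lookup(src, dst):
    """Write a copy of src without JndiLookup.class (the classpath-removal mitigation) and re-inspect it."""
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for item in zin.infolist():
            if item.filename != JNDI_LOOKUP:
                zout.writestr(item, zin.read(item.filename))
    return inspect_jar(dst)

def build_sample_jar(path, version, include_class=True):
    """Constructed stand-in for log4j-core-<version>.jar (sample data only, not a real artifact)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_class:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode
    return path
```

Point scan_dir at an application's lib directory; log4j-core repackaged inside a WAR, EAR or shaded uber-JAR is not opened by this check and needs to be unpacked first.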

We are seeing reports that a lot of exploit traffic is coming from Tor exit nodes. If you run a Palo Alto Networks firewall, they have an ‘External Dynamic List’ (EDL) named ‘Palo Alto Networks – Tor exit IP addresses’. You can create a policy denying all traffic from that group, which will deny access from Tor exit nodes. This list is curated by Palo Alto and updated regularly.

Integration Partners recommends that Palo Alto Next Generation Firewall customers with the Threat license increase the dynamic update frequency to every hour. Palo Alto’s best-practice recommendation has been every 24 hours, but they have been releasing updates for this vulnerability nearly every day since it was announced, and depending on the timing of a 24-hour update schedule, a release might be missed until the following day.

On the firewall, select “Device” along the top, then “Dynamic Updates” near the bottom of the left pane.

Click the link for the “Applications and Threats” schedule and change the “Recurrence” to Hourly. Click OK and commit those changes.

If you push the updates from Panorama, you can make the same changes on Panorama in the Panorama tab instead of the Device tab.

CVE-2021-44228 Information

Mitigation Information