CVE-2021-44228 - Log4j RCE

Details
Content
Dependencies
Version History

This pack handles Apache Log4j RCE CVE-2021-44228, a 0-day exploit in the popular Java logging library log4j2.

This pack is part of the Rapid Breach Response pack.

Critical RCE Vulnerability: log4j - CVE-2021-44228 refers to a 0-day exploit in the popular Java logging library log4j2.

On Dec. 9, 2021, a remote code execution (RCE) vulnerability in Apache log4j 2 was identified being exploited in the wild. Public proof of concept (PoC) code was released and subsequent investigation revealed that exploitation was incredibly easy to perform.

On Dec. 14 2021, another vulnerability was discovered related the log4j 0-day exploit known as CVE-2021-45046.

On Dec 18 2021, yet another vulnerability was discovered related the log4j 0-day exploit known as CVE-2021-45105. The vulnerability allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.

On Dec 28 2021, another RCE vulnerability was published for Apache Log4j2, versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4).
In order to exploit this vulnerability, an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

This pack will provide you with a first response kit which includes:

Hunting
Remediation
Mitigations

More information about the pack and how to use it, visit our Cortex XSOAR Developer Docs

More information about the vulnerability:
Apache Log4j Vulnerability Is Actively Exploited in the Wild

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

CVE-2021-44228 - Log4j RCE

This pack is part of the Rapid Breach Response pack.

Critical RCE Vulnerability: log4j - CVE-2021-44228 refers to a 0-day exploit in the popular Java logging library log4j2.

On Dec. 14 2021, another vulnerability was discovered related the log4j 0-day exploit known as CVE-2021-45046.

This pack will provide you with a first response kit which includes:

Hunting
Remediation
Mitigations

More information about the pack and how to use it, visit our Cortex XSIAM Developer Docs

More information about the vulnerability:
Apache Log4j Vulnerability Is Actively Exploited in the Wild

CVE-2021-44228 - Log4j RCE

Playbooks

Name	Description
CVE-2021-44228 - Log4j RCE	Critical RCE Vulnerability: log4j - CVE-2021-44228 On Dec. 9, 2021, a remote code execution (RCE) vulnerability in Apache log4j 2 was identified being exploited in the wild. Public proof of concept (PoC) code was released and subsequent investigation revealed that exploitation was incredibly easy to perform. On Dec. 14 2021, another vulnerability was discovered related to the log4j 0-day exploit known as CVE-2021-45046. On Dec 18 2021, yet another vulnerability was discovered related to the log4j 0-day exploit known as CVE-2021-45105 that allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3. On Dec 28 2021, another RCE vulnerability was published for Apache Log4j2, versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4). In order to exploit this vulnerability, an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2. Affected Version Apache Log4j 2.x <= 2.17.0 This playbook should be triggered manually or can be configured as a job. Please create a new incident and choose the CVE-2021-44228 - Log4j RCE playbook and Rapid Breach Response incident type. The playbook includes the following tasks: Collect related known indicators from several sources. Indicators and exploitation patterns hunting using PAN-OS, Cortex XDR and SIEM products. Search for possible vulnerable servers using Xpanse and Prisma Cloud. Block indicators automatically or manually. Mitigations:* Apache official CVE-2021-44228 patch. Unit42 recommended mitigations. Detection Rules. Snort Suricata Sigma Yara Zeek Intel More information: Apache Log4j Vulnerability Is Actively Exploited in the Wild (CVE-2021-44228) Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

Name

Description

CVE-2021-44228 - Log4j RCE

Critical RCE Vulnerability: log4j - CVE-2021-44228

On Dec. 14 2021, another vulnerability was discovered related to the log4j 0-day exploit known as CVE-2021-45046.

On Dec 18 2021, yet another vulnerability was discovered related to the log4j 0-day exploit known as CVE-2021-45105 that allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.

Affected Version

Apache Log4j 2.x <= 2.17.0

This playbook should be triggered manually or can be configured as a job.
Please create a new incident and choose the CVE-2021-44228 - Log4j RCE playbook and Rapid Breach Response incident type.

The playbook includes the following tasks:

Collect related known indicators from several sources.
Indicators and exploitation patterns hunting using PAN-OS, Cortex XDR and SIEM products.
*Search for possible vulnerable servers using Xpanse and Prisma Cloud.
Block indicators automatically or manually.

Mitigations:

Apache official CVE-2021-44228 patch.
Unit42 recommended mitigations.
Detection Rules.
- Snort
- Suricata
- Sigma
- Yara
- Zeek Intel

More information:
Apache Log4j Vulnerability Is Actively Exploited in the Wild (CVE-2021-44228)

Playbooks

Name	Description
CVE-2021-44228 - Log4j RCE	Critical RCE Vulnerability: log4j - CVE-2021-44228 On Dec. 9, 2021, a remote code execution (RCE) vulnerability in Apache log4j 2 was identified being exploited in the wild. Public proof of concept (PoC) code was released and subsequent investigation revealed that exploitation was incredibly easy to perform. On Dec. 14 2021, another vulnerability was discovered related to the log4j 0-day exploit known as CVE-2021-45046. On Dec 18 2021, yet another vulnerability was discovered related to the log4j 0-day exploit known as CVE-2021-45105 that allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3. On Dec 28 2021, another RCE vulnerability was published for Apache Log4j2, versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4). In order to exploit this vulnerability, an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2. Affected Version Apache Log4j 2.x <= 2.17.0 This playbook should be triggered manually or can be configured as a job. Please create a new alert and choose the CVE-2021-44228 - Log4j RCE playbook and Rapid Breach Response alert type. The playbook includes the following tasks: Collect related known indicators from several sources. Indicators and exploitation patterns hunting using PAN-OS, Cortex XDR and SIEM products. Search for possible vulnerable servers using Xpanse and Prisma Cloud. Block indicators automatically or manually. Mitigations:* Apache official CVE-2021-44228 patch. Unit42 recommended mitigations. Detection Rules. Snort Suricata Sigma Yara Zeek Intel More information: Apache Log4j Vulnerability Is Actively Exploited in the Wild (CVE-2021-44228) Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

Name

Description

CVE-2021-44228 - Log4j RCE

Critical RCE Vulnerability: log4j - CVE-2021-44228

On Dec. 14 2021, another vulnerability was discovered related to the log4j 0-day exploit known as CVE-2021-45046.

Affected Version

Apache Log4j 2.x <= 2.17.0

This playbook should be triggered manually or can be configured as a job.
Please create a new alert and choose the CVE-2021-44228 - Log4j RCE playbook and Rapid Breach Response alert type.

The playbook includes the following tasks:

Collect related known indicators from several sources.
Indicators and exploitation patterns hunting using PAN-OS, Cortex XDR and SIEM products.
*Search for possible vulnerable servers using Xpanse and Prisma Cloud.
Block indicators automatically or manually.

Mitigations:

Apache official CVE-2021-44228 patch.
Unit42 recommended mitigations.
Detection Rules.
- Snort
- Suricata
- Sigma
- Yara
- Zeek Intel

More information:
Apache Log4j Vulnerability Is Actively Exploited in the Wild (CVE-2021-44228)

Required Content Packs (3)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Rapid Breach Response	By: Cortex XSOAR

Optional Content Packs (8)

Pack Name	Pack By
Comprehensive Investigation by Palo Alto Networks	By: Cortex XSOAR
Prisma Cloud by Palo Alto Networks	By: Cortex XSOAR
Cortex Xpanse by Palo Alto Networks	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Splunk	By: Cortex XSOAR
PAN-OS by Palo Alto Networks	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR

All level dependencies (13)

Pack Name	Pack By
Ransomware	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Access Investigation	By: Cortex XSOAR
Base	By: Cortex XSOAR
Asset	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Rapid Breach Response	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Identity	By: Cortex XSOAR
Cryptocurrency	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR

1.0.14 - 5782177 (July 16, 2023)

Playbooks

CVE-2021-44228 - Log4j RCE

Replaced the Block Indicators - Generic v2 sub-playbook with the new Block Indicators - Generic v3 playbook. (Available from Cortex XSOAR 6.5.0).
Added the AutoBlockIndicators input. This input determines whether to block the indicators automatically or manually using the Block Indicators - Generic v3 sub-playbook. (Available from Cortex XSOAR 6.5.0).
Added the UserVerification input. This input determines whether blocking IPs should be done with or without user verification. The IPs blocking is done by using the Block Indicators - Generic v3 sub-playbook. (Available from Cortex XSOAR 6.5.0)
Replaced sub-playbook Cortex XDR - Execute commands with new xdr-script-commands-execute command.
Added command prisma-cloud-config-search to replace soon to be EOL command redlock-get-rql-response. The command redlock-get-rql-response will reach its end of life (EOL) at: Nov 01, 2023, Please use the integration Prisma Cloud v2 instead.
Removed the PAN-OS - Block Domain - External Dynamic List sub-playbook. This playbook is deprecated and has reached its end of life (EOL) and is no longer supported.

Related pull requests:
- 26581

Download

1.0.13 - R5170573 (May 2, 2023)

Playbooks

CVE-2021-44228 - Log4j RCE

Fixes dependencies caused by unchecked skipifunavailable

Related pull requests:
- 25486

Download

1.0.12 - R4718798 (March 1, 2023)

Playbooks

CVE-2021-44228 - Log4j RCE

Fix for missing inputs: "SplunkLatestTime"

Related pull requests:
- 21883

Download

1.0.11 - R3917401 (October 26, 2022)

Playbooks

CVE-2021-44228 - Log4j RCE

Removed unaffected Fortinet devices from Xpanse issues list.

Related pull requests:
- 17162

Download

1.0.10 - 2233034 (January 10, 2022)

Playbooks

CVE-2021-44228 - Log4j RCE

Fix Splunk Indicator Hunting & Advance Hunting playbooks inputs.
Fix typo in Xpanse issues search

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	December 11, 2021
Last Release	July 16, 2023

WORKS WITH THE FOLLOWING INTEGRATIONS:

Palo Alto Networks Cortex XDR - Investigation and Response

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.