Log4j2 Remote Code Execution Vulnerability aka Log4Shell (CVE-2021-44228)
On 9 December 2021, researchers disclosed a critical, unauthenticated remote code execution (RCE) vulnerability in log4j2, a popular and widely-used logging library for Java applications. An attacker could exploit this vulnerability to run untrusted code on vulnerable systems.
There are several mitigating factors, including the version of Java the application uses with JDK versions newer than 6u11, 7u201, 8u191 and 11.0.1 not affected by the common and trivial LDAP attack vector. Additionally, log4j2 implementations that have explicitly disabled JNDI lookups are not vulnerable.
After a thorough analysis, WatchGuard has determined that none of its products and services are vulnerable to the trivial LDAP attack vector. Some services and service middleware were found to run a vulnerable version of log4j2 but paired with a non-vulnerable JDK version. We have proactively patched these services and have found no evidence of successful exploits against these services.
For more information, see this Secplicity blog post.
Update 1 –
After review, no WatchGuard products or services are vulnerable to the recently upgraded vulnerability CVE-2021-45046. This vulnerability requires a non-default configuration that no WatchGuard product or service has in use. Regardless, we have updated our services out of an abundance of caution.
Update 2 –
Researchers recently discovered and disclosed CVE-2021-4104, a remote code execution vulnerability in the older Log4j 1.2 release. This vulnerability requires a non-default configuration with the JMSAppender module enabled. While WatchGuard System Manager uses a vulnerable version of Log4j 1.2, it does not use the JMSAppender module and is not vulnerable to this exploit. WatchGuard does not use Log4j 1.2 in any other product or service.
Firebox Appliances, Wireless APs and Dimension
All WatchGuard Firebox appliances, all wireless AP models, WatchGuard System Manager, and Dimension are not affected by this vulnerability. The version of log4j used in WSM (and each Firebox appliance) is lower than the version affected by CVE-2021-44228 and is not vulnerable to this exploit. Wireless access points do not use log4j or log4j2. Dimension does not use log4j or log4j2.
Wi-Fi Cloud Discover and Manage services were updated on 12 December 2021 and are not vulnerable to this exploit. Wi-Fi Cloud APs are not affected by this vulnerability.
Several WatchGuard Cloud components were running a vulnerable version of log4j2 but use a JDK version that is not vulnerable to the common LDAP attack vector. We have updated these components out of an abundance of caution and have found no evidence of successful attacks.
- Threat Detection and Response
- Wi-Fi in WatchGuard Cloud
For Threat Detection and Response, we released an updated version of AD Helper (v22.214.171.12464) on 10 December 2021. In addition, on 27 January 2022, we released TDR and AD Helper (v126.96.36.19914) that updates Log4j to v2.17.1. If AD Helper Auto-Update is enabled in the TDR settings, AD Helper updates automatically when a new version is available. To update AD Helper manually, see Install and Configure AD Helper.
WatchGuard EPDR and Panda AD360
WatchGuard EPDR and Panda AD360 are not affected by this vulnerability.
Firebox Intrusion Prevention Service
The Firebox Intrusion Prevention Service (IPS) has signatures that detect and block these attacks: 1230268 WEB Apache log4j Remote Code Execution -1.u (CVE-2021-44228) 1230269 WEB Apache log4j Remote Code Execution -1.h (CVE-2021-44228) 1230274 WEB Apache log4j Remote Code Execution -2.u (CVE-2021-44228) 1230275 WEB Apache log4j Remote Code Execution -1.h (CVE-2021-44228)
Update the IPS signatures on your Firebox to signature set v4.1232 or v18.188. For more information, see WatchGuard Help Center.
For more information about specific IPS signatures, see the WatchGuard Security Portal.
Note: The signature set your Firebox uses depends on the model and Fireware version. For more information, see https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000g3E5SAI&lang=en_US.
WatchGuard Endpoint Security
If you have WatchGuard Endpoint Security products (WatchGuard EPP, WatchGuard EDR, or WatchGuard EPDR), you can initiate an on-demand scan of all Windows, macOS, and Linux computers in your company.
Note: We recommend that you launch the scan during off-peak hours. Although scans have low priority to minimize consumption, there could be a slight impact on computer or server performance.
To start a scan of a group of computers, on the Computers page:
- From the top navigation bar, select Computers
- From the left pane, select the My Organization tab.
- Next to the computer or group of computers you want to scan, click more options.
- Select Scan Now.
- The Select the Type of Scan dialog box opens. To scan critical areas for active viruses, select Critical areas. You can also select to scan the Entire computer. This can take several hours to complete. Click OK. The scan starts on all computers and subgroups in the group.
The scan will detect software affected by the Log4j2 vulnerability. The results display in the Threats Detected by Antivirus tile on the Security dashboard.
To identify the affected computers: Open the Status > Security dashboard. Click the Threats Detected by Antivirus tile. In the Malware Activity list, select an affected computer and review the threats and recommended actions. If the Log4j2 is identified, update the Log4j2 component immediately.
Note: If you maintain a Java application that uses log4j2, you should immediately update to 2.15.0 and make sure JNDI lookups are disabled. Set the JVM flag “log4j2.formatMsgNoLookups” to “true” to mitigate the vulnerability. There are additional partial mitigations depending on which version of JDK you are running. For example, JDK versions greater than 6u11, 7u201, 8u191 and 11.0.1 are not affected by the LDAP attack vector but could still be attacked by loading in-app classes.
Note: If you have the WatchGuard Patch Management module, make sure that the CVE-2021-44228 vulnerability is not found on your computers or servers and patch any affected computers as soon as possible. For more information, See Available Patches.