How to Confirm Coverage for CVE-2021-44228 (Apache Log4j Vulnerability) in Prisma Cloud Compute?

Created On 12/13/21 08:04 AM - Last Modified 01/19/22 04:39 AM


Objective


  • How to Confirm Coverage for CVE-2021-44228 (Apache Log4j Vulnerability) in Prisma Cloud Compute?


Environment


  • Prisma Cloud Compute


Procedure


  • The Prisma Cloud Intelligence Stream feed has been updated with CVE-2021-44228.
  • The CVE can now be seen in the Prisma Cloud Compute Console under the "CVE Viewer" tab (the Prisma Cloud vulnerability database).
  • The impact of this vulnerability across your environment can also be surveyed using the "Vulnerability Explorer" tab.

If you are using the Prisma Cloud Compute Edition (self-hosted) Console:

To review coverage, go to Monitor > Vulnerabilities > CVE Viewer and enter "CVE-2021-44228".


To review impact, go to Monitor > Vulnerabilities > Vulnerability Explorer and enter "CVE-2021-44228".


If you are using the Prisma Cloud Enterprise Edition (SaaS) Console:

To review coverage, go to Compute > Monitor > Vulnerabilities > CVE Viewer and enter "CVE-2021-44228".


To review impact, go to Compute > Monitor > Vulnerabilities > Vulnerability Explorer and enter "CVE-2021-44228".


NOTE:
  • Once vendors assess their own level of exposure, perform their analysis and issue advisories, they publish those responses in their own security feeds. Those feeds flow into the Prisma Cloud Intelligence Stream and from there into the Prisma Cloud Console, so a package's status for this CVE can change as upstream vendors update their advisories.
  • It is recommended to remove any Custom Feed Rules added for this vulnerability, so that the Console reports the Intelligence Stream's results for your environment rather than results overridden by local rules.


Additional Information



Are Prisma Cloud and Prisma Cloud Compute affected?
 
Why might different results be found in the Vulnerability Report when scanning images for CVE-2021-44228?
 
  • When scanning images for CVE-2021-44228, results might fluctuate even though no images have been added or deleted.
  • For example, one scan may report 100 images vulnerable to CVE-2021-44228 while the next scan reports 130.
  • This is expected behaviour, because the Prisma Cloud Intelligence Stream (IS) is a real-time feed that contains vulnerability data and threat intelligence from commercial providers.
  • The IS is updated several times a day, and the Console continuously monitors it.
  • Since all images are scanned against the IS feeds, any change made by an OS vendor (for example, marking a package version as affected or as fixed) is reflected in the reports accordingly.
  • Since CVE-2021-44228 was a zero-day vulnerability, vendors continue to analyse it and publish their responses in their own security feeds, which then flow into the Intelligence Stream and on to the Prisma Cloud Console.
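Because a changing count alone cannot tell you whether new images appeared or the feed reclassified existing ones, a practical check is to diff two scan snapshots by image digest rather than by total. The following is an added example written for this article, not Prisma Cloud code: the snapshot layout (an `id` digest, a `repoTag`, and a `vulnerabilities` list with a `cve` field per finding) and the image data are constructed assumptions, chosen only to resemble a vulnerability scan export.

```python
"""Diff two image-scan snapshots for one CVE (constructed example, not Prisma Cloud code).

Assumed snapshot shape: a list of images, each with an immutable ``id`` digest,
a ``repoTag`` and a ``vulnerabilities`` list whose entries carry a ``cve`` field.
"""
from dataclasses import dataclass

CVE = "CVE-2021-44228"

def _img(digest, tag, versions):
    # Build one constructed image record with a log4j-core finding per listed version.
    return {"id": digest, "repoTag": tag,
            "vulnerabilities": [{"cve": CVE, "packageName": "log4j-core",
                                 "packageVersion": v} for v in versions]}

# Constructed sample data. Between the two scans: image B becomes flagged after a
# feed update, image C is cleared by a vendor advisory, and a new image D appears.
SCAN_1 = [
    _img("sha256:aaa", "registry.example/app-a:1.0", ["2.13.0"]),
    _img("sha256:bbb", "registry.example/app-b:2.3", []),
    _img("sha256:ccc", "registry.example/app-c:0.9", ["2.12.3"]),
]
SCAN_2 = [
    _img("sha256:aaa", "registry.example/app-a:1.0", ["2.13.0"]),
    _img("sha256:bbb", "registry.example/app-b:2.3", ["2.14.1"]),
    _img("sha256:ccc", "registry.example/app-c:0.9", []),
    _img("sha256:ddd", "registry.example/app-d:5.1", ["2.11.0"]),
]

def affected_images(scan, cve=CVE):
    """Return {digest: repoTag} for every image with at least one finding for cve."""
    return {img["id"]: img["repoTag"] for img in scan
            if any(v["cve"] == cve for v in img["vulnerabilities"])}

@dataclass(frozen=True)
class ScanDiff:
    newly_flagged_existing: frozenset  # in both scans, flagged only in the later one
    no_longer_flagged: frozenset       # in both scans, flagged only in the earlier one
    flagged_new_images: frozenset      # flagged, but absent from the earlier scan
    removed_flagged_images: frozenset  # flagged earlier, absent from the later scan

    def feed_driven(self):
        """Changes that cannot be explained by inventory churn: the feed reclassified them."""
        return len(self.newly_flagged_existing) + len(self.no_longer_flagged)

    def inventory_driven(self):
        """Changes explained by images being added to or removed from the environment."""
        return len(self.flagged_new_images) + len(self.removed_flagged_images)

def diff_scans(before, after, cve=CVE):
    """Attribute the change in affected-image count between two scans to its causes."""
    ids_before = {img["id"] for img in before}
    ids_after = {img["id"] for img in after}
    common = ids_before & ids_after
    flagged_before = set(affected_images(before, cve))
    flagged_after = set(affected_images(after, cve))
    return ScanDiff(
        newly_flagged_existing=frozenset((flagged_after & common) - flagged_before),
        no_longer_flagged=frozenset((flagged_before & common) - flagged_after),
        flagged_new_images=frozenset(flagged_after - ids_before),
        removed_flagged_images=frozenset(flagged_before - ids_after),
    )

def summarize(before, after, cve=CVE):
    """Return (count_before, count_after, diff) so a reader sees both the total and why it moved."""
    return len(affected_images(before, cve)), len(affected_images(after, cve)), diff_scans(before, after, cve)

if __name__ == "__main__":
    n1, n2, d = summarize(SCAN_1, SCAN_2)
    print(f"{CVE}: {n1} -> {n2} affected images")
    print(f"  reclassified by feed: {sorted(d.newly_flagged_existing)} newly flagged, "
          f"{sorted(d.no_longer_flagged)} cleared")
    print(f"  inventory change:     {sorted(d.flagged_new_images)} new, "
          f"{sorted(d.removed_flagged_images)} removed")
```

In the constructed data the total only moves from 2 to 3, which hides that one existing image was newly flagged, one was cleared, and one new image arrived. Running the same diff against two real exports separates "the Intelligence Stream changed its verdict" from "the environment changed", which is the distinction this section describes.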

What Next?
 
  • To learn how to query your environment for hosts with this risk using Prisma Cloud's RQL, refer to: CVE-2021-44228 Mitigations
  • CVE-2021-44228 continues to be actively investigated in order to properly identify its full scope and severity.
  • Given the information currently available, this vulnerability has a high impact now and is likely to remain impactful as further affected products are identified.
  • Many of the affected applications are widely used in corporate networks as well as home networks.
  • Users are encouraged to take all necessary steps to protect themselves against this vulnerability, as outlined in the 'Conclusion' section of the Unit 42 blog.
  • For more information on CVE-2021-44228, refer to: NVD - CVE-2021-44228.

