Mitigating Apache Log4j (Log4Shell) Vulnerabilities

Overview

This topic describes the mitigation available for the recently identified log4j vulnerabilities, currently including the following:

  • CVE-2021-44228

  • CVE-2021-45046

  • CVE-2021-45105

  • CVE-2021-44832

Fixes for these vulnerabilities are delivered in two ways: as a manual mitigation process for TOS Classic, and as part of upcoming TOS Classic and TOS Aurora upgrades. The manual mitigation lets you mitigate the specified vulnerabilities immediately, without upgrading to a newer version of TOS Classic. The Scheduled Hotfix lets you wait until Tufin releases an upgrade that includes a fix for the specified vulnerabilities.
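As an added example (not part of this advisory and not Tufin's code), the following Python script turns the "Resolved in log4j" versions from the tables below into an inventory check: given a log4j-core jar, it reports which of the four CVEs that jar still leaves unaddressed. It assumes the jar carries the standard Maven pom.properties under META-INF/maven/org.apache.logging.log4j/log4j-core/, which released log4j-core jars do; the sample jar it builds is constructed in memory so the script runs offline.

```python
"""Check log4j-core jars against the fix versions listed in the advisory tables.

Added example, not Tufin's code. The fixed-in versions below are the
"Resolved in log4j x.y.z" values from the advisory; the jar layout assumed
(Maven pom.properties inside the jar) is the standard one for log4j-core.
"""
import io
import re
import zipfile
from pathlib import Path

# Fixed-in log4j 2.x versions, taken from the advisory tables.
FIXED_IN = {
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
    "CVE-2021-44832": (2, 17, 1),
}

# Path of the Maven metadata that log4j-core jars ship with (assumption, standard layout).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """Turn '2.14.1' into a comparable tuple; a suffix such as '-rc1' is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    return tuple(int(x or 0) for x in m.groups())


def unresolved_cves(version):
    """CVEs from the advisory whose fix version is newer than `version` (sorted)."""
    v = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if v < fixed)


def log4j_core_version(jar_bytes):
    """Read the log4j-core version from the jar's pom.properties, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def assess_jar(jar_bytes):
    """Return (version, [unresolved CVEs]); version None means not a log4j-core jar."""
    version = log4j_core_version(jar_bytes)
    if version is None:
        return None, []
    return version, unresolved_cves(version)


def scan_directory(root):
    """Walk `root`, assess every .jar, and map path -> (version, unresolved CVEs)."""
    results = {}
    for jar in Path(root).rglob("*.jar"):
        try:
            version, open_cves = assess_jar(jar.read_bytes())
        except zipfile.BadZipFile:
            continue  # not a zip container; skip rather than abort the scan
        if version is not None:
            results[str(jar)] = (version, open_cves)
    return results


def make_test_jar(version, include_props=True):
    """Constructed sample: a minimal jar that carries only log4j-core's pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if include_props:
            zf.writestr(
                POM_PROPS,
                "groupId=org.apache.logging.log4j\n"
                "artifactId=log4j-core\n"
                f"version={version}\n",
            )
        else:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Walk the fix ladder with constructed jars so each step of the advisory is visible.
    for v in ("2.14.1", "2.15.0", "2.16.0", "2.17.0", "2.17.1"):
        version, open_cves = assess_jar(make_test_jar(v))
        status = ", ".join(open_cves) if open_cves else "no open CVEs from the advisory"
        print(f"log4j-core {version}: {status}")
```

Run it against a real installation with `scan_directory("/path/to/tos")` and review the returned map. The check only knows the 2.x fix versions the advisory lists; jars from the older Java 7 and Java 6 backport lines (2.12.x and 2.3.x) are not covered by that table and need to be assessed separately.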

TOS Aurora

TOS Aurora R21-3

| CVE | Manual Mitigation Without Requiring Upgrade | Scheduled Hotfix |
|---|---|---|
| CVE-2021-44228 (Severity: Critical; resolved in log4j 2.15.0) | Not available | Resolved in TOS Aurora R21-3 PGA.1.0 |
| CVE-2021-45046 (Severity: updated from Low to Critical; resolved in log4j 2.16.0) | Not available | Resolved in TOS Aurora R21-3 PGA.1.0 |
| CVE-2021-45105 (Severity: High; resolved in log4j 2.17.0) | Not available | Resolved in TOS Aurora R21-3 PGA.1.0 |
| CVE-2021-44832 (Severity: Medium; resolved in log4j 2.17.1) | Not available | Resolved in TOS Aurora R21-3 PHF1.0.0 |

TOS Aurora R21-2

| CVE | Manual Mitigation Without Requiring Upgrade | Scheduled Hotfix |
|---|---|---|
| CVE-2021-44228 (Severity: Critical; resolved in log4j 2.15.0) | Not available | Resolved in TOS Aurora R21-2 PHF1.1.0 |
| CVE-2021-45046 (Severity: updated from Low to Critical; resolved in log4j 2.16.0) | Not available | Resolved in TOS Aurora R21-2 PHF1.1.0 |
| CVE-2021-45105 (Severity: High; resolved in log4j 2.17.0) | Not available | Resolved in TOS Aurora R21-2 PHF2.0.0 |
| CVE-2021-44832 (Severity: Medium; resolved in log4j 2.17.1) | Not available | Not planned. Upgrade to a more recent version of TOS that includes this fix. |

TOS Aurora R21-1 or earlier

Upgrade to a supported TOS Aurora release that includes the CVE fix.

TOS Classic

TOS Classic R21-3

| CVE | Manual Mitigation Without Requiring Upgrade | Scheduled Hotfix |
|---|---|---|
| CVE-2021-44228 (Severity: Critical; resolved in log4j 2.15.0) | Resolved. See Implementing the CVE Manual Mitigation | Resolved in TOS Classic R21-3 GA |
| CVE-2021-45046 (Severity: updated from Low to Critical; resolved in log4j 2.16.0) | Resolved. See Implementing the CVE Manual Mitigation | Resolved in TOS Classic R21-3 GA |
| CVE-2021-45105 (Severity: High; resolved in log4j 2.17.0) | Not planned because severity is not Critical | Resolved in TOS Classic R21-3 GA |
| CVE-2021-44832 (Severity: Medium; resolved in log4j 2.17.1) | Not planned because severity is Medium | Scheduled for TOS Classic R21-3 HF1 (February 2022) |

TOS Classic R21-2

| CVE | Manual Mitigation Without Requiring Upgrade | Scheduled Hotfix |
|---|---|---|
| CVE-2021-44228 (Severity: Critical; resolved in log4j 2.15.0) | Resolved. See Implementing the CVE Manual Mitigation | Resolved in TOS Classic R21-2 HF2.1 |
| CVE-2021-45046 (Severity: updated from Low to Critical; resolved in log4j 2.16.0) | Resolved. See Implementing the CVE Manual Mitigation | Resolved in TOS Classic R21-2 HF2.1 |
| CVE-2021-45105 (Severity: High; resolved in log4j 2.17.0) | Not planned because severity is not Critical | Resolved in TOS Classic R21-2 HF3 |
| CVE-2021-44832 (Severity: Medium; resolved in log4j 2.17.1) | Not planned because severity is Medium | Not planned. Upgrade to a more recent version of TOS that includes this fix. |

TOS Classic R21-1

| CVE | Manual Mitigation Without Requiring Upgrade | Scheduled Hotfix |
|---|---|---|
| CVE-2021-44228 (Severity: Critical; resolved in log4j 2.15.0) | Resolved. See Implementing the CVE Manual Mitigation | Resolved in TOS Classic R21-1 HF4.1 |
| CVE-2021-45046 (Severity: updated from Low to Critical; resolved in log4j 2.16.0) | Resolved. See Implementing the CVE Manual Mitigation | Resolved in TOS Classic R21-1 HF4.1 |
| CVE-2021-45105 (Severity: High; resolved in log4j 2.17.0) | Not planned because severity is not Critical | Not planned. Upgrade to a more recent version of TOS that includes this fix. |
| CVE-2021-44832 (Severity: Medium; resolved in log4j 2.17.1) | Not planned because severity is Medium | Not planned. Upgrade to a more recent version of TOS that includes this fix. |

TOS Classic R20-2, R20-1, R19-3 (all versions)

| CVE | Manual Mitigation Without Requiring Upgrade | Scheduled Hotfix |
|---|---|---|
| CVE-2021-44228 (Severity: Critical; resolved in log4j 2.15.0) | Resolved. See Implementing the CVE Manual Mitigation | Not planned. Upgrade to a more recent version of TOS that includes this fix. |
| CVE-2021-45046 (Severity: updated from Low to Critical; resolved in log4j 2.16.0) | Resolved. See Implementing the CVE Manual Mitigation | Not planned. Upgrade to a more recent version of TOS that includes this fix. |
| CVE-2021-45105 (Severity: High; resolved in log4j 2.17.0) | Not planned because severity is not Critical | Not planned. Upgrade to a more recent version of TOS that includes this fix. |
| CVE-2021-44832 (Severity: Medium; resolved in log4j 2.17.1) | Not planned because severity is Medium | Not planned. Upgrade to a more recent version of TOS that includes this fix. |

TOS Classic R19-2 or earlier

Upgrade to a supported TOS Classic release that includes the CVE fix or mitigation.