* [Blog](https://www.paloaltonetworks.com/blog)
* [Palo Alto Networks](https://www.paloaltonetworks.com/blog/corporate/)
* [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/)
* The Palo Alto Networks Fu...

# The Palo Alto Networks Full-Court Defense for Apache Log4j

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2F2021%2F12%2Fdefense-for-apache-log4j%2F)  
[](https://twitter.com/share?text=The+Palo+Alto+Networks+Full-Court+Defense+for+Apache+Log4j&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2F2021%2F12%2Fdefense-for-apache-log4j%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2F2021%2F12%2Fdefense-for-apache-log4j%2F&title=The+Palo+Alto+Networks+Full-Court+Defense+for+Apache+Log4j&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www.paloaltonetworks.com/blog/2021/12/defense-for-apache-log4j/&ts=markdown)  
\[\](mailto:?subject=The Palo Alto Networks Full-Court Defense for Apache Log4j)  
Link copied  
By [Ryan Olson](https://www.paloaltonetworks.com/blog/author/ryan-olson/?ts=markdown "Posts by Ryan Olson")  
Dec 13, 2021  
5 minutes  
[Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown)  
[Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown)  
[Apache Log4J](https://www.paloaltonetworks.com/blog/tag/apache-log4j/?ts=markdown)  
[Cortex XDR](https://www.paloaltonetworks.com/blog/tag/cortex-xdr/?ts=markdown)  
[Cortex Xpanse](https://www.paloaltonetworks.com/blog/tag/cortex-xpanse/?ts=markdown)  
[cybersecurity](https://www.paloaltonetworks.com/blog/tag/cybersecurity/?ts=markdown)  
[NGFW](https://www.paloaltonetworks.com/blog/tag/ngfw/?ts=markdown)  
[Prisma Cloud](https://www.paloaltonetworks.com/blog/tag/prisma-cloud/?ts=markdown)  
[threat prevention](https://www.paloaltonetworks.com/blog/tag/threat-prevention/?ts=markdown)  
[Unit 42](https://www.paloaltonetworks.com/blog/tag/unit-42/?ts=markdown)

This post is also available in: [日本語 (Japanese)](https://www.paloaltonetworks.com/blog/2022/01/defense-for-apache-log4j/?lang=ja "Switch to Japanese(日本語)")

The recent Apache Log4j vulnerabilities are a particularly pernicious problem for two reasons. First, Apache Log4j has a very large footprint as a back-end logging library that is incorporated into many widely-used, open sourced and internally developed applications used by enterprises around the world. Issues with Apache Log4j affect almost everyone. Second, remediation can take weeks. The best way to protect yourself is to upgrade to [the latest version](https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/); however, that requires that you first know where every instance needs to be patched and second that Java 8 is installed. There are many reasons why customers may not be able to upgrade for days or weeks, including the big effort required to upgrade Java before applying this patch, the full test cycle needed before upgrading Log4j, so it doesn't break applications or year-end production freezes.

## **How Palo Alto Networks Protects Customers From the Apache Log4j Vulnerability**

Palo Alto Networks customers are protected from attacks exploiting the Apache Log4j remote code execution (RCE) vulnerability as outlined below. In addition, we offer a number of solutions to help identify affected applications and incident response if needed.

#### Blocking the Exploit

To give you time while your teams patch the vulnerabilities, Palo Alto Networks customers are protected by our Next-Generation Firewalls with an active Threat Prevention security service, Cortex XDR and Prisma Cloud:

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall) ([PA-Series](https://www.paloaltonetworks.com/network-security/next-generation-firewall), [VM-Series](https://www.paloaltonetworks.com/prisma/vm-series) and [CN-Series](https://www.paloaltonetworks.com/network-security/cn-series)) or [Prisma Access](https://www.paloaltonetworks.com/sase/access) with a [Threat Prevention](https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/threat-prevention) security subscription can automatically block sessions related to this vulnerability. Customers already aligned with our security best practices gain automated protection against these attacks with no manual intervention. These signatures block the first stage of the attack. Customers should verify security profile best practices are applied to the relevant security policies and have critical vulnerabilities set to reset or default actions. Additionally, the Log4j RCE requires access to code hosted externally. Our Advanced URL Filtering security service is constantly monitoring and blocking new, unknown and known malicious domains (websites) to block those unsafe external connections. Also, suitable egress application filtering can be used to block the second stage of the attack. Use App-ID for 'ldap' and 'rmi-iiop' to block all RMI and LDAP to or from untrusted networks and unexpected sources. SSL decryption needs to be enabled on the firewall to block known attacks over HTTPS. Customers with log4j in their environments should upgrade or apply workarounds suggested by respective vendors and not rely only on the Threat Prevention signatures. Learn more about how the [NGFW with cloud-delivered security services](https://www.paloaltonetworks.com/blog/network-security/apache-log4j-vulnerability-ngfw/) can help protect against these vulnerabilities.
* Cortex XDR customers who are running Cortex XDR agent 7.0 and higher and content 290-78377 on Linux are protected from a full exploitation chain using the [Java Deserialization Exploit protection module](https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/endpoint-protection-modules.html). Other Cortex XDR customers are protected against various observed payloads stemming from CVE-2021-44228 through Behavioral Threat Protection (BTP). Additionally, Cortex XDR Pro customers using Analytics will detect post-exploitation activities related to this vulnerability.
* Prisma Cloud customers with the Web Application and API Security module enabled running either Enterprise Edition or Compute Edition with the latest Console version (21.08.525, Update 2 and higher) can leverage a virtual patch for the CVE to actively identify and protect against exploitation. Users not running the latest version of Prisma Cloud can manually create and enable a custom rule in [Prevent mode](https://www.paloaltonetworks.com/blog/prisma-cloud/log-4-shell-vulnerability/).

#### Incident Scoping --- What Systems Need to Be Patched

Every time a new security vulnerability surfaces, a race begins between attackers and defenders to identify vulnerable systems. The question defenders need to answer is: What is my full inventory of affected assets? Here's how Palo Alto Networks can help provide this visibility:

* \*\*Prisma Cloud:\*\*Prisma Cloud Defender agents can detect whether any continuous integration (CI) project, container image, or host operating system maintains a vulnerable Log4j package or JAR file with a version equal to or older than 2.14.1.
* **Cortex XSOAR:** Cortex XSOAR has a playbook that automates much of the workflows. Download the "CVE-2021-44228 - Log4j RCE'' pack to automatically detect and prevent the vulnerability exploit across NGFW, Cortex XDR and SIEM products. Read more on the [XSOAR marketplace.](https://www.paloaltonetworks.com/blog/security-operations/automating-speeding-your-response-to-log4j-vulnerability/)
* **Cortex Xpanse** : Our external attack surface management product gives customers the ability to validate full asset inventory to easily consolidate vulnerability data and convey that a fix is needed.

#### Incident Response

If you think that you have an incident related to the Log4j vulnerability or simply need additional capacity to respond and remediate faster, Unit 42 can help. If you are concerned that you may have been impacted, you can [contact Unit 42](https://start.paloaltonetworks.com/contact-unit42.html) for a compromise assessment and incident response services. For detailed findings on the Log4j vulnerability, see [Unit 42's summary](https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/).

## Lessons from Log4j

Even if you're not an Apache Log4j user, it's still likely that one of your partners, customers or suppliers uses software that includes the vulnerable component. This week's vulnerability demonstrates the fragility of our large, interdependent technical ecosystem. A well-known concept in supply chain is the bullwhip effect where unforeseen fluctuations in supply can cost an *individual* company more than actual market demand fluctuations. In cyber security, we're experiencing our own version of the bullwhip effect, only *everyone* is affected by infrastructure that makes a single vulnerability a global incident.

To stay on top of the latest Log4j analysis and mitigation, as well as the latest vulnerability updates, please continue checking the [Unit 42 blog](https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/) or register for our threat intelligence briefings, [Unit 42 Briefing: Apache Log4j Threat Update](https://start.paloaltonetworks.com/apache-log4j-threat-update.html).

*** ** * ** ***

## Related Blogs

### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Next-Generation Firewalls](https://www.paloaltonetworks.com/blog/network-security/category/next-generation-firewalls/?ts=markdown), [Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown), [Public Sector](https://www.paloaltonetworks.com/blog/category/public-sector/?ts=markdown), [Zero Trust Security](https://www.paloaltonetworks.com/blog/network-security/category/zero-trust-security/?ts=markdown)

[#### Russia-Ukraine Cyber Activity Makes Security Best Practices Imperative](https://www.paloaltonetworks.com/blog/2022/03/russia-ukraine-cyber-activity-best-practices/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Cloud Workload Protection Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection-platform/?ts=markdown), [Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown)

[#### Unit 42 Discovers First Known Malware Targeting Windows Containers](https://www.paloaltonetworks.com/blog/2021/06/siloscape-malware-windows-containers/)

### [AI and Cybersecurity](https://www.paloaltonetworks.com/blog/security-operations/category/ai-and-cybersecurity/?ts=markdown), [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/?ts=markdown)

[#### Cortex XDR is the Only Endpoint Security Market Leader to Achieve 99% in Both Threat Prevention and Response in AVC EPR](https://www.paloaltonetworks.com/blog/security-operations/cortex-xdr-is-the-only-endpoint-security-market-leader-to-achieve-99-in-both-threat-prevention-and-response-in-avc-epr/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown)

[#### What's Next in Cortex - New Wave of Innovations in Cortex (June 2024 Release)](https://www.paloaltonetworks.com/blog/security-operations/whats-next-in-cortex-new-wave-of-innovations-in-cortex-june-2024-release/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Public Sector](https://www.paloaltonetworks.com/blog/category/public-sector/?ts=markdown)

[#### Advancing Innovation and Harnessing AI to Secure the Homeland](https://www.paloaltonetworks.com/blog/2024/06/advancing-innovation-and-harnessing-ai/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Company \& Culture](https://www.paloaltonetworks.com/blog/category/company-culture/?ts=markdown), [Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### More on the PAN-OS CVE-2024-3400](https://www.paloaltonetworks.com/blog/2024/04/more-on-the-pan-os-cve/)

### Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language