FortiWeb - Incorrect handling of large requests leads to denial of service

Summary

An uncontrolled resource consumption vulnerability [CWE-400] in FortiWeb may allow an unauthenticated attacker to cause a Denial of Service to the FortiWeb's HTTP daemon via sending a large amount of crafted HTTP requests.

Affected Products

FortiWeb version 6.4.1 and below.
FortiWeb version 6.3.15 and below.
FortiWeb version 6.2.5 and below.

Solutions

Upgrade to the upcoming FortiWeb version 7.0.0 or above.

Upgrade to FortiWeb version 6.4.2 or above.

Upgrade to FortiWeb version 6.3.16 or above.

Upgrade to FortiWeb version 6.2.6 or above.

Acknowledgement

Internally discovered and reported by Mattia Fecit of Fortinet Product Security team.