Apache log4j2 log messages substitution (CVE-2021-44228)

Summary

Apache Log4j <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled (CVE-2021-44228).

Affected Products

The following products are NOT impacted:
FortiOS (includes FortiGate & FortiWiFi)
FortiAnalyzer
FortiManager
FortiAP
FortiAuthenticator
FortiDeceptor
FortiMail
FortiVoice
FortiRecorder
FortiSwitch & FortiSwitchManager
FortiAnalyzer Cloud
FortiManager Cloud
FortiGate Cloud
FortiWeb Cloud
FortiGSLB Cloud
FortiToken Cloud
FortiPhish Cloud
FortiSwicth Cloud in FortiLANCloud
FortiEDR Agent
FortiNAC
The following products are impacted and fixes are being worked on. This advisory will be updated as soon as ETAs are available.
FortiAnalyzer-BigData
FortiSIEM
FortiCASB
FortiPortal
FortiNAC
FortiConvertor
FortiAIOps
FortiPolicy
ShieldX
FortiSOAR
FortiEDR Cloud

Solutions

Please upgrade to FortiPortal version 6.0.9 or above
Please upgrade to FortiSIEM version 6.0.5 or above
Please upgrade to FortiAIOps version 1.0.3 or above
Please upgrade to FortiAnalyzer-BigData version 7.2.3 or above
Please upgrade to FortiPolicy version 7.2.0 or above
Fixed from FortiLANCloud 22.1
Fixed from FortiConverter Service Portal 21.4
Fixed from FortiCASB 22.1
For full details of protections and detections for the IoCs related to this vulnerability, please see the
https://www.fortiguard.com/outbreak-alert/log4j2-vulnerability
## IPS Signature protection (FortiOS)
Fortinet have released IPS signature Apache.Log4j.Error.Log.Remote.Code.Execution, with VID 51006 to address this threat. This signature was initially released in IPS package (version 19.215). Please note that, since this is an emergency release, the default action for this signature is set to pass. Please modify the action according to your need.
## Web Application Firewall (FortiWeb & FortiWeb Cloud)
Web Application signatures to prevent this vulnerability were added in database 0.00301 and have been updated in the latest release 0.00305 for additional coverage