Apache log4j2 log messages substitution (CVE-2021-44228)

Summary

Apache Log4j <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled (CVE-2021-44228).

Affected Products

The following products are NOT impacted:


FortiOS (includes FortiGate & FortiWiFi)
FortiAnalyzer
FortiManager
FortiAP
FortiAuthenticator
FortiDeceptor
FortiMail
FortiVoice
FortiRecorder
FortiSwitch & FortiSwitchManager
FortiAnalyzer Cloud
FortiManager Cloud
FortiGate Cloud
FortiWeb Cloud
FortiGSLB Cloud
FortiToken Cloud
FortiPhish Cloud
FortiSwitch Cloud in FortiLANCloud
FortiEDR Agent
FortiNAC


The following products are impacted and fixes are being worked on. This advisory will be updated as soon as ETAs are available.


FortiAnalyzer-BigData
FortiSIEM
FortiCASB
FortiPortal
FortiNAC
FortiConverter
FortiAIOps
FortiPolicy
ShieldX
FortiSOAR
FortiEDR Cloud

Solutions

Please upgrade to FortiPortal version 6.0.9 or above
Please upgrade to FortiSIEM version 6.0.5 or above
Please upgrade to FortiAIOps version 1.0.3 or above
Please upgrade to FortiAnalyzer-BigData version 7.2.3 or above
Please upgrade to FortiPolicy version 7.2.0 or above
Fixed from FortiLANCloud 22.1
Fixed from FortiConverter Service Portal 21.4
Fixed from FortiCASB 22.1


For full details of protections and detections for the IoCs related to this vulnerability, please see the FortiGuard Outbreak Alert: https://www.fortiguard.com/outbreak-alert/log4j2-vulnerability


IPS Signature protection (FortiOS)


Fortinet has released IPS signature Apache.Log4j.Error.Log.Remote.Code.Execution, with VID 51006, to address this threat. This signature was initially released in IPS package version 19.215. Please note that, since this is an emergency release, the default action for this signature is set to pass; modify the action according to your needs.
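As an added illustration (not part of this advisory), the following FortiOS CLI fragment shows one way to override the default pass action for VID 51006 by placing the signature in a dedicated IPS sensor with action block and attaching that sensor to a firewall policy. The sensor name "log4j-cve-2021-44228", entry id 1 and policy id 10 are assumptions chosen for the example; check the signature's action in your own sensors after each IPS package update.

```text
# Added example, not from the advisory: IPS sensor that blocks and logs VID 51006
config ips sensor
    edit "log4j-cve-2021-44228"
        config entries
            edit 1
                set rule 51006
                set status enable
                set action block
                set log enable
            next
        end
    next
end

# Attach the sensor to the policy that fronts the exposed Java services
# (policy id 10 is an assumption for this example)
config firewall policy
    edit 10
        set utm-status enable
        set ips-sensor "log4j-cve-2021-44228"
        # Payloads carried over TLS are only visible to the sensor when the
        # policy also applies a deep-inspection SSL/SSH profile; a
        # certificate-inspection profile does not decrypt the request body.
    next
end
```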


Web Application Firewall (FortiWeb & FortiWeb Cloud)


Web application signatures to prevent this vulnerability were added in signature database 0.00301 and have been updated in the latest release, 0.00305, for additional coverage.