Apache log4j2 log messages substitution (CVE-2021-44228) Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-21-245 Final 1 1 2021-12-12T00:00:00 Current version 2021-12-12T00:00:00 2021-12-12T00:00:00 Apache Log4j <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled (CVE-2021-44228). Execute unauthorized code or commands The following products are NOT impacted:FortiOS (includes FortiGate & FortiWiFi)FortiAnalyzerFortiManagerFortiAPFortiAuthenticatorFortiDeceptorFortiMailFortiVoiceFortiRecorderFortiSwitch & FortiSwitchManagerFortiAnalyzer CloudFortiManager CloudFortiGate CloudFortiWeb CloudFortiGSLB CloudFortiToken CloudFortiPhish CloudFortiSwicth Cloud in FortiLANCloudFortiEDR AgentFortiNACThe following products are impacted and fixes are being worked on. This advisory will be updated as soon as ETAs are available.FortiAnalyzer-BigDataFortiSIEMFortiCASBFortiPortalFortiNACFortiConvertorFortiAIOpsFortiPolicyShieldXFortiSOARFortiEDR Cloud Please upgrade to FortiPortal version 6.0.9 or abovePlease upgrade to FortiSIEM version 6.0.5 or abovePlease upgrade to FortiAIOps version 1.0.3 or abovePlease upgrade to FortiAnalyzer-BigData version 7.2.3 or abovePlease upgrade to FortiPolicy version 7.2.0 or aboveFixed from FortiLANCloud 22.1Fixed from FortiConverter Service Portal 21.4Fixed from FortiCASB 22.1For full details of protections and detections for the IoCs related to this vulnerability, please see the https://www.fortiguard.com/outbreak-alert/log4j2-vulnerabilityIPS Signature protection (FortiOS)Fortinet have released IPS signature Apache.Log4j.Error.Log.Remote.Code.Execution, with VID 51006 to address this threat. This signature was initially released in IPS package (version 19.215). Please note that, since this is an emergency release, the default action for this signature is set to pass. Please modify the action according to your need.Web Application Firewall (FortiWeb & FortiWeb Cloud)Web Application signatures to prevent this vulnerability were added in database 0.00301 and have been updated in the latest release 0.00305 for additional coverage https://fortiguard.fortinet.com/psirt/FG-IR-21-245 Apache log4j2 log messages substitution (CVE-2021-44228) https://logging.apache.org/log4j/2.x/security.html https://logging.apache.org/log4j/2.x/security.html CVE-2021-44228 CVE-2021-44832 CVE-2021-45105 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:X/RC:X https://fortiguard.fortinet.com/psirt/FG-IR-21-245 Apache log4j2 log messages substitution (CVE-2021-44228) Reference> https://logging.apache.org/log4j/2.x/security.html https://logging.apache.org/log4j/2.x/security.html