Apache Log4j <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled (CVE-2021-44228).
See the Fortinet Blog for more detail: https://www.fortinet.com/blog/psirt-blogs/apache-log4j-vulnerability
The following products are NOT impacted:
FortiOS (includes FortiGate & FortiWiFi)
FortiSwitch & FortiSwitchManager
FortiSwitch Cloud in FortiLANCloud
The following products are impacted and fixes are being worked on. This advisory will be updated as soon as ETAs are available.
Please upgrade to FortiPortal version 6.0.9 or above
Please upgrade to FortiSIEM version 6.0.5 or above
Please upgrade to FortiAIOps version 1.0.3 or above
Please upgrade to FortiAnalyzer-BigData version 7.2.3 or above
Please upgrade to FortiPolicy version 7.2.0 or above
Fixed from FortiLANCloud 22.1
Fixed from FortiConverter Service Portal 21.4
Fixed from FortiCASB 22.1
For full details of protections and detections for the IoCs related to this vulnerability, please see the Log4j2 Vulnerability Outbreak Alert.
IPS Signature protection (FortiOS)
Fortinet have released IPS signature Apache.Log4j.Error.Log.Remote.Code.Execution, with VID 51006, to address this threat. This signature was initially released in IPS package version 19.215. Please note that, since this is an emergency release, the default action for this signature is set to pass. Please modify the action according to your needs.
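One way to confirm that the action change described above has been made, as an added example that is not Fortinet's code: a Python audit of an exported FortiOS configuration that reports, per IPS sensor, whether an explicit entry for VID 51006 blocks or resets. The sample configuration and sensor names are constructed; the script assumes the standard `config ips sensor` / `set rule` / `set action` CLI layout and does not evaluate filter-based entries (such as by severity).

```python
import re

SIG_ID = "51006"                # VID given in this advisory
ENFORCING = {"block", "reset"}  # pass/default leave the signature non-blocking

# Constructed sample backup, not from a real device; sensor names are made up.
SAMPLE = """
config ips sensor
    edit "dmz-servers"
        config entries
            edit 1
                set rule 51006
                set action block
            next
        end
    next
    edit "branch"
        config entries
            edit 1
                set severity critical
                set action block
            next
        end
    next
end
"""

def audit_sensors(config_text):
    """Map sensor -> enforced/not-enforced/no-override; first SIG_ID entry decides (assumption)."""
    results, stack, entry = {}, [], {}
    for line in config_text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if not tok:
            continue
        ctx = stack[stack.index("ips sensor"):] if "ips sensor" in stack else []
        if tok[0] in ("config", "edit"):
            stack.append(" ".join(tok[1:]))
            if len(ctx) == 1:      # edit "<sensor name>"
                results.setdefault(stack[-1], "no-override")
            elif len(ctx) == 3:    # edit <entry id>: start a fresh entry
                entry = {}
        elif tok[0] == "set" and len(ctx) == 4:
            entry[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end") and stack:
            if len(ctx) == 4 and SIG_ID in entry.get("rule", []) and results[ctx[1]] == "no-override":
                active = entry.get("status", ["default"])[0] != "disable"
                action = entry.get("action", ["default"])[0]
                results[ctx[1]] = "enforced" if active and action in ENFORCING else "not-enforced"
            stack.pop()
    return results
```

A sensor reported as `no-override` or `not-enforced` is still relying on the signature's default pass action unless a filter-based entry covers it.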
Web Application Firewall (FortiWeb & FortiWeb Cloud)
Web Application signatures to prevent this vulnerability were added in database 0.00301 and have been updated in the latest release 0.00305 for additional coverage.