New Member

Solved

CVE-2021-44228 Apache LOG4J vulnerability

Forum|Forum|4 years ago
December 10, 2021
15 replies
94706 views

Would appreciate a response from Fortinet regarding the Apache log4 vulnerability if any Fortinet product

is affected.

Any information regarding updated IPS signature for CVE-2021-44228?

Best answer by Carl_Windsor_FTNT

PSIRT advisory on impacted products can be found here:

https://www.fortiguard.com/psirt/FG-IR-21-245

Toast

Explorer

This Tennable blog post links to two good resources from GreyNoise and BadPackets for those that want to create their own IP block list while we wait for Fortinet engineers to wake up: https://www.tenable.com/blog/cve-2021-44228-proof-of-concept-for-critical-apache-log4j-remote-code-execution-vulnerability

boneyard

Valued Contributor

haven't seen any official information on Fortinet products being affected. for any official Fortinet staff reading this please make that happen quickly.

the IPS signature is available:

https://www.fortiguard.com/outbreak-alert/log4j2-vulnerability

https://www.fortiguard.com/encyclopedia/ips/51006

default action is pass, so be sure to change that if you want it blocking.

Eric1101

New Member

I have tried following the instructions to change the default action to block, however it is greyed out as an option in my Fortigate 601E's. I also tried adding a custom signature entry, but when it comes to the vuln text context field, its unclear from the bulletins what I should be putting there to match the CVE-2021-44228 RCE.

Any help would be much appreciated.

Thanks,

Eric

Deepak_Girimaji_FTNT

Staff

For FortiWEB, a signature has been released to mitigate vulnerability reported under CVE-2021-44228 in WAF signature database version 0.00305 (https://www.fortiguard.com/updates/websecurity?version=0.00305). You could verify the version by issuing the following command:
-------------------------------------
get system upd-db-version | grep Waf
Waf Signature Version: 00000.00305
-------------------------------------

In case the signature database is not updated, please execute the following command to manually update:

# execute update fwdb

indi81

New Member

Also, where is the signatures for FortiADC?

amreason

New Member

Deleted

Eric1101

New Member

How did you change the action to deny?

Thanks,

eric

aaandy

New Member

i noticed handful CVEs are set to pass in default including log4j. Aren't CVEs especially critical supposed to be blocked in default?

i just set all above medium to be blocked. what is the impact if i set all CVEs blocked?

AlexC-FTNT

Staff

The action is "Allow" for the moment, while undergoing extensive testing on our side in order to avoid false positives. Manually changing to "Block" should be done under supervision, monitoring valid traffic not to be blocked.

AlexC-FTNT

Staff

We have developed an IPS signature, Apache.Log4j.Error.Log.Remote.Code.Execution, with VID 51006 to address this threat. This signature has been released in IPS package (version 19.215). Please note that this is an emergency release, so the default action for this signature is set to pass at the moment. If you want this blocked, please change the action in the IPS profile.

For protection against this vulnerability, make sure that the IPS definition version is the one above. You can verify in System > FortiGuard, where you can also trigger an automated update. Once updated, alter the ips profile and change the action for this signature to block.

indi81

New Member

So, is there any option to automatically set these as Action: block instead of the default Pass? It's the same story as with Hafnium.

I think the majority would prefer a smaller incident/faulty service before risking a major breach. Atleast give the option.

AlexC-FTNT

Staff

The option exists, but works the other way. I did not make this choice of default Action, but I understand it from a business-user perspective: a/any firewall should not block legitimate traffic from one day to the next just after some automated update. That may be difficult to isolate and cause revenue loss. The SysAdmin should be aware of the latest attacks and select the appropriate signature action - knowing that action may cause some false positives.

FnUser

New Member

Doesn't seems that signature is doing anything, don't see any violations on testing.

FnUser

New Member

Does it work for anybody?

indi81

New Member

Yes, but only for HTTP.

FnUser

New Member

what payload did you use for testing?

FnUser

New Member

All signatures updated and properly configured, still not getting triggered. I hope FN will look into it. I can trigger other ones, but not the ID51006