FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
FSM_FTNT
Staff
Staff
Description

This article discusses the Apache log4j Vulnerability's effect on FortiSIEM. 

 

This note specifies the steps needed to mitigate this vulnerability without upgrading Apache log4j to version 2.16 or higher. It also notes a FortiSIEM upgrade path.

Scope

FortiSIEM 6.3.2 and earlier, 5.2.5 through 5.4.0

Solution

This KB will be updated if additional mitigation steps are required. If previous KB steps were applied as mitigation, they can remain in place, however the below steps should be followed in addition.

 

Follow the mitigation steps in the known issues links published for each version of FortiSIEM.

 

(Note that FortiSIEM version 6.3.3 includes a patched version of log4j that includes fixes for this vulnerability.)

 

FortiSIEM Version Link to Mitigation
6.1.0 https://docs.fortinet.com/document/fortisiem/6.1.0/release-notes/441737/whats-new-in-6-1-0#Known_Iss...
6.1.1 https://docs.fortinet.com/document/fortisiem/6.1.1/release-notes/965243/whats-new-in-6-1-1#Known_Iss...
6.1.2 https://docs.fortinet.com/document/fortisiem/6.1.2/release-notes/498610/whats-new-in-6-1-2#Known_Iss...
6.2.0 https://docs.fortinet.com/document/fortisiem/6.2.0/release-notes/498610/new-features#Known
6.2.1 https://docs.fortinet.com/document/fortisiem/6.2.1/release-notes/498610/whats-new-in-6-2-1#Known2
6.3.0 https://docs.fortinet.com/document/fortisiem/6.3.0/release-notes/498610/whats-new-in-6-3-0#Known
6.3.1 https://docs.fortinet.com/document/fortisiem/6.3.1/release-notes/330225/whats-new-in-6-3-1#Known
6.3.2 https://docs.fortinet.com/document/fortisiem/6.3.2/release-notes/803208/whats-new-in-6-3-2#Known
5.2.6 https://docs.fortinet.com/document/fortisiem/5.2.6/release-notes/760862/whats-new-in-5-2-6#Known
5.2.7 https://docs.fortinet.com/document/fortisiem/5.2.7/release-notes/760862/whats-new-in-5-2-7#Known
5.2.8 https://docs.fortinet.com/document/fortisiem/5.2.8/release-notes/760862/whats-new-in-5-2-8#Known
5.3.0 https://docs.fortinet.com/document/fortisiem/5.3.0/release-notes/760862/whats-new-in-5-3-0#Known
5.3.1 https://docs.fortinet.com/document/fortisiem/5.3.1/release-notes/760862/whats-new-in-5-3-1#Known
5.3.2 https://docs.fortinet.com/document/fortisiem/5.3.2/release-notes/760862/whats-new-in-5-3-2#Known
5.3.3 https://docs.fortinet.com/document/fortisiem/5.3.3/release-notes/760862/whats-new-in-5-3-3#Known_Iss...
5.4.0 https://docs.fortinet.com/document/fortisiem/5.4.0/release-notes/308906/whats-new-in-5-4-0#New

Three FortiSIEM modules (SVNLite, phFortiInsightAI and 3rd party ThreatConnect SDK) use Apache log4j version 2.14, 2.13 and 2.8 respectively for logging purposes, and hence are vulnerable to the recently discovered Remote Code Execution vulnerability (CVE-2021-44228).

 

These instructions specify the steps needed to mitigate this vulnerability without upgrading Apache log4j to the latest stable version 2.16 or higher. Actions need to be taken on the Supervisor  and Worker nodes only.