FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
FSM_FTNT
Staff
Article Id 228600
Description

This article describes how to use custom Rules in FortiSIEM to respond to attacks that attempt to exploit the Apache Commons Text Interpolation Remote Code Execution vulnerability (CVE-2022-42889). A Report is also provided to gain historical visibility into the relevant logs.

Scope

This article applies to FortiSIEM.

The Rules and Reports leverage logs from FortiGate and from other Fortinet products that can be used to detect the attack.

For more information about this attack, see the following Outbreak Alert:

https://fortiguard.fortinet.com/outbreak-alert/apache-commons-text-rce

Solution

1) Download Fortinet_FortiSIEM_CVE-2022-42889.zip, which is attached to this article.

The following items are included in the .zip archive:

- A FortiSIEM Rule to help with detection.
- A FortiSIEM Report to help with historical reporting.

2) Import the Reports from FortiSIEM_CVE-2022-42889_Reports_v1.xml:

- Navigate to Resource/Reports.
- It is recommended to create a new group under Resource/Reports/Security called 'FortiSIEM Apache CVE-2022-42889' and import the reports into this group.
- Select the Import option under More.
- Select FortiSIEM_Apache_CVE-2022-42889_Reports_v1.xml and import it.

3) Import the Rules from FortiSIEM_Apache_CVE-2022-42889_Rules_v1.xml:

- Navigate to Resource/Rules.
- It is recommended to create a new group under Resource/Rules/Security/Threat Hunting/ called 'FortiSIEM Apache CVE-2022-42889 Rules' and import the rules into this group.
- Select the Import option.
- Select FortiSIEM_Apache_CVE-2022-42889_Rules.xml and import it.


FortiSIEM provides content packs for easy installation of these Rules and Reports.
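As an added illustration of the kind of check the imported Rule performs on log data (example code written for this article, not the logic of the FortiSIEM Rule or any Fortinet product): CVE-2022-42889 is triggered by untrusted input reaching Apache Commons Text's `StringSubstitutor` with the `script`, `dns` or `url` interpolators enabled, so a defender can scan request logs for `${prefix:` markers, including URL-encoded and double-encoded forms. The log lines below are constructed samples, not real traffic.

```python
import re
from urllib.parse import unquote

# Interpolator prefixes whose presence in untrusted input indicates an
# attempt to abuse CVE-2022-42889 (assumption: the Rule's own matching
# criteria are not published in this article).
RISKY_PREFIXES = ("script", "dns", "url")

# Matches ${prefix: with optional whitespace, case-insensitive.
PATTERN = re.compile(
    r"\$\{\s*(" + "|".join(RISKY_PREFIXES) + r")\s*:",
    re.IGNORECASE,
)


def normalize(text: str) -> str:
    """URL-decode twice so that double-encoded payloads are also visible."""
    return unquote(unquote(text))


def find_interpolation(line: str):
    """Return the risky prefix found in the line, or None if there is none."""
    match = PATTERN.search(normalize(line))
    return match.group(1).lower() if match else None


def scan(lines):
    """Return (line_number, prefix, line) for every line that matches."""
    hits = []
    for number, line in enumerate(lines, 1):
        prefix = find_interpolation(line)
        if prefix:
            hits.append((number, prefix, line))
    return hits


# Constructed sample log lines in a FortiGate-like key=value style.
SAMPLE_LOGS = [
    'srcip=203.0.113.5 url="/search?q=hello" status=200',
    'srcip=203.0.113.7 url="/search?q=%24%7Bscript%3Ajavascript%3A1%7D" status=500',
    'srcip=203.0.113.9 url="/api?name=${dns:address|example.test}" status=200',
    'srcip=203.0.113.11 url="/api?name=${base64Decoder:aGk=}" status=200',
    'srcip=203.0.113.13 url="/api?x=%2524%257Burl%253Ahttp%253A//example.test%257D" status=200',
]

if __name__ == "__main__":
    for number, prefix, line in scan(SAMPLE_LOGS):
        print(f"line {number}: ${{{prefix}:...}} interpolation -> {line}")
```

Line 4 uses the `base64Decoder` interpolator, which is not one of the three risky ones and is therefore deliberately not flagged; extend `RISKY_PREFIXES` if your environment treats other interpolators as suspicious.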
