Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Ivar
New Contributor

CVE-2021-44228 Apache LOG4J vulnerability

Would appreciate a response from Fortinet regarding the Apache log4 vulnerability if any Fortinet product

is affected.

 

Any information regarding updated IPS signature for CVE-2021-44228?

1 Solution
Carl_Windsor_FTNT

PSIRT advisory on impacted products can be found here:

 

https://www.fortiguard.com/psirt/FG-IR-21-245

Dr. Carl Windsor Field Chief Technology Officer Fortinet

View solution in original post

44 REPLIES 44
Cantona_deux

where are you finding the signature ? "Then search the log4j signature and click add to signature." I cannot find the syntax for this ? 

AlexC-FTNT

AlexCFTNT_0-1639301416735.png

make sure your IPS version is updated to the latest version:

AlexCFTNT_1-1639301468275.png

If not, perform the update first

 

 


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
patelj

Run exec update-now and verify if the IPS attack definition is on 19.00215. This will include the signature and then have to set the action to 'block' manually.

Since this was the emergency release, default action is still pass.

Jay Patel
Mugato

Make sure you've updated your signatures. Edit the sensor (ex all_default), under IPS signatures and filters, +Create New, click "Signature", action drop down Block, Enable, and then in the search type Log4. Click on it and add selected. Did I do that right?

Eric1101

Thank you that did the trick!

Dubos
New Contributor III

I've already done that. You need to click the "Add Signatures" button in the "Security profiles" section and in the "Instruction Protection" tab, then a window opens with a list of all signatures and you search for "log4j" in the search, click on its line and then add it with the "Use Selected Signatures" button. After that, it will appear in your table of added signatures and by right-clicking on its row you will open a list of applicable functions, including blocking.

With respect,

Daniil Dubosarskij

cit.rkomi.ru

With respect, Daniil Dubosarskij cit.rkomi.ru
AlexC-FTNT

Just like shown here:


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
hyperspd7

Running Fortigate fortiOS 6.2.9 and IPS engine Version 5.00245 and definitions Version 19.00215, the signature is there. As previously stated,  I had to set the action to block as the default is default and the default for the signature is pass. It was not greyed our for me.

ede_pfau
Esteemed Contributor III

Does anybody (...from FTNT) know whether FortiADC is affected? If so, is any firmware version patched? In https://www.fortiguard.com/psirt/FG-IR-21-245, FortiADC is mentioned neither in "affected" nor in "not affected" section.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
aaandy
New Contributor

i noticed handful CVEs are set to pass in default including log4j. Aren't CVEs especially critical supposed to be blocked in default? 

i just set all above medium to be blocked. what is the impact if i set all CVEs blocked?

Labels
Top Kudoed Authors