Created on 12-10-2021 03:13 PM Edited on 12-10-2021 04:40 PM
Created on 12-12-2021 09:40 PM Edited on 12-12-2021 09:41 PM
Created on 12-10-2021 08:43 PM
This Tenable blog post links to two good resources from GreyNoise and BadPackets for those that want to create their own IP block list while we wait for Fortinet engineers to wake up: https://www.tenable.com/blog/cve-2021-44228-proof-of-concept-for-critical-apache-log4j-remote-code-e...
Created on 12-11-2021 12:41 AM Edited on 12-11-2021 12:41 AM
Haven't seen any official information on Fortinet products being affected. For any official Fortinet staff reading this, please make that happen quickly.
The IPS signature is available:
Default action is pass, so be sure to change that if you want it blocking.
I have tried following the instructions to change the default action to block; however, it is greyed out as an option in my FortiGate 601Es. I also tried adding a custom signature entry, but when it comes to the vuln text context field, it's unclear from the bulletins what I should be putting there to match the CVE-2021-44228 RCE.
Any help would be much appreciated.
Created on 12-11-2021 03:40 AM Edited on 12-11-2021 03:42 AM
For FortiWeb, a signature has been released to mitigate the vulnerability reported under CVE-2021-44228 in WAF signature database version 0.00305 (https://www.fortiguard.com/updates/websecurity?version=0.00305). You can verify the version by issuing the following command:
get system upd-db-version | grep Waf
Waf Signature Version: 00000.00305
In case the signature database is not updated, please execute the following command to manually update:
# execute update fwdb
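The version check from the post above, as an added example that is not part of the original post or Fortinet's own tooling: a shell helper that reads captured `get system upd-db-version` output and reports whether the WAF signature database is at least 0.00305. The function names are hypothetical, and it assumes the zero-padded `major.minor` layout shown above; the "outdated" sample line is constructed.

```shell
#!/bin/sh
# Minimum WAF signature DB version carrying the CVE-2021-44228 signature,
# as stated in the post above.
MIN_WAF_DB="0.00305"

# waf_db_version (hypothetical helper): reads CLI output on stdin and prints
# the WAF signature version as "major.minor" with the zero padding removed.
# Exits non-zero when no "Waf Signature Version" line is present.
waf_db_version() {
    awk -F': *' '/^[[:space:]]*Waf Signature Version/ {
        split($2, v, ".")
        printf "%d.%d\n", v[1] + 0, v[2] + 0
        found = 1
        exit
    }
    END { if (!found) exit 1 }'
}

# waf_db_is_patched (hypothetical helper): returns 0 when the version on stdin
# is >= MIN_WAF_DB, 1 when it is older, 2 when the version line is missing.
# Assumption: both fields are zero-padded integers, so 00000.00305 == 0.00305.
waf_db_is_patched() {
    have=$(waf_db_version) || return 2
    awk -v have="$have" -v min="$MIN_WAF_DB" 'BEGIN {
        split(have, h, "."); split(min, m, ".")
        if (h[1] + 0 != m[1] + 0)
            exit ((h[1] + 0 > m[1] + 0) ? 0 : 1)
        exit ((h[2] + 0 >= m[2] + 0) ? 0 : 1)
    }'
}

# Demo: the first line is the output quoted in the post, the second is a
# constructed sample of a device that has not yet pulled the update.
for line in "Waf Signature Version: 00000.00305" \
            "Waf Signature Version: 00000.00304"; do
    if printf '%s\n' "$line" | waf_db_is_patched; then
        echo "OK       $line"
    else
        echo "OUTDATED $line (run: execute update fwdb)"
    fi
done
```
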
My FortiGates pulled in the IPS signature this morning. Default action is allow. Seems like a bug. Had to override and change to deny.
Type = Signature
Action = Block
Status = enable.
Then search the log4j signature and click add to signature.
Move to the top of the signatures list.