CVE-2021-44228 Apache LOG4J vulnerability
Would appreciate a response from Fortinet regarding the Apache Log4j vulnerability if any Fortinet product is affected.
Any information regarding updated IPS signature for CVE-2021-44228?
PSIRT advisory on impacted products can be found here:
https://www.fortiguard.com/psirt/FG-IR-21-245
Dr. Carl Windsor
Chief Information Security Officer (CISO)
Fortinet
This Tenable blog post links to two good resources from GreyNoise and BadPackets for those that want to create their own IP block list while we wait for Fortinet engineers to wake up: https://www.tenable.com/blog/cve-2021-44228-proof-of-concept-for-critical-apache-log4j-remote-code-e...
Haven't seen any official information on Fortinet products being affected. For any official Fortinet staff reading this, please make that happen quickly.
The IPS signature is available:
https://www.fortiguard.com/outbreak-alert/log4j2-vulnerability
https://www.fortiguard.com/encyclopedia/ips/51006
Default action is pass, so be sure to change that if you want it blocking.
Created on ‎12-11-2021 11:08 AM Edited on ‎12-11-2021 11:09 AM
I have tried following the instructions to change the default action to block, however it is greyed out as an option in my FortiGate 601Es. I also tried adding a custom signature entry, but when it comes to the vuln text context field, it's unclear from the bulletins what I should be putting there to match the CVE-2021-44228 RCE.
Any help would be much appreciated.
Thanks,
Eric
This is posted now:
https://www.fortiguard.com/psirt/FG-IR-21-245
Most Fortinet products are not affected.
For FortiWeb, a signature has been released to mitigate the vulnerability reported under CVE-2021-44228 in WAF signature database version 0.00305 (https://www.fortiguard.com/updates/websecurity?version=0.00305). You could verify the version by issuing the following command:
-------------------------------------
get system upd-db-version | grep Waf
Waf Signature Version: 00000.00305
-------------------------------------
In case the signature database is not updated, please execute the following command to manually update:
# execute update fwdb
Deepak G N R
ETAC Manager
EMEA FortiWeb/ADC/WAN/DDoS/Isolator Team
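A fleet check for the version comparison described in the post above, as an added example that is not part of the original post or of Fortinet's tooling: it parses saved output of `get system upd-db-version` from several devices and flags those below 0.00305. The device names and sample captures are constructed, and comparing the two dot-separated fields as integers is an assumption about the version format.

```python
import re

# Minimum WAF signature database version named in the post above.
MIN_WAF_VERSION = "0.00305"

# Matches the line shown in the post, e.g. "Waf Signature Version: 00000.00305".
_WAF_LINE = re.compile(r"^\s*Waf Signature Version:\s*(\d+)\.(\d+)\s*$", re.M)


def parse_version(text):
    """Turn '00000.00305' or '0.00305' into a comparable (major, minor) tuple.

    Assumption: both fields are zero-padded integers, so padding is ignored.
    """
    major, minor = text.strip().split(".")
    return int(major), int(minor)


def waf_version(cli_output):
    """Extract the WAF signature version from captured CLI output, or None."""
    m = _WAF_LINE.search(cli_output)
    return (int(m.group(1)), int(m.group(2))) if m else None


def audit(captures, minimum=MIN_WAF_VERSION):
    """Map each device name to 'ok', 'outdated' or 'unknown'."""
    floor = parse_version(minimum)
    result = {}
    for device, output in captures.items():
        found = waf_version(output)
        if found is None:
            result[device] = "unknown"   # line missing: unverified, not safe
        elif found >= floor:
            result[device] = "ok"
        else:
            result[device] = "outdated"  # candidate for 'execute update fwdb'
    return result


# Constructed sample captures; the device names are hypothetical.
SAMPLE = {
    "fwb-edge-1": "Waf Signature Version: 00000.00305\r\n",
    "fwb-edge-2": "Waf Signature Version: 00000.00298\n",
    "fwb-lab": "Connection timed out\n",
}

if __name__ == "__main__":
    for name, state in audit(SAMPLE).items():
        print(f"{name}: {state}")
```

A device reported as `unknown` produced no version line at all, so it should be rechecked by hand rather than counted as updated.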
Also, where are the signatures for FortiADC?
Created on ‎12-11-2021 08:27 AM Edited on ‎12-30-2022 10:36 AM
Deleted
How did you change the action to deny?
Thanks,
eric
Created on ‎12-11-2021 11:33 AM Edited on ‎12-11-2021 11:34 AM
Security Profiles
Intrusion Prevention
Edit Sensor
Add Signature
Type = Signature
Action = Block
Status = enable.
Then search the log4j signature and click add to signature.
Save.
Move to the top of the signatures list.
Save
