Would appreciate a response from Fortinet regarding the Apache log4j vulnerability if any Fortinet product is affected.
Any information regarding an updated IPS signature for CVE-2021-44228?
PSIRT advisory on impacted products can be found here:
https://www.fortiguard.com/psirt/FG-IR-21-245
Dr. Carl Windsor Field Chief Technology Officer Fortinet
This Tenable blog post links to two good resources from GreyNoise and BadPackets for those that want to create their own IP block list while we wait for Fortinet engineers to wake up: https://www.tenable.com/blog/cve-2021-44228-proof-of-concept-for-critical-apache-log4j-remote-code-e...
Haven't seen any official information on Fortinet products being affected. For any official Fortinet staff reading this, please make that happen quickly.
The IPS signature is available:
https://www.fortiguard.com/outbreak-alert/log4j2-vulnerability
https://www.fortiguard.com/encyclopedia/ips/51006
Default action is pass, so be sure to change that if you want it blocking.
Created on 12-11-2021 11:08 AM Edited on 12-11-2021 11:09 AM
I have tried following the instructions to change the default action to block; however, it is greyed out as an option in my FortiGate 601Es. I also tried adding a custom signature entry, but when it comes to the vuln text context field, it's unclear from the bulletins what I should be putting there to match the CVE-2021-44228 RCE.
Any help would be much appreciated.
Thanks,
Eric
This is posted now:
https://www.fortiguard.com/psirt/FG-IR-21-245
Most Fortinet products are not affected.
For FortiWEB, a signature has been released to mitigate the vulnerability reported under CVE-2021-44228 in WAF signature database version 0.00305 (https://www.fortiguard.com/updates/websecurity?version=0.00305). You can verify the version by issuing the following command:
-------------------------------------
get system upd-db-version | grep Waf
Waf Signature Version: 00000.00305
-------------------------------------
In case the signature database is not updated, please execute the following command to manually update:
# execute update fwdb
Also, where are the signatures for FortiADC?
Created on 12-11-2021 08:27 AM Edited on 12-30-2022 10:36 AM
Deleted
How did you change the action to deny?
Thanks,
eric
Created on 12-11-2021 11:33 AM Edited on 12-11-2021 11:34 AM
Security Profiles
Intrusion Prevention
Edit Sensor
Add Signature
Type = Signature
Action = Block
Status = enable.
Then search for the log4j signature and click add to signature.
Save.
Move to the top of the signatures list.
Save
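
The GUI steps in the post above correspond to the following FortiOS CLI configuration. This is an added example, not part of the original thread or Fortinet's own documentation. The rule ID 51006 comes from the FortiGuard encyclopedia link earlier in the thread; the sensor name `YOUR-SENSOR` (stand-in for the sensor already applied to your firewall policies), the new entry ID 10 and the existing entry ID 1 are placeholders, and the `move` line assumes entry 1 is currently first in that sensor.

```fortios
# Added example. "YOUR-SENSOR", entry ID 10 and entry ID 1 are placeholders.
config ips sensor
    edit "YOUR-SENSOR"
        config entries
            edit 10
                # 51006 is the signature ID from fortiguard.com/encyclopedia/ips/51006
                set rule 51006
                set status enable
                # The signature's default action is pass (detect only); override it.
                set action block
            next
            # Assumption: entry 1 is the current first entry. Entries are matched
            # top-down, so the block entry must sit above broader filter entries.
            move 10 before 1
        end
    next
end
# Review the sensor and confirm the entry shows "set action block".
show ips sensor "YOUR-SENSOR"
```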