Support Forum
Ivar
New Contributor

CVE-2021-44228 Apache LOG4J vulnerability

Would appreciate a response from Fortinet regarding the Apache log4j vulnerability and whether any Fortinet product is affected.

Any information regarding an updated IPS signature for CVE-2021-44228?

1 Solution
Carl_Windsor_FTNT

PSIRT advisory on impacted products can be found here:

https://www.fortiguard.com/psirt/FG-IR-21-245

Dr. Carl Windsor Field Chief Technology Officer Fortinet


44 Replies
Toast
New Contributor

This Tenable blog post links to two good resources from GreyNoise and BadPackets for those that want to create their own IP block list while we wait for Fortinet engineers to wake up: https://www.tenable.com/blog/cve-2021-44228-proof-of-concept-for-critical-apache-log4j-remote-code-e...

boneyard
Valued Contributor

Haven't seen any official information on Fortinet products being affected. For any official Fortinet staff reading this, please make that happen quickly.

The IPS signature is available:

https://www.fortiguard.com/outbreak-alert/log4j2-vulnerability

https://www.fortiguard.com/encyclopedia/ips/51006

Default action is pass, so be sure to change that if you want it blocking.

Eric1101

I have tried following the instructions to change the default action to block, however it is greyed out as an option in my FortiGate 601Es. I also tried adding a custom signature entry, but when it comes to the vuln text context field, it's unclear from the bulletins what I should be putting there to match the CVE-2021-44228 RCE.

Any help would be much appreciated.

Thanks,

Eric

tcbnorge

This is posted now:

https://www.fortiguard.com/psirt/FG-IR-21-245

Most Fortinet products are not affected.

Deepak_Girimaji_FTNT

For FortiWEB, a signature has been released to mitigate vulnerability reported under CVE-2021-44228 in WAF signature database version 0.00305 (https://www.fortiguard.com/updates/websecurity?version=0.00305). You could verify the version by issuing the following command:
-------------------------------------
get system upd-db-version | grep Waf
Waf Signature Version: 00000.00305
-------------------------------------

In case the signature database is not updated, please execute the following command to manually update:

# execute update fwdb

Best regards,
Deepak G N R
Technical Lead Engineer
EMEA FortiWeb/ADC/WAN/DDoS/Isolator Team
indi81
New Contributor II

Also, where are the signatures for FortiADC?

amreason
New Contributor II

My FortiGates pulled in the IPS signature this morning. Default action is allow. Seems like a bug. Had to override and change it to deny.

Eric1101

How did you change the action to deny?

Thanks,

Eric

none1234

Security Profiles > Intrusion Prevention > Edit Sensor > Add Signature

Type = Signature
Action = Block
Status = Enable

Then search for the log4j signature and click "Add to signature".

Save.

Move it to the top of the signatures list.

Save.
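The same override expressed in FortiOS CLI, added here as an example and not taken from the thread or from Fortinet documentation. It assumes an IPS sensor named "default" (substitute the sensor actually referenced by the firewall policy that carries the traffic), the entry ID 1 being unused in that sensor, and the signature ID 51006 from the FortiGuard encyclopedia link above:

```text
config ips sensor
    edit "default"
        config entries
            edit 1
                set rule 51006
                set status enable
                set action block
                set log enable
            next
        end
    next
end
```

`set rule 51006` pins the entry to that one signature rather than to a severity or target filter, so the block action cannot be overridden by a broader pass entry; `set log enable` makes the hit visible in the IPS log so the override can be confirmed rather than assumed. Check the resulting order of entries with `show ips sensor "default"`, since later entries matching the same signature can take precedence in the same way the GUI's "move to the top" step guards against. The sensor only takes effect on policies that reference it, and JNDI lookup strings inside HTTPS requests are only visible to IPS when the policy also applies deep (SSL) inspection.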