Executive Summary

Log4j is a Java-based logging audit framework within Apache. Apache Log4j2 2.14.1 and below are susceptible to a remote code execution vulnerability where an attacker can leverage this vulnerability to take full control of a machine.

This module is a prerequisite for other software which means it can be found in many products and is trivial to exploit. It is critical that organizations take immediate action to inventory their systems and prioritize remediation.

Impacted Versions

Apache Log4j 2.x <= 2.15.0-rc1

CVSS: 10 (CRITICAL)

Summary: Apache Log4j Vulnerability

Until a few days ago, most people would not have had any knowledge of the Log4j2 software. However, this little-known module is commonly used by other larger software, which means it is found in many products and locations. Some of the early alarm bells were raised by Swedish online game developer, Mojang Studios, after their users’ Minecraft servers were compromised.

The vulnerability impacts default configurations of a number of Apache frameworks, including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink, which are utilized by numerous organizations from Apple, Amazon, Google, Twitter, and thousands of others, including Fortinet.

The vulnerability is simply triggered by sending a specific JNDI string to the Log4j software, which triggers the install of the malicious software as shown.

Log4j vulnerability diagram

The issue is easy to exploit and the broad utilization of this software means there are multiple attack vectors. We expect more to be uncovered over the coming months. FortiGuard Labs is already seeing rapid growth of attacks detected.

Log4j: IPS triggers graph

The focus is on devices in North America and Brazil, although this is likely related to the sizes of these countries rather than any particular targeting at this time.

Log4j: IPS triggers graph by region

Mitigating Issues With Fortinet

Fortinet has created an Outbreak Alert for this incident which allows customers to track indicators of compromise (IOCs) and apply protections against this issue using the Fortinet Security Fabric.

 

Log4j: FortiGuard Outbreak Alert

Protections are available across the whole Fortinet Security Fabric to help defend against this attack including:

FortiWeb/FortiGate IPS: Apply web application firewalling signatures and IPS to detect and prevent the vulnerability from being exploited.

FortiGate Firewall: Employ firewall policy and microsegmentation to prevent authorized devices from communicating out to unauthorized resources.

FortiEDR: Monitors and protects against payloads delivered by exploitation of the vulnerability.

FortiCWP: Protects CI/CD pipeline and detects the presence of Log4j2 vulnerability in container images.

Protection Details

IPS Signature Protection (FortiOS)

Fortinet has released IPS signature Apache.Log4j.Error.Log.Remote.Code.Execution, with VID 51006 to address this threat. This signature was initially released in IPS package (version 19.215). Please note that since this is an emergency release, the default action for this signature is set to pass. Please modify the action according to your need.

As of IPS DB version 19.217 this signature was set to drop by default.

IPS Signature Protection (FortiADC & FortiProxy)

FortiADC supports IPS signature to mitigate Log4j (version 19.215).
FortiProxy supports IPS signature to mitigate Log4j (version 19.215).

Web Application Firewall (FortiWeb & FortiWeb Cloud)

Web application signatures to prevent this vulnerability were added in database 0.00301 and have been updated in the latest release 0.00305 for additional coverage.

Impacted Fortinet Products

For Fortinet impacted products, please see the Fortinet PSIRT Advisory for details. This Advisory will be updated as mitigations are put in place and as pathed versions are issued.

Net-Ctrl provide network and structured cabling solutions as either a stand-alone installation, or to compliment products and solutions that we offer.

We provide an automated Cybersecurity awareness training solution covering both simulated phishing and training courses.

Offering end-to-end, affordable and competitive financing solutions to help you achieve your business goals. 

Net-Ctrl provides two excellent support packages in addition to any equipment purchased. Find out about our Silver or Gold support package

IP-CCTV site survey to assess camera locations and requirement and existing Mobotix solution health checks.

Net-Ctrl offers our Cloud WLAN. Delivering market-leading patented technology managed by the Net-Ctrl engineering team.

Net-Ctrl offers a range of wireless network solutions. We explore some common questions related to these solutions.

Predictive, Pre-Deployment, Post Installation and Health Check Wireless Surveys carried out by certified wireless engineers.