Apache Log4j is a Java-based logging audit framework, and Apache Log4j2 2.14.1 and below are susceptible to a remote code execution vulnerability that an attacker can leverage to take full control of a machine.
This module is a dependency of a great deal of other software, which means it can be found in many products, and the flaw is trivial to exploit. It is critical that organizations take immediate action to inventory their systems and prioritize remediation.
Until a few days ago, most people would not have had any knowledge of the Log4j2 software. However, this little-known module is commonly used by other larger software, which means it is found in many products and locations. Some of the early alarm bells were raised by Swedish online game developer, Mojang Studios, after their users' Minecraft servers were compromised.
The vulnerability impacts default configurations of a number of Apache frameworks, including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink, which are utilized by numerous organizations from Apple, Amazon, Google, Twitter, and thousands of others, including Fortinet.
The vulnerability is triggered simply by sending a specific JNDI string to the Log4j software, which causes the download and execution of malicious software, as shown.
The issue is easy to exploit, and the broad utilization of this software means there are multiple attack vectors. We expect more to be uncovered over the coming months. FortiGuard Labs is already seeing rapid growth in detected attacks.
Detections are concentrated on devices in North America and Brazil, although this is likely related to the size of these countries rather than any particular targeting at this time.
Fortinet has created an Outbreak Alert for this incident which allows customers to track indicators of compromise (IOCs) and apply protections against this issue using the Fortinet Security Fabric.
Protections are available across the whole Fortinet Security Fabric to help defend against this attack. Fortinet has released the following:
IPS signature Apache.Log4j.Error.Log.Remote.Code.Execution, with VID 51006, to address this threat. This signature was initially released in IPS package version 19.215. Please note that since this was an emergency release, the default action for this signature was set to pass; please modify the action according to your needs. As of IPS DB version 19.217 this signature is set to drop by default.
FortiADC supports the IPS signature to mitigate Log4j (version 19.215).
FortiProxy supports the IPS signature to mitigate Log4j (version 19.215).
Web application signatures to prevent this vulnerability were added in database 0.00301 and have been updated in the latest release 0.00305 for additional coverage.
For impacted Fortinet products, please see the Fortinet PSIRT Advisory for details. This Advisory will be updated as mitigations are put in place and as patched versions are issued.
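The inventory step above is the one most organizations struggle with, so here is an added example (not Fortinet's code or tooling) that walks a directory tree for Java archives, reads the log4j-core version from the Maven pom.properties entry, and checks whether the JndiLookup class is still shipped. The affected range (2.x up to and including 2.14.1) and the class and property paths are the standard ones; the sample jars it builds are constructed purely for demonstration.

```python
import tempfile
import zipfile
from pathlib import Path

# The JNDI lookup plugin; removing this class from log4j-core was a published mitigation.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
VULN_MAX = (2, 14, 1)  # Log4j 2.x up to and including 2.14.1 carries CVE-2021-44228

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); qualifiers such as '2.0-beta9' are cut at the dash."""
    return tuple(int(p) for p in text.split("-")[0].split("."))

def scan_jar(path):
    """Inspect one archive: log4j-core version, JndiLookup presence, and a verdict."""
    info = {"path": str(path), "version": None, "has_jndi_lookup": False, "vulnerable": False}
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        info["has_jndi_lookup"] = JNDI_CLASS in names
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    info["version"] = line.split("=", 1)[1].strip()
    ver = info["version"]
    # Unknown version (e.g. a shaded jar): stay conservative and judge on the class alone.
    in_range = ver is None or (2,) <= parse_version(ver) <= VULN_MAX
    info["vulnerable"] = in_range and info["has_jndi_lookup"]
    return info

def scan_tree(root):
    """Walk a directory and scan every .jar/.war/.ear (nested archives are not opened)."""
    return [scan_jar(p) for p in Path(root).rglob("*") if p.suffix in {".jar", ".war", ".ear"}]

def make_sample_jar(directory, name, version, with_jndi):
    """Build a constructed, minimal log4j-core-like jar for demonstration only."""
    path = Path(directory) / name
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic; body irrelevant here
    return path

def demo():
    """Create three constructed jars in a temp dir and scan them; returns {jar name: verdict}."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_jar(tmp, "log4j-core-2.14.1.jar", "2.14.1", True)
        make_sample_jar(tmp, "log4j-core-2.17.0.jar", "2.17.0", True)
        make_sample_jar(tmp, "log4j-core-2.14.1-stripped.jar", "2.14.1", False)
        return {Path(r["path"]).name: r["vulnerable"] for r in scan_tree(tmp)}
```

Calling `demo()` flags only the unmodified 2.14.1 jar; point `scan_tree()` at an application directory to inventory real deployments, remembering that jars nested inside .war files need a second pass.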
NOTE: This blog has been updated to reflect new information relating to the initial Log4j vulnerability (CVE-2021-44228). For detailed analysis of subsequent Log4j vulnerabilities (CVE-2021-45046, CVE-2021-45104) and a Mirai-based attack leveraging a Log4j vulnerability, please see our latest blog, “Critical Apache Log4j (Log4Shell) Vulnerability Updates: What You Need to Know.”