Log4shell or Log4j2 or more simply CVE-2021-44228 is being called the greatest vulnerability to hit the interest... ever. Log4j2 impact touches anything that uses Apache’s opensource logging service Log4j prior to version 2.15.0. And that’s a lot of systems. In fact, it’s said to impact most of the web services attached to the Internet at the time of the exploit’s announcement on December 9th, 2021. That’s a lot of systems to patch. How does a cyber team work through all of the known and shadow IT inventory? Further, what if those systems are the heart of the company running critical financial and management functions, such as a SAP or other ERP system? Patching of these systems must be prioritized, but it will take time. More immediately, cyber teams should be looking to their security partners to implement network-wide mitigation that can be broadly and swiftly deployed. Fortinet has rolled out several countermeasures to stop 44228 right now. This approach, which you can think of as virtual patching, will protect your systems while buying time for system admins and vendors to roll out application-specific patches.
Protecting SAP and other ERP systems must be a high priority. SAP has published a bulletin as of December 14th, 2021 of the impacted products which can be found here. However, patching and validating those systems is not a trivial task.
Fortinet can help mitigate the impact of log4shell across the SAP landscape in the following ways:
- FortiGate NGFW protects ingress and egress points to the landscape while providing internal segmentation between applications and production and pre-production environments. FortiGate NGFW supports protocol-specific inspection of SAP and Java traffic. IPS signature package 19.218+ blocks attempts to exploit the Log4j2 vulnerability.
- FortiWeb and FortiWeb Cloud secures web applications and API gateways by inspecting incoming HTTP(s) connections which may typically connect to Fiori or Java web applications. FortiWeb can inspect TLS traffic and block attempts to exploit the Log4j2 vulnerability through content and header inspection. FortiWeb web application signatures to prevent this vulnerability were first added in database 0.00305 and have been updated in recent releases to add additional coverage.
- FortiADC is a multiprotocol load balancer and WAF integrated directly into the SAP Message Server and is aware of application server and load-balanced pools within the SAP environment. FortiADC’s IPS package version 19.218+ includes mitigations of Log4j2.
- FortiProxy also provides IPS services and will detect and blog Log4j2 exploit attempts with IPS package version 19.218+
- FortiClient version 19.281 blocks attack attempts to exploit a Remote Code Execution Vulnerability in Apache Log4j. In addition, version 6.2 and above will verify endpoint protections and monitor for any alerts related to Log4j2 exploit attempts.
- FortiEDR 5.0 and above monitors and protects against payloads delivered by exploitation of the vulnerability. It will also hunt for vulnerable jar files pertaining to Log4j2 vulnerability.
- FortiCWP version 21.3.0 will protect CI/CD pipeline and detect the presence of log4j2 vulnerability in container images.
- FortiAnalyzer version 1.00038 and above will detect indications of the log4j2 vulnerability and trigger an outbreak alert – using data from across the Fortinet Security Fabric.
- FortiSIEM will detect indicators for the Log4j2 vulnerability from data collected across the security fabric as well as from 3rd party products.
- With the integration from SecurityBridge into the Fortinet Security Fabric, we can show log4j attack events against SAP Systems within the SecurityBridge Solution to correlate with internal SAP alerts and events.
Fortinet is the only network and application security provider able to provide secure the entire SAP landscape. Fortinet has built connectors allowing the Fortinet security fabric to changes in the SAP landscape. We have also incorporated SAP-specific threat detections for our solutions.
To learn more about Fortinet’s SAP portfolio, visit https://fortinet.com/sap.