What's New in 5.2.7

Bug Fixes

This release fixes the following vulnerability.

FortiSIEM installations ship a hardcoded SSH key for a specific user (name: tunneluser), tracked as CVE-2019-17659. Because the same key is present in every installation, anyone who obtains it from one installation or from a firmware image can authenticate as tunneluser to the Supervisor over SSH on ports 22 and 19999, without any credential specific to the target.
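
A practical follow-up check, added here as an example and not part of Fortinet's release note or product: on a single host a key that was baked into the product image looks like any other authorized key, but it carries the same fingerprint on every installation. Collecting the tunneluser authorized_keys file from each upgraded Supervisor and comparing fingerprints across them shows whether any key is still shared. The Python below does that comparison; the installation names, key options and key blobs in it are constructed sample data, not real FortiSIEM keys.

```python
"""Find SSH keys accepted on more than one FortiSIEM Supervisor.

Added example, not Fortinet code. A hardcoded key has the same fingerprint
on every installation, which a per-host check cannot see; comparing the
tunneluser authorized_keys files of several installations can.
"""
import base64
import hashlib
from collections import defaultdict

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")


def split_key(line: str):
    """Split one authorized_keys line into (key type, base64 blob, comment).

    Leading key options such as 'no-pty,command="/bin/false"' are skipped by
    locating the first field that is an OpenSSH key type. Options whose
    quoted value contains spaces are not handled.
    """
    fields = line.split()
    idx = next(i for i, f in enumerate(fields) if f.startswith(KEY_TYPE_PREFIXES))
    return fields[idx], fields[idx + 1], " ".join(fields[idx + 2:])


def ssh_fingerprint(line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of the key on an authorized_keys line.

    SHA-256 over the decoded key blob, base64 without padding: the same value
    `ssh-keygen -lf` prints, so results can be compared with that tool.
    """
    _, blob_b64, _ = split_key(line)
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprints(authorized_keys_text: str) -> list:
    """Fingerprints of every key line, skipping blanks and '#' comments."""
    return [ssh_fingerprint(l) for l in authorized_keys_text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def shared_keys(installs: dict) -> dict:
    """Fingerprints accepted on two or more installations.

    installs maps an installation name to the text of its tunneluser
    authorized_keys file. A fingerprint seen under more than one name is not
    unique to an installation, which is the shape of a hardcoded key.
    Returns {fingerprint: sorted installation names}.
    """
    seen = defaultdict(set)
    for name, text in installs.items():
        for fp in fingerprints(text):
            seen[fp].add(name)
    return {fp: sorted(names) for fp, names in seen.items() if len(names) > 1}


def _constructed_blob(label: bytes) -> str:
    """Stand-in key blob: only the bytes matter to the fingerprint, so no real
    key material is needed to exercise the comparison."""
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + label).decode()


SHARED_BLOB = _constructed_blob(b"same-key-on-every-image")
UNIQUE_BLOB = _constructed_blob(b"generated-on-supervisor-b-only")

# Constructed sample: two Supervisors, one key common to both (with different
# key options, which must not change the fingerprint) and one unique key.
SAMPLE_INSTALLS = {
    "supervisor-a": (
        "# tunneluser authorized_keys, constructed sample\n"
        f"ssh-rsa {SHARED_BLOB} tunneluser@image\n"
    ),
    "supervisor-b": (
        f'no-pty,command="/bin/false" ssh-rsa {SHARED_BLOB} tunneluser@image\n'
        f"ssh-rsa {UNIQUE_BLOB} tunneluser@supervisor-b\n"
    ),
}

if __name__ == "__main__":
    for fp, names in shared_keys(SAMPLE_INSTALLS).items():
        print(f"{fp} is accepted on {len(names)} installations: {', '.join(names)}")
```

Any fingerprint the script reports after the 5.2.7 upgrade is a key that is still common to several Supervisors and should be replaced with one generated on each installation; an empty result means every tunneluser key is unique to its host.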

Upgrade Notes

  1. This release is provided ONLY as an upgrade, for all platforms; there is no fresh-install image for 5.2.7.
  2. To install FortiSIEM 5.2.7, follow these steps:
    1. Install 5.2.6 or earlier.
    2. Choose the final event database storage: local disk, FortiSIEM EventDB on NFS, or Elasticsearch.
    3. Then upgrade to 5.2.7.

Known Issues

Remediation Steps for CVE-2021-44228

One FortiSIEM module (the third-party ThreatConnect SDK) uses Apache log4j 2.8 for logging and is therefore vulnerable to the Log4Shell remote code execution vulnerability (CVE-2021-44228). FortiSIEM releases 5.2.6 through 5.4.0 are affected.

These instructions mitigate the vulnerability without upgrading Apache log4j to a fixed release (2.16 or later). Actions need to be taken on the Supervisor node only.

On Supervisor Node

  1. Log on via SSH as root.

  2. Mitigate the third-party ThreatConnect SDK module:

    1. Delete these log4j jar files under /opt/glassfish/domains/domain1/applications/phoenix/lib:

      1. log4j-core-2.8.2.jar

      2. log4j-api-2.8.2.jar

      3. log4j-slf4j-impl-2.6.1.jar

    Removing log4j-core takes the JndiLookup class that the exploit relies on off the classpath, along with the rest of the library. Confirm that all three files are gone before continuing.

  3. Restart all Java processes by running: killall -9 java

    This forcibly terminates every Java process on the Supervisor, the application server included, so that they start again without the removed jars; expect a short service interruption while they come back up.
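
A way to verify the outcome of the steps above, added here as an example and not part of Fortinet's release note or product: once the jars are removed, the lib directory should hold no log4j-core below 2.16.0 and no other jar that still carries the JndiLookup class the exploit reaches. The Python below performs both checks and, as a reversible variant of step 2, moves the three named jars into a sibling quarantine directory instead of deleting them. The lib directory it operates on is a constructed temp copy (the real path appears in step 2 above), and the shaded vendor bundle it contains is hypothetical.

```python
"""Check a lib directory after the CVE-2021-44228 mitigation above.

Added example, not Fortinet code. The release note says what to delete;
this verifies the result on a constructed copy of the lib directory.
"""
import os
import re
import shutil
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 16, 0)          # threshold named in the release note
RELEASE_NOTE_JARS = [               # the three files the release note removes
    "log4j-core-2.8.2.jar",
    "log4j-api-2.8.2.jar",
    "log4j-slf4j-impl-2.6.1.jar",
]
_CORE_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?\.jar$")


def jar_version(filename: str):
    """(major, minor, patch) for a log4j-core jar name, None for anything else."""
    m = _CORE_RE.match(filename)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def jar_entries(path: str):
    """Set of entry names in the jar, or None if it is not a readable zip."""
    try:
        with zipfile.ZipFile(path) as zf:
            return set(zf.namelist())
    except zipfile.BadZipFile:
        return None


def audit_lib_dir(lib_dir: str) -> list:
    """One (filename, reason) per jar that still needs attention.

    For log4j-core jars the version in the filename decides: below
    FIXED_VERSION is flagged. Fixed releases disable JNDI by default rather
    than delete JndiLookup.class, so the class check would only produce false
    positives for them. For every other jar the presence of JndiLookup.class
    is flagged, which catches log4j-core shaded into a differently named bundle.
    """
    findings = []
    for name in sorted(os.listdir(lib_dir)):
        if not name.endswith(".jar"):
            continue
        ver = jar_version(name)
        if ver is not None:
            if ver < FIXED_VERSION:
                findings.append((name, "log4j-core %d.%d.%d is below 2.16.0" % ver))
            continue
        entries = jar_entries(os.path.join(lib_dir, name))
        if entries is None:
            findings.append((name, "not a readable jar, inspect manually"))
        elif JNDI_LOOKUP in entries:
            findings.append((name, "contains " + JNDI_LOOKUP))
    return findings


def quarantine_jars(lib_dir: str, names) -> list:
    """Move jars out of the classpath into a sibling directory instead of
    deleting them (reversible variant of step 2); returns the names moved."""
    backup = lib_dir.rstrip(os.sep) + ".log4j-quarantine"
    os.makedirs(backup, exist_ok=True)
    moved = []
    for name in names:
        src = os.path.join(lib_dir, name)
        if os.path.isfile(src):
            shutil.move(src, os.path.join(backup, name))
            moved.append(name)
    return moved


def make_sample_lib_dir() -> str:
    """Constructed temp lib dir resembling the pre-mitigation state."""
    d = tempfile.mkdtemp(prefix="phoenix-lib-")

    def jar(name, entries):
        with zipfile.ZipFile(os.path.join(d, name), "w") as zf:
            for e in entries:
                zf.writestr(e, b"\xca\xfe\xba\xbe")  # class-file magic only

    jar("log4j-core-2.8.2.jar", [JNDI_LOOKUP, "org/apache/logging/log4j/core/Logger.class"])
    jar("log4j-api-2.8.2.jar", ["org/apache/logging/log4j/Logger.class"])
    jar("log4j-slf4j-impl-2.6.1.jar", ["org/apache/logging/slf4j/Log4jLogger.class"])
    # Hypothetical vendor bundle with log4j-core shaded in: deleting the three
    # named jars leaves it behind, and only the class check sees it.
    jar("vendor-sdk-all.jar", [JNDI_LOOKUP, "com/example/vendor/Client.class"])
    # A fixed release still ships the class; the version check decides for it.
    jar("log4j-core-2.17.0.jar", [JNDI_LOOKUP, "org/apache/logging/log4j/core/Logger.class"])
    return d


if __name__ == "__main__":
    lib = make_sample_lib_dir()
    print("before:", audit_lib_dir(lib))
    quarantine_jars(lib, RELEASE_NOTE_JARS)
    print("after: ", audit_lib_dir(lib))
```

To use it on a Supervisor, point audit_lib_dir at the real lib path instead of the constructed one; a non-empty result after step 2 means something other than the three named jars still carries vulnerable log4j code and needs attention before the Java processes are restarted.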
