This release fixes the following vulnerability.
FortiSIEM installations ship with a hardcoded SSH key (the same key on every installation) for the user tunneluser. Anyone who extracts that key can authenticate as tunneluser to the Supervisor over SSH on ports 22 and 19999.
- This release is provided ONLY as an upgrade, for all platforms; there is no fresh-install image for 5.2.7.
- If you want to install FortiSIEM 5.2.7, follow these steps:
  - Install 5.2.6 or earlier.
  - Choose the final event database storage: local disk, FortiSIEM EventDB on NFS, or Elasticsearch.
  - Then upgrade to 5.2.7.
One FortiSIEM module (the 3rd party ThreatConnect SDK) uses Apache log4j version 2.8 for logging and is therefore vulnerable to the recently discovered remote code execution vulnerability CVE-2021-44228 (Log4Shell). FortiSIEM 5.2.6 through 5.4.0 are affected.
These instructions describe how to mitigate the vulnerability without upgrading Apache log4j to the latest stable version (2.16 or higher). All steps are performed on the Supervisor node only.
Log on to the Supervisor via SSH as root.
Mitigating the 3rd party ThreatConnect SDK module:
- Delete these log4j jar files under
- Restart all Java processes by running:
"killall -9 java"
Note that "killall -9 java" sends SIGKILL to every Java process on the Supervisor, not only the ThreatConnect SDK, so expect all Java-based FortiSIEM services on the node to be interrupted while they restart.
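The following script is an added example for the mitigation procedure above; it is not Fortinet's own tooling. Because this page does not give the directory that holds the ThreatConnect SDK jars, the search directory is a parameter (hypothetical), and the version rule follows the text's threshold of "2.16 or higher": any log4j 2.x jar whose version is below 2.16 is reported and, unless DRY_RUN=1 is set, deleted, after which the restart command from the text is run. RESTART_CMD is a hypothetical override so the restart step can be replaced during a test.

```shell
#!/bin/sh
# Added example, not FortiSIEM's own script.
# Finds log4j 2.x jars below 2.16 under a directory, deletes them and
# restarts Java, following the mitigation steps described on the page.

# Print "major minor" for a jar name such as log4j-core-2.8.jar.
# Returns 1 for names that are not log4j 2.x jars (log4j 1.x jars have
# no second "-" before the version and are therefore skipped).
log4j_version_of() {
    base=$(basename "$1")
    ver=$(printf '%s' "$base" | \
        sed -n 's/^log4j-.*-\([0-9][0-9]*\)\.\([0-9][0-9]*\).*\.jar$/\1 \2/p')
    [ -n "$ver" ] || return 1
    printf '%s\n' "$ver"
}

# True when "major minor" is below 2.16, the threshold given in the text.
# Caveat: the 2.12.x / 2.3.x back-ported fixes are not special-cased;
# anything below 2.16 is treated as vulnerable, as the text's rule says.
log4j_is_vulnerable() {
    set -- $1
    [ "$1" -eq 2 ] && [ "$2" -lt 16 ]
}

# List every vulnerable log4j jar under DIR (hypothetical path), one per line.
find_vulnerable_log4j_jars() {
    find "$1" -type f -name 'log4j-*.jar' | while read -r jar; do
        ver=$(log4j_version_of "$jar") || continue
        if log4j_is_vulnerable "$ver"; then
            printf '%s\n' "$jar"
        fi
    done
}

# Delete the vulnerable jars under DIR, then run the restart step from the
# page ("killall -9 java", which stops every Java process on the node).
# DRY_RUN=1 only reports; RESTART_CMD overrides the restart command.
# Prints the number of jars found.
mitigate_log4j() {
    dir=$1
    count=$(find_vulnerable_log4j_jars "$dir" | wc -l | tr -d ' ')
    find_vulnerable_log4j_jars "$dir" | while read -r jar; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would delete $jar" >&2
        else
            rm -f -- "$jar"
        fi
    done
    if [ "$count" -gt 0 ] && [ "${DRY_RUN:-0}" != 1 ]; then
        ${RESTART_CMD:-killall -9 java}
    fi
    echo "$count"
}

# Usage (as root on the Supervisor, with the real jar directory):
#   DRY_RUN=1 mitigate_log4j /path/to/threatconnect/lib   # report only
#   mitigate_log4j /path/to/threatconnect/lib             # delete + restart
```

Run it first with DRY_RUN=1 to confirm that only the ThreatConnect SDK's log4j jars are matched, since the search is by file name and a broad directory could also catch jars belonging to other components.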