Command injection in log & report module

Summary

An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in FortiADC, FortiDDoS and FortiDDoS-F may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands.

Affected Products

FortiDDoS-F 6.5 all versions are not affected
FortiDDoS-F version 6.4.0
FortiDDoS-F version 6.3.0 through 6.3.3
FortiDDoS-F version 6.2.0 through 6.2.2
FortiDDoS-F version 6.1.0 through 6.1.4
FortiADC 7.2 all versions are not affected
FortiADC version 7.1.0
FortiADC version 7.0.0 through 7.0.3
FortiADC version 6.2.0 through 6.2.4
FortiADC 6.1 all versions
FortiADC 6.0 all versions
FortiADC 5.4 all versions
FortiADC 5.3 all versions
FortiADC 5.2 all versions
FortiADC 5.1 all versions
FortiADC 5.0 all versions
FortiDDoS 5.7 all versions are not affected
FortiDDoS 5.6 all versions
FortiDDoS 5.5 all versions
FortiDDoS 5.4 all versions
FortiDDoS 5.3 all versions
FortiDDoS 5.2 all versions
FortiDDoS 5.1 all versions
FortiDDoS 5.0 all versions
FortiDDoS 4.7 all versions
FortiDDoS 4.6 all versions
FortiDDoS 4.5 all versions
FortiDDoS 4.4 all versions
FortiDDoS 4.3 all versions
FortiDDoS 4.2 all versions
FortiDDoS 4.1 all versions
FortiDDoS 4.0 all versions

Solutions

Please upgrade to FortiDDoS-F version 6.4.1 or above
Please upgrade to FortiDDoS-F version 6.3.4 or above
Please upgrade to FortiDDoS-F version 6.2.3 or above
Please upgrade to FortiDDoS-F version 6.1.5 or above
Please upgrade to FortiDDoS version 5.7.0 or above
Please upgrade to FortiDDoS version 5.6.2 or above
Please upgrade to FortiDDoS version 5.5.2 or above
Please upgrade to FortiDDoS version 5.4.3 or above
Please upgrade to FortiADC version 7.1.1 or above
Please upgrade to FortiADC version 7.0.4 or above
Please upgrade to FortiADC version 6.2.5 or above

Timeline

2023-04-11: Initial publication