Log4j Exploit 0-Day
The Omada SDN software includes the vulnerable Log4j java files. Hopefully TP-Link provides a patch soon as all information indicates this 0-Day is being actively exploited, what that means to the Omada SDN is not exactly known.
----
As a quick update and NO WARRANTY on this information is expressed.
Following the same advice given to Ubiquiti users on their forums before they released a release candidate patch you can stop the Omada software, replace the log4j java files and then re-start the controller. I have verified this appears to not cause any issues on my controller, of course this only works if you are hosting on Windows or Linux. Thank you to leonardogyn on the Unifi forums.
-
downloaded 2.15.0 log4j zip/tgz package from the apache log4j repository
-
extracted the file
-
stopped the Omada SDN Controller
-
moved the newly extracted files
log4j-api-2.15.0.jar
log4j-core-2.15.0.jar
log4j-slf4j-impl-2.15.0.jar
to <Omada SDN>/lib/ *BUT* renaming them to overwrite the existing 2.13.3 files. You can't get them with their 2.15.0 names there, you need to overwrite the existing 2.13.3 files with the newer ones.
5) once log4j*jar files are replaced, just restart the Controller, and you're good to go!
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi All,
pmfjoe wrote
The Omada SDN software includes the vulnerable Log4j java files. Hopefully TP-Link provides a patch soon as all information indicates this 0-Day is being actively exploited, what that means to the Omada SDN is not exactly known.
Thank you so much for your valued feedback!
Here is the solution provided for this Log4j vulnerability.
[Solution] Apache Log4j Vulnerability in Omada Controller
Thank you for your attention!
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
@pmfjoe Is it safe to assume this vulnerability also exists on the hardware controllers like OC200 and OC300?
- Copy Link
- Report Inappropriate Content
It does affect the Ubiquiti CloudKey/Dream Machine and since it seems there are a lot of similarities I think it is safe to assume it does.
- Copy Link
- Report Inappropriate Content
Thanks for that @pmjoe; I'm still on the old controller so renamed the files to be 2.8.2 and it started up fine. Also changed the owner to match the other files. Cheers!
Edit: By "old controller", I mean 3.2.14 because I'm still using an EAP245v1 which TPL has cut loose as far as support goes...it seems.
- Copy Link
- Report Inappropriate Content
Hi All,
pmfjoe wrote
The Omada SDN software includes the vulnerable Log4j java files. Hopefully TP-Link provides a patch soon as all information indicates this 0-Day is being actively exploited, what that means to the Omada SDN is not exactly known.
Thank you so much for your valued feedback!
Here is the solution provided for this Log4j vulnerability.
[Solution] Apache Log4j Vulnerability in Omada Controller
Thank you for your attention!
- Copy Link
- Report Inappropriate Content
@Fae I'm not too keen on trying the beta on my OC200 and 300 that are in use in production. Will the AP's continue to run if I just disconnect the controller until the patch is out of beta? I realize I won't get insights or be able to make changes...
- Copy Link
- Report Inappropriate Content
Dear @JustAnotherDave,
JustAnotherDave wrote
I'm not too keen on trying the beta on my OC200 and 300 that are in use in production. Will the AP's continue to run if I just disconnect the controller until the patch is out of beta? I realize I won't get insights or be able to make changes...
The Beta firmware has been tested and confirmed to be effective, it just hasn't gone through an internal review process for official release (which takes a long time). If you are looking for an urgent solution, the Beta firmware can also be a reliable option.
If the controller is offline(unplugged), the Omada devices can still work with basic functions, but some advanced features will not take effect.
For more details, please kindly check the article below (it applied to all Omada Devices including the router and switch).
Will the Configuration Still Work with EAPs When the Omada Controller Goes Offline?
- Copy Link
- Report Inappropriate Content
Instead of renaming the new files, just move the old ones out of the way and create symlinks with the old names to the new files.
That way its quite a bit more clear which version you are actually using.
-Jon C.
- Copy Link
- Report Inappropriate Content
Thanks Jon, did exactly that today with 2.17.1. :)
- Copy Link
- Report Inappropriate Content
Information
Helpful: 3
Views: 6615
Replies: 9