Home

Forums

Stories

Knowledge Base

Business Community > Controllers > Log4j Exploit 0-Day

< Controllers

Log4j Exploit 0-Day

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Log4j Exploit 0-Day

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Log4j Exploit 0-Day

pmfjoe

2021-12-11 00:28:35 - last edited 2021-12-13 12:32:51

Posts: 2

Helpful: 3

Solutions: 0

Stories: 0

Registered: 2021-12-11

Log4j Exploit 0-Day

2021-12-11 00:28:35 - last edited 2021-12-13 12:32:51

The Omada SDN software includes the vulnerable Log4j java files. Hopefully TP-Link provides a patch soon as all information indicates this 0-Day is being actively exploited, what that means to the Omada SDN is not exactly known.

----

As a quick update and NO WARRANTY on this information is expressed.

Following the same advice given to Ubiquiti users on their forums before they released a release candidate patch you can stop the Omada software, replace the log4j java files and then re-start the controller. I have verified this appears to not cause any issues on my controller, of course this only works if you are hosting on Windows or Linux. Thank you to leonardogyn on the Unifi forums.

downloaded 2.15.0 log4j zip/tgz package from the apache log4j repository
extracted the file
stopped the Omada SDN Controller
moved the newly extracted files

log4j-api-2.15.0.jar

log4j-core-2.15.0.jar

log4j-slf4j-impl-2.15.0.jar

to <Omada SDN>/lib/ *BUT* renaming them to overwrite the existing 2.13.3 files. You can't get them with their 2.15.0 names there, you need to overwrite the existing 2.13.3 files with the newer ones.

5) once log4j*jar files are replaced, just restart the Controller, and you're good to go!

1 Accepted Solution

Fae

2021-12-13 12:32:43 - last edited 2021-12-13 12:32:51

Posts: 3613

Helpful: 1358

Solutions: 474

Stories: 0

Registered: 2020-06-30

Re:Log4j Exploit 0-Day-Solution

2021-12-13 12:32:43 - last edited 2021-12-13 12:32:51

Hi All,

pmfjoe wrote

The Omada SDN software includes the vulnerable Log4j java files. Hopefully TP-Link provides a patch soon as all information indicates this 0-Day is being actively exploited, what that means to the Omada SDN is not exactly known.

Thank you so much for your valued feedback!

Here is the solution provided for this Log4j vulnerability.

[Solution] Apache Log4j Vulnerability in Omada Controller

Thank you for your attention!

>> Omada EAP Firmware Trial Available Here << *Try filtering posts on each forum by Label of [Early Access]*

Recommended Solution

9 Reply

johnsnow88

LV2

2021-12-11 05:29:23

Posts: 72

Helpful: 21

Solutions: 0

Stories: 0

Registered: 2021-06-25

Re:Log4j Exploit 0-Day

2021-12-11 05:29:23

@pmfjoe

Good short term fix, hopefully TP Link acts quickly and provides an official fix.

ggeoffreyyy

LV1

2021-12-11 10:26:24

Posts: 6

Helpful: 3

Solutions: 0

Stories: 0

Registered: 2021-09-29

Re:Log4j Exploit 0-Day

2021-12-11 10:26:24

@pmfjoe Is it safe to assume this vulnerability also exists on the hardware controllers like OC200 and OC300?

pmfjoe

LV1

2021-12-11 14:54:28

Posts: 2

Helpful: 3

Solutions: 0

Stories: 0

Registered: 2021-12-11

Re:Log4j Exploit 0-Day

2021-12-11 14:54:28

@ggeoffreyyy

It does affect the Ubiquiti CloudKey/Dream Machine and since it seems there are a lot of similarities I think it is safe to assume it does.

GPB

LV2

2021-12-12 00:10:28 - last edited 2021-12-13 13:55:36

Posts: 55

Helpful: 17

Solutions: 1

Stories: 0

Registered: 2018-10-02

Re:Log4j Exploit 0-Day

2021-12-12 00:10:28 - last edited 2021-12-13 13:55:36

Thanks for that @pmjoe; I'm still on the old controller so renamed the files to be 2.8.2 and it started up fine. Also changed the owner to match the other files. Cheers!

Edit: By "old controller", I mean 3.2.14 because I'm still using an EAP245v1 which TPL has cut loose as far as support goes...it seems.

APs: EAP225v3, EAP245v3, EAP670, Controller: Linux, Primary Switch: T2600-28TS, Routing: OPNsense

Fae

2021-12-13 12:32:43 - last edited 2021-12-13 12:32:51

Posts: 3613

Helpful: 1358

Solutions: 474

Stories: 0

Registered: 2020-06-30

Re:Log4j Exploit 0-Day-Solution

2021-12-13 12:32:43 - last edited 2021-12-13 12:32:51

Hi All,

pmfjoe wrote

The Omada SDN software includes the vulnerable Log4j java files. Hopefully TP-Link provides a patch soon as all information indicates this 0-Day is being actively exploited, what that means to the Omada SDN is not exactly known.

Thank you so much for your valued feedback!

Here is the solution provided for this Log4j vulnerability.

[Solution] Apache Log4j Vulnerability in Omada Controller

Thank you for your attention!

>> Omada EAP Firmware Trial Available Here << *Try filtering posts on each forum by Label of [Early Access]*

Recommended Solution

JustAnotherDave

LV1

2021-12-13 19:09:21

Posts: 6

Helpful: 0

Solutions: 0

Stories: 0

Registered: 2021-12-13

Re:Log4j Exploit 0-Day

2021-12-13 19:09:21

@Fae I'm not too keen on trying the beta on my OC200 and 300 that are in use in production. Will the AP's continue to run if I just disconnect the controller until the patch is out of beta? I realize I won't get insights or be able to make changes...

Fae

2021-12-16 03:20:42

Posts: 3613

Helpful: 1358

Solutions: 474

Stories: 0

Registered: 2020-06-30

Re:Log4j Exploit 0-Day

2021-12-16 03:20:42

Dear @JustAnotherDave,

JustAnotherDave wrote

I'm not too keen on trying the beta on my OC200 and 300 that are in use in production. Will the AP's continue to run if I just disconnect the controller until the patch is out of beta? I realize I won't get insights or be able to make changes...

The Beta firmware has been tested and confirmed to be effective, it just hasn't gone through an internal review process for official release (which takes a long time). If you are looking for an urgent solution, the Beta firmware can also be a reliable option.

If the controller is offline(unplugged), the Omada devices can still work with basic functions, but some advanced features will not take effect.

For more details, please kindly check the article below (it applied to all Omada Devices including the router and switch).

Will the Configuration Still Work with EAPs When the Omada Controller Goes Offline?

>> Omada EAP Firmware Trial Available Here << *Try filtering posts on each forum by Label of [Early Access]*

jcaino

LV1

2021-12-22 15:24:47 - last edited 2021-12-22 15:25:11

Posts: 2

Helpful: 0

Solutions: 0

Stories: 0

Registered: 2021-10-08

Re:Log4j Exploit 0-Day

2021-12-22 15:24:47 - last edited 2021-12-22 15:25:11

Instead of renaming the new files, just move the old ones out of the way and create symlinks with the old names to the new files.

That way its quite a bit more clear which version you are actually using.

-Jon C.

GPB

LV2

2021-12-28 23:03:34

Posts: 55

Helpful: 17

Solutions: 1

Stories: 0

Registered: 2018-10-02

Re:Log4j Exploit 0-Day

2021-12-28 23:03:34

@jcaino

Thanks Jon, did exactly that today with 2.17.1. :)

APs: EAP225v3, EAP245v3, EAP670, Controller: Linux, Primary Switch: T2600-28TS, Routing: OPNsense

#10

Log4j Exploit 0-Day

Log4j Exploit 0-Day

Information

Voters 3

Tags