Log4j Exploit 0-Day

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Log4j Exploit 0-Day

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Log4j Exploit 0-Day
Log4j Exploit 0-Day
2021-12-11 00:28:35 - last edited 2021-12-13 12:32:51

The Omada SDN software includes the vulnerable Log4j java files. Hopefully TP-Link provides a patch soon as all information indicates this 0-Day is being actively exploited, what that means to the Omada SDN is not exactly known.

----

As a quick update and NO WARRANTY on this information is expressed.

Following the same advice given to Ubiquiti users on their forums before they released a release candidate patch you can stop the Omada software, replace the log4j java files and then re-start the controller. I have verified this appears to not cause any issues on my controller, of course this only works if you are hosting on Windows or Linux. Thank you to leonardogyn on the Unifi forums.

  1. downloaded 2.15.0 log4j zip/tgz package from the apache log4j repository

  2. extracted the file

  3. stopped the Omada SDN Controller

  4. moved the newly extracted files

log4j-api-2.15.0.jar

log4j-core-2.15.0.jar

log4j-slf4j-impl-2.15.0.jar

to <Omada SDN>/lib/ *BUT* renaming them to overwrite the existing 2.13.3 files. You can't get them with their 2.15.0 names there, you need to overwrite the existing 2.13.3 files with the newer ones.

5) once log4j*jar files are replaced, just restart the Controller, and you're good to go!

  3      
  3      
#1
Options
1 Accepted Solution
Re:Log4j Exploit 0-Day-Solution
2021-12-13 12:32:43 - last edited 2021-12-13 12:32:51

Hi All, 

 

pmfjoe wrote

The Omada SDN software includes the vulnerable Log4j java files. Hopefully TP-Link provides a patch soon as all information indicates this 0-Day is being actively exploited, what that means to the Omada SDN is not exactly known.

 

Thank you so much for your valued feedback!

 

Here is the solution provided for this Log4j vulnerability.

[Solution] Apache Log4j Vulnerability in Omada Controller 

 

Thank you for your attention!

>> Omada EAP Firmware Trial Available Here << *Try filtering posts on each forum by Label of [Early Access]*
Recommended Solution
  1  
  1  
#6
Options
9 Reply
Re:Log4j Exploit 0-Day
2021-12-11 05:29:23

@pmfjoe 

 

Good short term fix, hopefully TP Link acts quickly and provides an official fix.

  0  
  0  
#2
Options
Re:Log4j Exploit 0-Day
2021-12-11 10:26:24

@pmfjoe Is it safe to assume this vulnerability also exists on the hardware controllers like OC200 and OC300?

  1  
  1  
#3
Options
Re:Log4j Exploit 0-Day
2021-12-11 14:54:28

@ggeoffreyyy 

 

It does affect the Ubiquiti CloudKey/Dream Machine and since it seems there are a lot of similarities I think it is safe to assume it does.

  0  
  0  
#4
Options
Re:Log4j Exploit 0-Day
2021-12-12 00:10:28 - last edited 2021-12-13 13:55:36

Thanks for that @pmjoe; I'm still on the old controller so renamed the files to be 2.8.2 and it started up fine. Also changed the owner to match the other files. Cheers!

 

Edit: By "old controller", I mean 3.2.14 because I'm still using an EAP245v1 which TPL has cut loose as far as support goes...it seems.

APs: EAP225v3, EAP245v3, EAP670, Controller: Linux, Primary Switch: T2600-28TS, Routing: OPNsense
  0  
  0  
#5
Options
Re:Log4j Exploit 0-Day-Solution
2021-12-13 12:32:43 - last edited 2021-12-13 12:32:51

Hi All, 

 

pmfjoe wrote

The Omada SDN software includes the vulnerable Log4j java files. Hopefully TP-Link provides a patch soon as all information indicates this 0-Day is being actively exploited, what that means to the Omada SDN is not exactly known.

 

Thank you so much for your valued feedback!

 

Here is the solution provided for this Log4j vulnerability.

[Solution] Apache Log4j Vulnerability in Omada Controller 

 

Thank you for your attention!

>> Omada EAP Firmware Trial Available Here << *Try filtering posts on each forum by Label of [Early Access]*
Recommended Solution
  1  
  1  
#6
Options
Re:Log4j Exploit 0-Day
2021-12-13 19:09:21

@Fae I'm not too keen on trying the beta on my OC200 and 300 that are in use in production.  Will the AP's continue to run if I just disconnect the controller until the patch is out of beta?  I realize I won't get insights or be able to make changes...

  0  
  0  
#7
Options
Re:Log4j Exploit 0-Day
2021-12-16 03:20:42

Dear @JustAnotherDave,

 

JustAnotherDave wrote

I'm not too keen on trying the beta on my OC200 and 300 that are in use in production.  Will the AP's continue to run if I just disconnect the controller until the patch is out of beta?  I realize I won't get insights or be able to make changes...

 

The Beta firmware has been tested and confirmed to be effective, it just hasn't gone through an internal review process for official release (which takes a long time). If you are looking for an urgent solution, the Beta firmware can also be a reliable option.

 

If the controller is offline(unplugged), the Omada devices can still work with basic functions, but some advanced features will not take effect.

For more details, please kindly check the article below (it applied to all Omada Devices including the router and switch).

 

Will the Configuration Still Work with EAPs When the Omada Controller Goes Offline?

>> Omada EAP Firmware Trial Available Here << *Try filtering posts on each forum by Label of [Early Access]*
  0  
  0  
#8
Options
Re:Log4j Exploit 0-Day
2021-12-22 15:24:47 - last edited 2021-12-22 15:25:11

Instead of renaming the new files, just move the old ones out of the way and create symlinks with the old names to the new files. 

That way its quite a bit more clear which version you are actually using.

 

-Jon C.

  0  
  0  
#9
Options
Re:Log4j Exploit 0-Day
2021-12-28 23:03:34

@jcaino 

Thanks Jon, did exactly that today with 2.17.1.  :)

APs: EAP225v3, EAP245v3, EAP670, Controller: Linux, Primary Switch: T2600-28TS, Routing: OPNsense
  0  
  0  
#10
Options