Apache Log4j Vulnerability in Omada Controller - Updated on 9 January 2022

Apache Log4j Vulnerability in Omada Controller - Updated on 9 January 2022
Apache Log4j Vulnerability in Omada Controller - Updated on 9 January 2022
2021-12-13 12:23:51 - last edited 2 weeks ago

Hi All,

 

TP-Link is aware of the vulnerability in Apache Log4j used in Omada Controller (CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints). 

 

Affected Products/Services:

 

Omada Cloud Services

Omada Controller (Windows)

Omada Controller (Linux)

Omada Controller OC200

Omada Controller OC300

Omada Discovery Utility

 

Kind note: Pharos Control is not affected.

 

Available Solutions:

 

So far, the TP-Link team has fixed the vulnerability on the cloud platforms, including Omada Cloud-Access.

 

For Local Omada Controllers, you may install the Beta firmware below for an emergency solution.

 

  • Omada SDN Controller:

Omada_Controller_V5.0.15_Windows (Beta)

Omada_Controller_V4.4.6_Linux_x64.tar (Beta)

Omada_Controller_V4.4.6_Linux_x64.deb (Beta)

OC200(UN)_V1_1.14.1_20211213 (Beta) -- Built-in Omada Controller v5.0.21

OC300(UN)_V1_1.2.4_20211213 (Beta) -- Built-in Omada Controller v4.4.6

 

  • Omada Controller V3.2.14:

Omada_Controller_V3.2.15_Windows_32bit (Beta)

Omada_Controller_V3.2.15_Windows_64bit (Beta)

Omada_Controller_V3.2.15_Linux_x64.tar (Beta)

Omada_Controller_V3.2.15_Linux_x64.deb (Beta)

OC200(UN)_V1_1.2.5_Build 20211214 (Beta)

 

Please be sure you have read the Beta Test Agreement before proceeding!

 

Here are the official releases for Omada SDN Controllers to fix the vulnerability:

 

Omada_Controller_V4.4.8_Linux_x64.tar  Release Note >

Omada_Controller_V4.4.8_Linux_x64.deb  Release Note >

Omada_Controller_V5.0.29_Windows  Release Note >

Omada_Controller_V5.0.29_Linux_x64.tar Release Note >

Omada_Controller_V5.0.29_Linux_x64.deb Release Note >

OC200(UN)_V1_1.14.2 Build 20211215  Release Note > Built-in Omada Controller v5.0.29

OC300(UN)_V1_1.7.0 Build 20211215  Release Note > Built-in Omada Controller v5.0.29
 

Kind Note:

1. The Beta firmware provided above has updated log4j version to 2.15.0 to fix the original vulnerability (CVE-2021-44228).

2. The Official firmware provided above has updated log4j version to 2.16.0 to fix the followed vulnerability (CVE-2021-45046).

3. Omada Controllers or Services are NOT affected by the last vulnerability (CVE-2021-45105).

But TP-Link will still release a new official firmware soon to upgrade log4j version to 2.17.0.

4. The official firmware for Omada Controller v3.2.14 will also upgrade log4j version to 2.17.0, which will be released afterwards.

 

Add the official release for Omada Discovery Utility:

Omada Discovery Utility 5.0.8  Rlease Note >

           > upgraded log4j version to 2.16.0 to avoid remote code execution vulnerability in Apache log4j2.

 

This solution post will be actively updated as more information becomes known.

Thank you for your attention!

 

References:

https://logging.apache.org/log4j/2.x/security.html

 

CVE-2021-45105: https://www.cve.org/CVERecord?id=CVE-2021-45105

Severity: High

Base CVSS Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

 

CVE-2021-45046: https://www.cve.org/CVERecord?id=CVE-2021-45046

Severity: Critical

Base CVSS Score: 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

 

CVE-2021-44228: https://www.cve.org/CVERecord?id=CVE-2021-44228

Severity: Critical

Base CVSS Score: 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

 

Solution Updated Records:

 

  • Updated on 15th December 2021:

 

1. Add the Beta firmware for old Omada Controller v3.2.14.

2. Add the official firmware for Omada Controller v5.0.27 Windows.

 

Note: If you are using older Omada Controller, and wondering whether you can upgrade SDN Controller, you may refer to the guide below for a quick answer.

Frequently asked questions of Omada SDN solution related to upgrading and management

 

  • Updated on 16 December 2021:

 

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. So the coming official firmware will update log4j version to 2.16.0 (CVE-2021-45046).

 

  • Updated on 17 December 2021:

 

Add the official firmware for Omada Software Controller v4/v5, which updated log4j version to 2.16.0 (CVE-2021-45046)

 

  • Updated on 21 December 2021:

 

Add the official firmware for Omada SDN Controller OC200/OC300, which updated log4j version to 2.16.0 (CVE-2021-45046)

 

  • Updated on 22 December 2021:

 

Add a Kind Note:

3. Omada Controllers or Services are NOT affected by the last vulnerability (CVE-2021-45105).

But TP-Link will still release a new official firmware soon to upgrade log4j version to 2.17.0.

4. The official firmware for Omada Controller v3.2.14 will also upgrade log4j version to 2.17.0, which will be released afterwards.

 

  • Updated on 9 January 2022:

 

Add official firmware for Omada Controller v5.0.29 (Linux) and Omada Discovery Utility v5.0.8, which updated log4j version to 2.16.0 (CVE-2021-45046).

 

Best Regards!
9
9
#1
Options
59 Reply
Re:[Solution] Apache Log4j Vulnerability in Omada Controller
2021-12-13 13:21:51

@Fae 

Hi, i've upgraded from 4.4.6 to the 5.0.15 beta and it crashed my installation.

5.0.15 failed to upgrade the database. Even after a reboot of my Windows Server 2019 the error still occured.

I had to deinstall 5.0.15 clean the install folder contents and reinstalled 4.4.6 with a following restore of my backup to have the Omada Controller software running again.

FYI:

The Omada Software was not installed in its standardfolders on my server!

 

Best regards.

0
0
#2
Options
Re:[Solution] Apache Log4j Vulnerability in Omada Controller
2021-12-13 13:51:56
Thanks.  Updated through SSH without any problem.
0
0
#3
Options
Re:[Solution] Apache Log4j Vulnerability in Omada Controller
2021-12-14 01:49:58

Dear @Sum1Unknown,

 

Sum1Unknown wrote

Hi, i've upgraded from 4.4.6 to the 5.0.15 beta and it crashed my installation.

5.0.15 failed to upgrade the database. Even after a reboot of my Windows Server 2019 the error still occured.

I had to deinstall 5.0.15 clean the install folder contents and reinstalled 4.4.6 with a following restore of my backup to have the Omada Controller software running again.

FYI:

The Omada Software was not installed in its standardfolders on my server!

 

Sorry to hear that you have trouble with the 5.0.15 beta.

I tried to upgrade from 4.4.6 to the 5.0.15 beta and it goes well.

 

To address the issue, I'd like to escalate your case to the TP-Link support team for further investigation.
They will reach you via your registered email address shortly, please pay attention to your email box later.

 

Thank you so much for your cooperation and support!

Best Regards!
0
0
#4
Options
Re:[Solution] Apache Log4j Vulnerability in Omada Controller
2021-12-14 09:26:31

@Fae I have successfully updated from 4.3.5 to 4.4.6 on an Ubuntu-machine und it's fine.

 

But I've also Omada 3.2.14 running for older AP, will there be an fix also?

0
0
#5
Options
Re:[Solution] Apache Log4j Vulnerability in Omada Controller
2021-12-14 09:42:55 - last edited 2021-12-15 06:50:56

Dear @grabbman,

 

grabbman wrote

@Fae I have successfully updated from 4.3.5 to 4.4.6 on an Ubuntu-machine und it's fine.

But I've also Omada 3.2.14 running for older AP, will there be an fix also?

 

Thank you for your valued feedback.

 

There will be a fix for the local Omada Controller v3.2.14 also, I'll update the solution once the firmware is available.

 

BTW, is your Omada 3.2.14 installed on an Ubuntu-machine as well, or is it a hardware controller?

 

Update:  The beta firmware for Controller v3.2.14 has been provided, please follow the solution above. Thank you!

Best Regards!
0
0
#6
Options
Re:[Solution] Apache Log4j Vulnerability in Omada Controller
2021-12-14 11:51:53

 

Fae wrote

Dear @grabbman,

 

grabbman wrote

@Fae I have successfully updated from 4.3.5 to 4.4.6 on an Ubuntu-machine und it's fine.

But I've also Omada 3.2.14 running for older AP, will there be an fix also?

 

Thank you for your valued feedback.

 

There will be a fix for the local Omada Controller v3.2.14 also, I'll update the solution once the firmware is available.

 

BTW, is your Omada 3.2.14 installed on an Ubuntu-machine as well, or is it a hardware controller?

 

@Fae Will there be a fix for 3.2.7 also? Software controller, running on Windows. Thanks :)

0
0
#7
Options
Re:[Solution] Apache Log4j Vulnerability in Omada Controller
2021-12-14 11:58:07

@Fae 

 

I have a controler 3.2.14 on ununtu (deb files)

 

Nice if i can update this to.

0
0
#8
Options
Re:[Solution] Apache Log4j Vulnerability in Omada Controller
2021-12-14 12:27:02

@Fae 

 

Installed beta 5.0.15 (software controller om windows) updated without problems but Omada android app displays an "Omada server error" when opened.

App seems to work ok

 

The same with Omada cloud web page and controller webpage but here an "general error". Also the page seems to work ok.

 

 

 

Kind Regards

Peter

0
0
#9
Options
Re:[Solution] Apache Log4j Vulnerability in Omada Controller
2021-12-14 12:37:01

@PeterHor 

 

I do not understand why v 5.0.15 has not been removed from the download, this version has bugs, this has been known from day 1, I have been in contact with tp-link support about this error and they promised a fix in November but this has not happened yet.

 

Look at this post, 

https://community.tp-link.com/en/business/forum/topic/508242

 

0
0
#10
Options
Re:[Solution] Apache Log4j Vulnerability in Omada Controller
2021-12-14 13:30:28

@shberge 

 

When i moved to 5.0.15 before log4j patch, my APs wouldn't connect and i also had that generic error.

 

Sadly the one time i didn't create a backup was the time i actually needed it.

 

I had to rebuild everything which not fun but is fine as my database was from the old non SDN controller and had problems. Since rebuilding 5.0.15 has been working good.

 

 

0
0
#11
Options