Solution Apache Log4j Vulnerability in Omada Controller - Updated on May 18, 2022 [Case Closed]
This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Hi All,
TP-Link is aware of the vulnerability in Apache Log4j used in Omada Controller (CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints).
Affected Products/Services:
Omada Cloud Services
Omada Controller (Windows)
Omada Controller (Linux)
Omada Controller OC200
Omada Controller OC300
Omada Discovery Utility
Kind note: Pharos Control is not affected.
Available Solutions:
So far, the TP-Link team has fixed the vulnerability on the cloud platforms, including Omada Cloud-Access.
For Local Omada Controllers, you may install the Beta firmware below for an emergency solution.
Omada SDN Controller:
Omada_Controller_V5.0.15_Windows (Beta)
Omada_Controller_V4.4.6_Linux_x64.tar (Beta)
Omada_Controller_V4.4.6_Linux_x64.deb (Beta)
OC200(UN)_V1_1.14.1_20211213 (Beta) -- Built-in Omada Controller v5.0.21
OC300(UN)_V1_1.2.4_20211213 (Beta) -- Built-in Omada Controller v4.4.6
Omada Controller V3.2.14:
Omada_Controller_V3.2.15_Windows_32bit (Beta)
Omada_Controller_V3.2.15_Windows_64bit (Beta)
Omada_Controller_V3.2.15_Linux_x64.tar (Beta)
Omada_Controller_V3.2.15_Linux_x64.deb (Beta)
OC200(UN)_V1_1.2.5_Build 20211214 (Beta)
Note: The Beta firmware provided above has updated log4j version to 2.15.0 to fix the original vulnerability (CVE-2021-44228).
Here are the official releases for Omada SDN Controllers to fix the vulnerability:
Omada_Controller_V4.4.8_Linux_x64.tar Release Note >
Omada_Controller_V4.4.8_Linux_x64.deb Release Note >
Omada_Controller_V5.0.30_Windows Release Note >
Omada_Controller_V5.0.30_Linux_x64.tar Release Note >
Omada_Controller_V5.0.30_Linux_x64.deb Release Note >
OC200(UN)_V1_1.14.3 Build 20220112 Release Note > Built-in Omada Controller v5.0.30
OC300(UN)_V1_1.7.1 Build 20220112 Release Note > Built-in Omada Controller v5.0.30
Kind Note:
1. The Official firmware provided above has updated log4j version to 2.16.0 to fix the followed vulnerability (CVE-2021-45046).
2. Omada Controllers or Services are NOT affected by the last vulnerability (CVE-2021-45105).
But TP-Link still released a new official firmware to upgrade log4j version to 2.17.0.
The following Omada SDN Controller v5 has upgraded log4j version to 2.17.0:
Omada_Controller_v5.1.7_Linux_x64.tar.gz Full Release Note >
Omada_Controller_v5.1.7_Linux_x64.deb Full Release Note >
Omada_Controller_v5.1.7_Windows Full Release Note >
OC200(UN)_V1_1.15.2_20220323 Full Release Note > Built-in Omada Controller v5.1.7
OC200(UN)_V2_2.1.2_20220323 Full Release Note > Built-in Omada Controller v5.1.7
OC300(UN)_V1_1.8.2 Build 20220411 Full Release Note > Built-in Omada Controller v5.1.8
The following Omada Controller v3 has upgraded log4j version to 2.17.0:
Omada_Controller_V3.2.16_Windows_32bit Release Note >
Omada_Controller_v3.2.16_Windows_64bit Release Note >
Omada_Controller_v3.2.16_Linux_x64.deb Release Note >
Omada_Controller_V3.2.16_Linux_x64.tar Release Note >
OC200(UN)_V1_1.2.6_Build 20211230 Release Note >
The following Omada Discovery Utility version has upgraded log4j version to 2.16.0:
Omada Discovery Utility 5.0.8 Release Note >
> upgraded log4j version to 2.16.0 to avoid remote code execution vulnerability in Apache log4j2.
This solution post has been updated completely by May 18, 2022.
Thank you for your attention!
References:
Solution Updated Records:
- Updated on 15th December 2021:
1. Add the Beta firmware for old Omada Controller v3.2.14.
2. Add the official firmware for Omada Controller v5.0.27 Windows.
Note: If you are using older Omada Controller, and wondering whether you can upgrade SDN Controller, you may refer to the guide below for a quick answer.
Frequently asked questions of Omada SDN solution related to upgrading and management
- Updated on 16 December 2021:
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. So the coming official firmware will update log4j version to 2.16.0 (CVE-2021-45046).
- Updated on 17 December 2021:
Add the official firmware for Omada Software Controller v4/v5, which updated log4j version to 2.16.0 (CVE-2021-45046)
- Updated on 21 December 2021:
Add the official firmware for Omada SDN Controller OC200/OC300, which updated log4j version to 2.16.0 (CVE-2021-45046)
- Updated on 22 December 2021:
Add a Kind Note:
3. Omada Controllers or Services are NOT affected by the last vulnerability (CVE-2021-45105).
But TP-Link will still release a new official firmware soon to upgrade log4j version to 2.17.0.
4. The official firmware for Omada Controller v3.2.14 will also upgrade log4j version to 2.17.0, which will be released afterwards.
- Updated on 9 January 2022:
Add official firmware for Omada Controller v5.0.29 (Linux) and Omada Discovery Utility v5.0.8, which updated log4j version to 2.16.0 (CVE-2021-45046).
- Updated on 26 January 2022:
Add official firmware for Omada Software Controller v3.2.16, which updated log4j version to 2.17.0.
- Updated on 10 February 2022:
Add official firmware for Omada Hardware Controller OC200 with built-in Controller v3.2.16, which updated log4j version to 2.17.0.
Replaced the Omada Controller v5.0.29 firmware with the Controller v5.0.30 (it's the later version which has fixed some issues came from v5.0.29).
- Updated on 7 May 2022:
Add official firmware for Omada Software Controller v5.1.7 and OC200 with built-in Controller v5.1.7, which updated log4j version to 2.17.0.
- Updated on 18 May 2022:
Add official firmware for OC300 with built-in Controller v5.1.8, which updated log4j version to 2.17.0.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Dear @ggeoffreyyy,
ggeoffreyyy wrote
When can we expects a full release?
Something as critical as this can't be put out as a "beta." If used in production we need these fixed and we can't push through a change for a beta release.
The official release is on the way, will be published soon. Please wait patiently.
Actually, the Beta firmware has been tested and confirmed to be effective, it just hasn't gone through an internal review process for official release (which takes a long time). If you are looking for an urgent solution, the Beta firmware can also be a reliable option.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Installed the update successfully on Ubuntu over SSH, sad that the controller won't start anymore. Reboot of my system didn't help :(
Edit: Uninstalled curl which also uninstalled omadac. Did a fresh install of the 4.4.6 deb-file using 'dpkg -i' and now it's back up. Lost all my settings though but luckily I took some back-ups out of the autobackup-folder before doing this. Now it's all working again :)
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
@Fae For the OC200 and OC300, two questions:
- Is there a workaround OTHER than the beta patch? (the numerous failures reported here do not inspire confidence)
- Is there any idea what "soon" might be for non-beta firmware?
- Can the access points (and for my home installation: router and switches) continue to run if the controller is taken offline until a non-beta fix is supplied?
- Copy Link
- Report Inappropriate Content
Hi,
Be aware that Omada SDN 4.4.6 BETA (Omada_SDN_Controller_v4.4.6_beta_linux_x64_20211213180823) embeds log4j 2.15 which is known to still be vulnerable
/opt/tplink/EAPController/lib/log4j-slf4j-impl-2.15.0.jar
/opt/tplink/EAPController/lib/log4j-api-2.15.0.jar
/opt/tplink/EAPController/lib/log4j-core-2.15.0.jar
Log4j 2.15 addresses part of CVE-2021-44228 but is still vulnerable to derivatives ; these are referred in CVE-2021-45046
https://logging.apache.org/log4j/2.x/security.html
TPLink, please do not release the "fixed" version unless you upgraded log4j to 2.16.0 and please release a beta2 version.
Regards.
- Copy Link
- Report Inappropriate Content
Unifi was super fast this time to, I have alredy upgraded a bunch of unifi controllers. with CVE-2021-45046 patch, @Fae when can we eksept this update from TP-LINK?
Lets hope this is end of Log4j patch
- Copy Link
- Report Inappropriate Content
Dear @johnsnow88, @JustAnotherDave, @caramb, @shberge,
shberge wrote
with CVE-2021-45046 patch, @Fae when can we except this update from TP-LINK?
Lets hope this is end of Log4j patch
The coming official firmware will update log4j version to 2.16.0 (CVE-2021-45046).
FYI, the final fix for Omada SDN Controller_Windows/Linux is expected to be released this week.
And Omada SDN Controller OC200/OC300 may be released earlier next week (two or three days later).
(The test projects of Hardware Controller is a bit more than the Software Controller, so it will take more time.)
Note: the final release date is subject to the actual release of the official firmware.
The official firmware release is already being expedited, but it still needs some time to conduct the full tests first, hope you understand.
Thank you for your great patience and understanding!
- Copy Link
- Report Inappropriate Content
Dear @JustAnotherDave,
JustAnotherDave wrote
For the OC200 and OC300, two questions:
- Is there a workaround OTHER than the beta patch? (the numerous failures reported here do not inspire confidence)
- Is there any idea what "soon" might be for non-beta firmware?
- Can the access points (and for my home installation: router and switches) continue to run if the controller is taken offline until a non-beta fix is supplied?
The official firmware will be released soon (I assume earlier next week). Please wait patiently.
If the controller is offline(unplugged), the Omada devices can still work with basic functions, but some advanced features will not take effect.
For more details, please kindly check the article below (it applied to all Omada Devices including the router and switch).
Will the Configuration Still Work with EAPs When the Omada Controller Goes Offline?
- Copy Link
- Report Inappropriate Content
FWIW, I have Omada_Controller_V5.0.27_Windows installed now and it's MUCH faster/more responsive than previous releases. Pages seem to load twice as fast as they did even under 5.0.15. Not sure what else they updated/fixed in the release but something created a nice performance boost. Hope it sticks!
- Copy Link
- Report Inappropriate Content
Information
Helpful: 11
Views: 37020
Replies: 66
Voters 9
