Apache Log4j Vulnerability in Omada Controller - Updated on May 18, 2022 [Case Closed]

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Re:[Solution] Apache Log4j Vulnerability in Omada Controller
2021-12-14 13:35:13

@shberge Thanks for the info 

@Fae  A warning about this version would have been very nice!

#12
Re:[Solution] Apache Log4j Vulnerability in Omada Controller
2021-12-14 13:48:59

@johnsnow88

I upgraded from 4.4.6 to 5.0.15 and have a backup; this backup doesn't work after the upgrade. When I downgrade to 4.4.6 and do a restore, all devices say they were managed by other.

And this was a multi-site controller with sites on the same IP network; because of the similar IP network it was unable to identify which site they belong to, and everything was a mess.

I used 1 day to fix this disaster.

#13
Re:[Solution] Apache Log4j Vulnerability in Omada Controller
2021-12-14 14:06:43

@Fae it is also installed on Ubuntu. 

#14
Re:[Solution] Apache Log4j Vulnerability in Omada Controller
2021-12-14 15:27:36

@Fae

Would there be a solution for version 4.3.5? I'm stuck with this version for now... log4shell scanning tool says:

3:21PM INF identified vulnerable path fileName=org/apache/logging/log4j/core/net/JndiManager.class path=/opt/tplink/EAPController/lib/log4j-core-2.8.2.jar versionInfo="log4j 2.8.2"
3:21PM INF identified vulnerable path fileName=org/apache/logging/log4j/core/net/JndiManager$JndiManagerFactory.class path=/opt/tplink/EAPController/lib/log4j-core-2.8.2.jar versionInfo="log4j 2.8.2"
3:21PM INF identified vulnerable path fileName=org/apache/logging/log4j/core/pattern/MessagePatternConverter.class path=/opt/tplink/EAPController/lib/log4j-core-2.8.2.jar versionInfo="log4j 2.8.2"
3:21PM INF identified vulnerable path fileName=org/apache/logging/log4j/core/net/JndiManager$1.class path=/opt/tplink/EAPController/lib/log4j-core-2.8.2.jar versionInfo="log4j 2.8.2-2.12.0"

 

Kindest Regards

#15
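An added example, not part of the post above and not the scanning tool it quotes or TP-Link's code: a small inventory script that looks inside an archive, including jars bundled within other jars, for the class files named in the scanner output and reads the log4j-core version from its Maven metadata. The sample archive is constructed in memory and the function names are hypothetical; the script reports what is present, and whether that version is affected is decided against the vendor advisory.

```python
import io
import re
import zipfile

# Class files named in the scanner output quoted in the post above.
REPORTED_CLASSES = (
    "org/apache/logging/log4j/core/net/JndiManager.class",
    "org/apache/logging/log4j/core/net/JndiManager$JndiManagerFactory.class",
    "org/apache/logging/log4j/core/net/JndiManager$1.class",
    "org/apache/logging/log4j/core/pattern/MessagePatternConverter.class",
)
# Maven metadata inside the log4j-core jar; more reliable than the file name.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def scan_archive(data, label, findings=None):
    """Inspect an archive given as bytes, descending into nested archives."""
    findings = [] if findings is None else findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive (or corrupt): nothing to report
    with zf:
        names = sorted(zf.namelist())
        hits = [n for n in names if n in REPORTED_CLASSES]
        if hits:
            version = "unknown"
            if POM_PROPS in names:
                props = zf.read(POM_PROPS).decode("utf-8", "replace")
                match = re.search(r"^version=(\S+)", props, re.M)
                version = match.group(1) if match else version
            findings.append({"path": label, "version": version, "classes": hits})
        for name in names:
            if name.lower().endswith((".jar", ".war", ".ear")):
                scan_archive(zf.read(name), f"{label}!/{name}", findings)
    return findings

def make_jar(entries):
    """Build a constructed sample archive in memory from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    # Constructed sample: log4j-core 2.8.2 bundled inside an application jar.
    core = make_jar({POM_PROPS: "artifactId=log4j-core\nversion=2.8.2\n",
                     REPORTED_CLASSES[0]: b"\xca\xfe\xba\xbe"})
    fat = make_jar({"lib/log4j-core-2.8.2.jar": core, "app/Main.class": b""})
    return scan_archive(fat, "constructed-app.jar")
```

To check a real file, pass its bytes and path, for example `scan_archive(open(path, "rb").read(), path)`.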
Re:[Solution] Apache Log4j Vulnerability in Omada Controller
2021-12-14 15:49:03
I didn't create a backup before the upgrade; once I updated, I then created a backup hoping to import it back to 4.4.4, but yeah, that didn't work either.
#16
Re:[Solution] Apache Log4j Vulnerability in Omada Controller
2021-12-14 20:02:17

@Fae

When can we expect a full release?

Something as critical as this can't be put out as a "beta." If used in production we need these fixed and we can't push through a change for a beta release.

#17
Re:[Solution] Apache Log4j Vulnerability in Omada Controller
2021-12-14 20:02:32

@Fae

I am running an OC200 old version because I need to support EAP245 v1 devices.

Will there be a fix for this as well?

#18
Re:[Solution] Apache Log4j Vulnerability in Omada Controller
2021-12-15 08:11:21

Dear @Bazz_Choc,

 

Bazz_Choc wrote

Will there be a fix for 3.2.7 also? Software controller, running on Windows. Thanks :)

 

For Omada Controller v3 or below, the fix will be based on the latest controller v3.2.14.

 

If you are using the controller v3 to manage some old APs, please feel free to install the controller v3.2.14.

 

I've updated the solution with the Beta firmware of Controller v3, and the official firmware will be available soon.

>> Omada EAP Firmware Trial Available Here << *Try filtering posts on each forum by Label of [Early Access]*
#19
Re:[Solution] Apache Log4j Vulnerability in Omada Controller
2021-12-15 08:17:09

Dear @shberge, @PeterHor,

 

shberge wrote

I do not understand why v 5.0.15 has not been removed from the download, this version has bugs, this has been known from day 1, I have been in contact with tp-link support about this error and they promised a fix in November but this has not happened yet.

Look at this post, 

https://community.tp-link.com/en/business/forum/topic/508242

 

Sorry for any trouble caused.

 

As far as I know, there are some new issues to be fixed urgently, so the new release planned in November has been delayed.

 

I've provided the official firmware in the solution, which has fixed the "general error" issue mentioned here.

 

Omada_Controller_V5.0.27_Windows

#20
Re:[Solution] Apache Log4j Vulnerability in Omada Controller
2021-12-15 08:39:16 - last edited 2021-12-15 08:41:11

Dear @TIJIBA-InaipYuc,

 

TIJIBA-InaipYuc wrote

Would there be a solution for version 4.3.5? I'm stuck with this version for now... log4shell scanning tool says:

 

I'm afraid that the solution is for the latest controller version.

The latest controller version has fixed some issues and optimized some features; we advise installing the latest version for use.

 

Kind note:

If you are using the Windows Omada Controller, you may follow this solution to install the official firmware V5.0.27 directly.

Please remember to back up the current settings whenever you upgrade the firmware for your products, just in case.

#21