Log4j Critical RCE

[Sky-Knight]

NVD - CVE-2021-44228

nvd.nist.gov

How critical? Well, all you have to do is send a POST request against an impacted system and it'll happily run whatever you tell it to.

Critical RCE Vulnerability: log4j - CVE-2021-44228 | Huntress

Our team is currently investigating CVE-2021-44228, a critical vulnerability that’s affecting a Java logging package.

www.huntress.com

ConnectWise and N-Able have been confirmed vulnerable. Heck, Minecraft instances are vulnerable, note this is both server AND client. Though the latter is difficult to exploit unless you're sitting at the machine in question. https://help.minecraft.net/hc/en-us...urity-Vulnerability-in-Minecraft-Java-Edition

Untangle seems to be safe, as of yet because the only instance of log4j we've found on the platform is actually too old to be used in this exploit. That and you need root access to the platform to run the payload at present. But if you're using Untangle please double check your https admin access rules and close that crap to untrusted IP addresses just in case. (Note, you should be doing this already!)

It's bad enough that Cloudflare is considering giving even free customers projection against this mess if you're using their WAF.

Here have a Twitter feed full of people testing this against all sorts of crap, smart devices, everything you can imagine. Java is everywhere of course.

https://twitter.com/x/status/1469255402290401285

Ladies and Gentlemen... START YOUR PATCHING!

A general mitigation can be done on Windows by this:

If you're using a Unifi Controller on a Windows platform somewhere... this is a good idea to get that environment variable out. I'm currently testing use of this variable on all platforms.

 

[Sky-Knight]

Found this one today: https://www.crowdstrike.com/blog/log4j2-vulnerability-analysis-and-mitigation-recommendations/

It seems that if your java runtime is dated 2019 or younger, it's got the variable that allows this bug to happen disabled by default. So the question becomes does the app you're using enable it?

There's an environment variable that can forcibly keep it off, details on that are in my original post as well as this linked article.

 

[Sky-Knight]

Unifi has released Network 6.5.54 and Protect 1.20.1 to patch Log4j vulnerabilities. Hostifi customers already have this, everyone else... start your patching!

Omada is confirmed vulnerable too, but no patch is available from TP-Link yet.

 

[Markverhyden]

Just finished checking everything and I've just got two unifi controllers to deal with.

 

[Sky-Knight]

Untangle uses log4j 1.2.16 which is a patched older version available via the Debian repos and no vulnerable to the current exploit.

 

[YeOldeStonecat]

Ubiquiti released another update to Unifi, 6.5.55

https://community.ui.com/releases/UniFi-Network-Application-6-5-55/48c64137-4a4a-41f7-b7e4-3bee505ae16e

• Update log4j version to 2.16.0 (CVE-2021-45046).

Prior 6.5.54 addressed the major exploit of last week, this one addresses a potential DoS against it...not nearly as severe, but...

And if you use Hostifi they're already rolling this out right now.

 

[Sky-Knight]

As of this moment, this is the current download: https://fw-download.ubnt.com/data/u...s-6.5.54-1ccc3edbb97f4c18bc8157cc44af4275.exe

As you can clearly see, it's still 6.5.54, so while there might be a 6.5.55 announcement it's not available for download as of yet.

Still, a DOS is better than an RCE so I'm ok waiting a day or two.

*Edit* Derp I can read, it's not a release, it's an release candidate.