PSA: UniFi Network and Log4j

I know there are several users here with UI networking equipment, so I thought I would post this here. UI today issued a security advisory addressing CVE-2021-44228.

In short, all versions of the UniFi Network Controller prior to 6.5.54 are affected. If you have not updated your network controller to 6.5.54 yet, you may want to do so as soon as possible.

(As usual, this is an update to the network management application itself, and does not affect the devices themselves. You should not experience any downtime across your UI devices.)


You can also just update the log4j without updating the controller. I think leonardogyn posted a step-by-step in the UniFi community topics. I did it a few days ago and it was simple. Basically, just get the new log4j .jar files and move them to [install dir]/unifi/lib. Then stop the controller, remove the older version .jar, create symlinks, and start the controller again.

He went over it in the second post here:
https://community.ui.com/questions/UniFi-Controller-security-concern-zero-day-Log4j-exploit/007103a6-823b-4316-ae76-17942539208c

I'm still on 6.0.45.0 (with updated log4j). I like the interface better.

EDIT: The new controller is lacking in a few areas. The graphs and data shown are only complete if using a UDM-Pro. USG-Pro users have useless and blank areas of the dashboard. It also puts some settings in the new UI that aren't accessible in the old UI and vice versa. As a happy USG-Pro user, I have the interface I want that is fully compatible with my devices. It is a working interface with which I am familiar, and I don't want to push to a new controller until Ubiquiti makes one that fully works with my hardware. There are multiple ways to patch the log4j and it is all over the UI forums. All I am saying is that if someone, like me, is uncomfortable with 6.5, there are other solutions to mitigate this issue.
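Whichever route you take (6.5.54 or swapping the jars by hand as described above), it is worth verifying what actually ended up in the lib directory. The script below is an added example, not code from the thread or from Ubiquiti: it follows the symlinks the manual workaround creates, reads the log4j-core version from the resolved file name, and checks whether the JndiLookup class (the component behind CVE-2021-44228) is still inside the jar. The jar naming pattern and the [install dir]/unifi/lib layout are assumptions, and the sample jars it builds are constructed for the demo.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# CVE-2021-44228 was fixed upstream in log4j-core 2.15.0; JndiLookup is the
# class that performs the JNDI lookup and was removed entirely in 2.16.0.
FIXED = (2, 15, 0)
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(name):
    """Version tuple from a jar name such as log4j-core-2.13.3.jar, else None."""
    m = re.search(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$", name)
    return tuple(int(x) for x in m.groups()) if m else None


def inspect_jar(path):
    """Describe one log4j-core jar: version, JndiLookup presence, verdict."""
    path = Path(path).resolve()  # follow the symlinks the workaround creates
    version = parse_version(path.name)
    with zipfile.ZipFile(path) as jar:
        has_jndi = JNDI_CLASS in jar.namelist()
    # Unknown version with the lookup class still present is treated as unpatched.
    vulnerable = has_jndi and (version is None or version < FIXED)
    return {"file": path.name, "version": version,
            "jndi_lookup": has_jndi, "vulnerable": vulnerable}


def scan_lib_dir(lib_dir):
    """Inspect every log4j-core jar (or symlink to one) in the controller's lib dir."""
    return [inspect_jar(p) for p in sorted(Path(lib_dir).glob("log4j-core-*.jar"))]


def build_sample_lib(lib_dir):
    """Constructed sample: one unpatched jar and one jar without the lookup class."""
    lib_dir = Path(lib_dir)
    with zipfile.ZipFile(lib_dir / "log4j-core-2.13.3.jar", "w") as jar:
        jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    with zipfile.ZipFile(lib_dir / "log4j-core-2.16.0.jar", "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")


def demo():
    """Build the constructed sample in a temp dir and return the scan results."""
    lib_dir = Path(tempfile.mkdtemp())
    build_sample_lib(lib_dir)
    return scan_lib_dir(lib_dir)


if __name__ == "__main__":
    for entry in demo():  # point scan_lib_dir at [install dir]/unifi/lib for a real check
        print(entry)
```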

No offense, but other than needing to run out of date or unsupported versions of Java, why would you recommend a piecemeal attempt to rectify the security vulnerability?

If you are a security professional and can mitigate this zero-day on your own, this post is pointless. If you're not, it's informational, and you should follow the guidance of your systems' providers.

If you are in between, please do not follow the post above, which points to a piecemeal means to mitigate your issues.

Either follow your manufacturer's response, or you have already done so. Don't mitigate it on your own.

And you: @djcastaldo why are you injecting FUD into a very concerning situation?! Log4j is the Y2K of the modern era, with greater consequences!