Log4j and Unifi

Lots of Unifi users on here so I thought I would post the latest. Earlier versions of the network controller do appear to be vulnerable but the latest is not.

https://community.ui.com/releases/UniFi-Network-Application-6-5-54/d717f241-48bb-4979-8b10-99db36ddabe1

1 Like

Same thing???

Unless I misread, that post is specific to HE. Mine is specific to Unifi. Did I misunderstand?

I haven't got a clue about either, hence my comment was followed by a few ?????

LOL oh sorry, I misunderstood. The Log4j vulnerability affects many applications and devices across the internet, from corporate apps to IoT devices. HE was very quick to publish a fix, as was Unifi. The vulnerability allows a hacker to gain access to systems that are vulnerable and execute code on them. It's a nasty one because this particular Java library is in such wide use and the exploit is pretty simple.

1 Like

Both are pointing back to the same vulnerability... in a library that is widely used. You should find something about this vulnerability on every software vendor's site somewhere.

Lots of "hair-on-fire" reactions too.

It's a logging library and thus any software that logs anything will have the potential to be using this code. The exploit is in the wild and thus most internet connections are seeing hundreds if not thousands of attempts. Thus the 'hair-on-fire' reaction by those that are hoping someone else is patching for them. :smiley:

1 Like

Anybody have any idea if the Docker version has been updated?

The "hair on fire" reaction is entirely appropriate, given the severity of this bug. The requirements to exploit it are extremely simple, and the damage you can do with it is nearly unlimited.

This is the most severe security vulnerability on the internet since at least 2014 (Shellshock).

Update all your things. Now.

3 Likes