Java log4j vulnerability - Is pfSense affected ?
-
It's just occurred to me, the logging of these alerts triggers more of the very same alerts! Is it the case suricata rolls off alerting/logging, hence the pattern seen in the logging volume?
I'm guessing I need to disable my remote syslogging of suricata eve to logstash or disable some of those CVE-2021-44228 rules. -
@darcey said in Java log4j vulnerability - Is pfSense affected ?:
It's just occurred to me, the logging of these alerts triggers more of the very same alerts! Is it the case suricata rolls off alerting/logging, hence the pattern seen in the logging volume?
I'm guessing I need to disable my remote syslogging of suricata eve to logstash or disable some of those CVE-2021-44228 rules.It would depend on exactly what the triggering rule is looking for. Could be the rule is just looking for anything
log4j2related. That would mean the potential for false positives exists.If your logging server is well isolated and protected on your LAN or other more secure subnet, I would not immediately suspect any malicious activity in that scenario. I would investigate with maybe a few packet captures and use Google research to validate if the alerts are something that can be suppressed for the IP of your remote logging server. And obviously you would want to get any
log4j2utility on there patched up. -
While NOT pfSense related
There's a list of possible vulnerable products here.
https://github.com/YfryTchsGD/Log4jAttackSurfaceI have two of these installed , on "Other servers"
And have "patched/updated both"
None of these are exposed to the "Outside" , but fixed anyway.
I know a few others here are using Unifi ...
/Bingo
If you find my answer useful - Please give the post a š - "thumbs up"
pfSense+ 23.05.1 (ZFS)QOTOM-Q355G4 Quad Lan.
CPUĀ : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
LANĀ : 4 x Intel 211, DiskĀ : 240G SAMSUNG MZ7L3240HCHQ SSD -
@bingo600 said in Java log4j vulnerability - Is pfSense affected ?:
I know a few others here are using Unifi
Yeah I updated to 6.5.54 from .53 as soon as it came out. I normally do anyway.
-
@bingo600 said in Java log4j vulnerability - Is pfSense affected ?:
While NOT pfSense related
I know a few others here are using Unifi .../Bingo
Yes, the latest 6.5.54 version of the Unifi Network Application (a.ka. "Controller") is patched. Just installed it on my system this morning. It was released on December 11th, I believe.
-
@bingo600
Another list, seems comprehensive from teh Dutch Cyber Security folks.https://github.com/NCSC-NL/log4shell/tree/main/software
-
@mer said in Java log4j vulnerability - Is pfSense affected ?:
@bingo600
Another list, seems comprehensive from teh Dutch Cyber Security folks.https://github.com/NCSC-NL/log4shell/tree/main/software
Thanx .. looks good
-
@nimrod Thank you for your question. The recent log4j Java library vulnerability does not affect pfSense software. Neither pfSense Plus nor CE software use Java. Additionally, neither Java nor log4j are available to install manually on pfSense software from Netgate package servers.
-
Sense
Project
@pfsense
The recent log4j Java library vulnerability does not affect pfSense software. Neither pfSense Plus nor CE software use Java.
5:03 PM Ā· Dec 13, 2021
[https://twitter.com/pfsense/status/1470514844717699080](link url) -
Just to make sure, and verify this is not in anything on my pFsense I ran the below command, if you have a lot of packages on yours you could do the same.
find -L / -iname 'log4j'
Nothing was found, thankfully. At my work, that is another story, it is EVERYWHERE :(. -
@bmeeks said in Java log4j vulnerability - Is pfSense affected ?:
the latest 6.5.54 version of the Unifi Network Application (a.ka. "Controller") is patched.
They just released a 6.5.55 which has updated version of log4j
"Update log4j version to 2.16.0 (CVE-2021-45046)."An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11 -
@bmeeks said in Java log4j vulnerability - Is pfSense affected ?:
I could possibly be properly called a "curmudgeon"
I feel that I'm in good company. I'm not quite at retirement age yet but totally agree about the current state of adding module on top of module on top of module without any real knowledge of where it's all coming from.
At some point, you have to trust other peoples code but it's getting a bit out of hand.
I built Linux From Scratch systems 20 years ago when I had more time and inclination but really don't have time for it now.
It's great that we have got lots of confirmation from both the knowledgeable members of the community and from Netgate direct. Times like these show the good that open source and community can give.
-
I moved to FreeBSD, but im still tempted to start building LFS because you learn so much during that process.
-
@johnpoz said in Java log4j vulnerability - Is pfSense affected ?:
@bmeeks said in Java log4j vulnerability - Is pfSense affected ?:
the latest 6.5.54 version of the Unifi Network Application (a.ka. "Controller") is patched.
They just released a 6.5.55 which has updated version of log4j
"Update log4j version to 2.16.0 (CVE-2021-45046)."Apache released a 2.17 , so i guess we should keep an eye on unifi updates.
How do you get informed of new releases - e-mail subscription or ??
/Bingo
If you find my answer useful - Please give the post a š - "thumbs up"
pfSense+ 23.05.1 (ZFS)QOTOM-Q355G4 Quad Lan.
CPUĀ : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
LANĀ : 4 x Intel 211, DiskĀ : 240G SAMSUNG MZ7L3240HCHQ SSD -
@bmeeks said
It would depend on exactly what the triggering rule is looking for. Could be the rule is just looking for anything
log4j2related. That would mean the potential for false positives exists.If your logging server is well isolated and protected on your LAN or other more secure subnet, I would not immediately suspect any malicious activity in that scenario. I would investigate with maybe a few packet captures and use Google research to validate if the alerts are something that can be suppressed for the IP of your remote logging server. And obviously you would want to get any
log4j2utility on there patched up.I believe I partly figured out what's going on.
To recap, I have suricata running on two interfaces (LAN and DMZ).
LAN hosts an Elastic/log server.
DMZ hosts a public facing webserver (NAT), with filebeat sending nginx logs to the LAN based log server.
A rule allows this specific traffic from DMZ hosts to LAN log server.To cut down the noise I temporarily disabled payload logging.
A log4j http uri arrives at the DMZ interface and is detected/blocked by suricata (legacy mode). However, at least some log4j uris make their way to the webserver. Suricata, on the LAN interface, then detects those log4j signatures in the filebeat http logging crossing the LAN interface to the logserver.
What I haven't determined is why some log4j traffic reaches the webserver. Is this becasue they are not matched. Is it because some packets make their way through due to suricata running in legacy mode. Or are they obfuscated by https (I think I can rule this out since at least some of the requests appear not https). AISI if no log4j traffic hit the webserver, I would never see log4j alerts on the LAN.I'm 99% certain the webserver is not vulnerable to the log4j vulnerability and it is only configured to serve static pages. But I'm intrigued and want to understand what is happening.
-
@nimrod said in Java log4j vulnerability - Is pfSense affected ?:
you learn so much during that process
You certainly do. I keep thinking that I should do it again to see how the project has changed.
It is possible to just copy and paste and learn nothing so you do have to take the time to understand the commands and how things are linking together. -
@bingo600 said in Java log4j vulnerability - Is pfSense affected ?:
How do you get informed of new releases - e-mail subscription or ??
I follow the release threads over on their forums - they send an email whenever a update comes out. So yeah I get an email whenever firmware for AP or Controller comes out.
edit: BTW just got email that controller 7.0.15 is out.. And one of the things is
"Update log4j version to 2.17.0 (CVE-2021-45105)."
-
@johnpoz said in Java log4j vulnerability - Is pfSense affected ?:
edit: BTW just got email that controller 7.0.15 is out.. And one of the things is
"Update log4j version to 2.17.0 (CVE-2021-45105)."
Still not in the unifi debian repos , checked twice today.
/Bingo
-
@bingo600 I don't use the repo's I manually download from their site the package..
https://dl.ui.com/unifi/7.0.15-aa76488648/unifi_sysvinit_all.deb
-
@johnpoz said in Java log4j vulnerability - Is pfSense affected ?:
https://dl.ui.com/unifi/
Still no repos update for me , but i'm on 6.5.??
Seems like there ought to come a new version soon , Apache released 2.17.1 today.
https://dlcdn.apache.org/logging/log4j/
How's the 7.x.x version ?
