Java log4j vulnerability - Is pfSense affected ?

qctech

@nimrod said in Java log4j vulnerability - Is pfSense affected ?:

you learn so much during that process

You certainly do. I keep thinking that I should do it again to see how the project has changed.
It is possible to just copy and paste and learn nothing so you do have to take the time to understand the commands and how things are linking together.

johnpoz

@bingo600 said in Java log4j vulnerability - Is pfSense affected ?:

How do you get informed of new releases - e-mail subscription or ??

I follow the release threads over on their forums - they send an email whenever a update comes out. So yeah I get an email whenever firmware for AP or Controller comes out.

edit: BTW just got email that controller 7.0.15 is out.. And one of the things is

"Update log4j version to 2.17.0 (CVE-2021-45105)."

bingo600

@johnpoz said in Java log4j vulnerability - Is pfSense affected ?:

edit: BTW just got email that controller 7.0.15 is out.. And one of the things is

"Update log4j version to 2.17.0 (CVE-2021-45105)."

Still not in the unifi debian repos , checked twice today.

/Bingo

johnpoz

@bingo600 I don't use the repo's I manually download from their site the package..

https://dl.ui.com/unifi/7.0.15-aa76488648/unifi_sysvinit_all.deb

bingo600

@johnpoz said in Java log4j vulnerability - Is pfSense affected ?:

https://dl.ui.com/unifi/

Still no repos update for me , but i'm on 6.5.??

Seems like there ought to come a new version soon , Apache released 2.17.1 today.

https://dlcdn.apache.org/logging/log4j/

How's the 7.x.x version ?

johnpoz

@bingo600 said in Java log4j vulnerability - Is pfSense affected ?:

How's the 7.x.x version ?

I haven't had any issues with it. I haven't seen an update for the 2.17.1 yet for the controller - will keep an eye on my emails.

mcury

I'm using the 7.0.15 version, it's running perfectly on my RPI 4b @ ubuntu server 20.04.3 LTS (GNU/Linux 5.4.0-1047-raspi aarch64)

bingo600

New fix - 2.17.1

https://thehackernews.com/2021/12/new-apache-log4j-update-released-to.html

The Apache Software Foundation (ASF) on Tuesday rolled out fresh patches to contain an arbitrary code execution flaw in Log4j that could be abused by threat actors to run malicious code on affected systems, making it the fifth security shortcoming to be discovered in the tool in the span of a month.

Tracked as CVE-2021-44832, the vulnerability is rated 6.6 in severity on a scale of 10 and impacts all versions of the logging library from 2.0-alpha7 to 2.17.0 with the exception of 2.3.2 and 2.12.4. While Log4j versions 1.x are not affected, users are recommended to upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later).

"Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code," the ASF said in an advisory. "This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2."

shinobi

from what we see across various products and devops environments most often the devs are unaware of it until shown.. log4j can be buried deep so i'm about to scan my local pfsense using latest openvas plugins.. .although im not aware of it,.. it could still be behind something else.
~If i see any hits i will return them here.

nimrod

@shinobi said in Java log4j vulnerability - Is pfSense affected ?:

from what we see across various products and devops environments most often the devs are unaware of it until shown.. log4j can be buried deep so i'm about to scan my local pfsense using latest openvas plugins.. .although im not aware of it,.. it could still be behind something else.
~If i see any hits i will return them here.

pfSense is open source software. If there was log4j module used, it would have been found / exposed and fixed by now. There are thousands of people out there checking the code. Not just Netgate. What im trying to say is, you are wasting your time.