Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Java log4j vulnerability - Is pfSense affected ?

    Scheduled Pinned Locked Moved General pfSense Questions
    52 Posts 20 Posters 26.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • bingo600B
      bingo600 @johnpoz
      last edited by

      @johnpoz said in Java log4j vulnerability - Is pfSense affected ?:

      @bmeeks said in Java log4j vulnerability - Is pfSense affected ?:

      the latest 6.5.54 version of the Unifi Network Application (a.ka. "Controller") is patched.

      They just released a 6.5.55 which has updated version of log4j
      "Update log4j version to 2.16.0 (CVE-2021-45046)."

      Apache released a 2.17 , so i guess we should keep an eye on unifi updates.

      How do you get informed of new releases - e-mail subscription or ??

      /Bingo

      If you find my answer useful - Please give the post a šŸ‘ - "thumbs up"

      pfSense+ 23.05.1 (ZFS)

      QOTOM-Q355G4 Quad Lan.
      CPUĀ  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
      LANĀ  : 4 x Intel 211, DiskĀ  : 240G SAMSUNG MZ7L3240HCHQ SSD

      johnpozJ 1 Reply Last reply Reply Quote 0
      • D
        darcey @bmeeks
        last edited by

        @bmeeks said

        It would depend on exactly what the triggering rule is looking for. Could be the rule is just looking for anything log4j2 related. That would mean the potential for false positives exists.

        If your logging server is well isolated and protected on your LAN or other more secure subnet, I would not immediately suspect any malicious activity in that scenario. I would investigate with maybe a few packet captures and use Google research to validate if the alerts are something that can be suppressed for the IP of your remote logging server. And obviously you would want to get any log4j2 utility on there patched up.

        I believe I partly figured out what's going on.

        To recap, I have suricata running on two interfaces (LAN and DMZ).
        LAN hosts an Elastic/log server.
        DMZ hosts a public facing webserver (NAT), with filebeat sending nginx logs to the LAN based log server.
        A rule allows this specific traffic from DMZ hosts to LAN log server.

        To cut down the noise I temporarily disabled payload logging.
        A log4j http uri arrives at the DMZ interface and is detected/blocked by suricata (legacy mode). However, at least some log4j uris make their way to the webserver. Suricata, on the LAN interface, then detects those log4j signatures in the filebeat http logging crossing the LAN interface to the logserver.
        What I haven't determined is why some log4j traffic reaches the webserver. Is this becasue they are not matched. Is it because some packets make their way through due to suricata running in legacy mode. Or are they obfuscated by https (I think I can rule this out since at least some of the requests appear not https). AISI if no log4j traffic hit the webserver, I would never see log4j alerts on the LAN.

        I'm 99% certain the webserver is not vulnerable to the log4j vulnerability and it is only configured to serve static pages. But I'm intrigued and want to understand what is happening.

        1 Reply Last reply Reply Quote 0
        • Q
          qctech @nimrod
          last edited by

          @nimrod said in Java log4j vulnerability - Is pfSense affected ?:

          you learn so much during that process

          You certainly do. I keep thinking that I should do it again to see how the project has changed.
          It is possible to just copy and paste and learn nothing so you do have to take the time to understand the commands and how things are linking together.

          1 Reply Last reply Reply Quote 1
          • johnpozJ
            johnpoz LAYER 8 Global Moderator @bingo600
            last edited by johnpoz

            @bingo600 said in Java log4j vulnerability - Is pfSense affected ?:

            How do you get informed of new releases - e-mail subscription or ??

            I follow the release threads over on their forums - they send an email whenever a update comes out. So yeah I get an email whenever firmware for AP or Controller comes out.

            edit: BTW just got email that controller 7.0.15 is out.. And one of the things is

            "Update log4j version to 2.17.0 (CVE-2021-45105)."

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            bingo600B 1 Reply Last reply Reply Quote 0
            • bingo600B
              bingo600 @johnpoz
              last edited by

              @johnpoz said in Java log4j vulnerability - Is pfSense affected ?:

              edit: BTW just got email that controller 7.0.15 is out.. And one of the things is

              "Update log4j version to 2.17.0 (CVE-2021-45105)."

              Still not in the unifi debian repos , checked twice today.

              /Bingo

              If you find my answer useful - Please give the post a šŸ‘ - "thumbs up"

              pfSense+ 23.05.1 (ZFS)

              QOTOM-Q355G4 Quad Lan.
              CPUĀ  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
              LANĀ  : 4 x Intel 211, DiskĀ  : 240G SAMSUNG MZ7L3240HCHQ SSD

              johnpozJ 1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator @bingo600
                last edited by johnpoz

                @bingo600 I don't use the repo's I manually download from their site the package..

                https://dl.ui.com/unifi/7.0.15-aa76488648/unifi_sysvinit_all.deb

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                bingo600B 1 Reply Last reply Reply Quote 1
                • bingo600B
                  bingo600 @johnpoz
                  last edited by

                  @johnpoz said in Java log4j vulnerability - Is pfSense affected ?:

                  https://dl.ui.com/unifi/

                  Still no repos update for me , but i'm on 6.5.??

                  Seems like there ought to come a new version soon , Apache released 2.17.1 today.

                  https://dlcdn.apache.org/logging/log4j/

                  How's the 7.x.x version ?

                  If you find my answer useful - Please give the post a šŸ‘ - "thumbs up"

                  pfSense+ 23.05.1 (ZFS)

                  QOTOM-Q355G4 Quad Lan.
                  CPUĀ  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                  LANĀ  : 4 x Intel 211, DiskĀ  : 240G SAMSUNG MZ7L3240HCHQ SSD

                  johnpozJ 1 Reply Last reply Reply Quote 0
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator @bingo600
                    last edited by

                    @bingo600 said in Java log4j vulnerability - Is pfSense affected ?:

                    How's the 7.x.x version ?

                    I haven't had any issues with it. I haven't seen an update for the 2.17.1 yet for the controller - will keep an eye on my emails.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                    M 1 Reply Last reply Reply Quote 0
                    • M
                      mcury @johnpoz
                      last edited by

                      I'm using the 7.0.15 version, it's running perfectly on my RPI 4b @ ubuntu server 20.04.3 LTS (GNU/Linux 5.4.0-1047-raspi aarch64)

                      dead on arrival, nowhere to be found.

                      1 Reply Last reply Reply Quote 0
                      • bingo600B
                        bingo600
                        last edited by bingo600

                        New fix - 2.17.1

                        https://thehackernews.com/2021/12/new-apache-log4j-update-released-to.html

                        The Apache Software Foundation (ASF) on Tuesday rolled out fresh patches to contain an arbitrary code execution flaw in Log4j that could be abused by threat actors to run malicious code on affected systems, making it the fifth security shortcoming to be discovered in the tool in the span of a month.

                        Tracked as CVE-2021-44832, the vulnerability is rated 6.6 in severity on a scale of 10 and impacts all versions of the logging library from 2.0-alpha7 to 2.17.0 with the exception of 2.3.2 and 2.12.4. While Log4j versions 1.x are not affected, users are recommended to upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later).

                        "Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code," the ASF said in an advisory. "This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2."

                        If you find my answer useful - Please give the post a šŸ‘ - "thumbs up"

                        pfSense+ 23.05.1 (ZFS)

                        QOTOM-Q355G4 Quad Lan.
                        CPUĀ  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                        LANĀ  : 4 x Intel 211, DiskĀ  : 240G SAMSUNG MZ7L3240HCHQ SSD

                        1 Reply Last reply Reply Quote 0
                        • S
                          shinobi
                          last edited by

                          from what we see across various products and devops environments most often the devs are unaware of it until shown.. log4j can be buried deep so i'm about to scan my local pfsense using latest openvas plugins.. .although im not aware of it,.. it could still be behind something else.
                          ~If i see any hits i will return them here.

                          N 1 Reply Last reply Reply Quote 0
                          • N
                            nimrod @shinobi
                            last edited by

                            @shinobi said in Java log4j vulnerability - Is pfSense affected ?:

                            from what we see across various products and devops environments most often the devs are unaware of it until shown.. log4j can be buried deep so i'm about to scan my local pfsense using latest openvas plugins.. .although im not aware of it,.. it could still be behind something else.
                            ~If i see any hits i will return them here.

                            pfSense is open source software. If there was log4j module used, it would have been found / exposed and fixed by now. There are thousands of people out there checking the code. Not just Netgate. What im trying to say is, you are wasting your time.

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.