C4 Forums | Control4

Log4j vulnerable?


Dueport



For my personal use and scanning my home network, I use OpenVAS community edition. It's free, but the VM needs to be cycled every once in a while since the OS does not update with the free version.

For work, we use Acunetix and Nessus; both have the ability to scan for the vulnerability just like OpenVAS. The only places we identified the vulnerability were in Composer and some back-end servers not exposed to the public. All of that is currently being worked on or has been fixed.


58 minutes ago, Dunamivora said:

For my personal use and scanning my home network, I use OpenVAS community edition. It's free, but the VM needs to be cycled every once in a while since the OS does not update with the free version.

For work, we use Acunetix and Nessus; both have the ability to scan for the vulnerability just like OpenVAS. The only places we identified the vulnerability were in Composer and some back-end servers not exposed to the public. All of that is currently being worked on or has been fixed.

Thank you @Dunamivora - this looks like a good project to explore. Really appreciate the recommendations. 


FYI - I found this statement on the Control4 web site.

LOG4J VULNERABILITY RESPONSE
Dear Partner,
On Friday, Dec 10, a vulnerability in the “Log4j” Java library was announced (CVE-2021-44228).
An initial audit of our systems and applications indicates that the vulnerability is not present in
any Snap One mobile application or product.

Snap One’s usage of the affected “Log4j” library is limited to internal, backend services. Based
on available information, we have no indication that the vulnerability has been exploited within
our organization and are confident that there is no impact to customer data.

The security of our products is a top priority and critical to our ongoing commitment to foster
trust and transparency for our customers.

Snap One continues to monitor our systems and applications, as well as information provided
by CISA (Cybersecurity and Infrastructure Security Agency), threat intelligence and other
vendors for new information, and we will continue to take prompt action as necessary.

Snap One Cybersecurity Team


5 hours ago, Riverguy said:

FYI - I found this statement on the Control4 web site.

LOG4J VULNERABILITY RESPONSE
vulnerability is not present in any Snap One mobile application or product.
Snap One's usage of the affected "Log4j" library is limited to internal, backend services.

So it's not in the application, but it is in the backend services?

I understand what you're trying to say, but it might need a bit of a tweak.

3 minutes ago, ekohn00 said:

So it's not in the application, but it is in the backend services?

I understand what you're trying to say, but it might need a bit of a tweak.

Internal, backend services would be employee tools, nothing that concerns customers and customer services.


Just now, ekohn00 said:

And customer tools never get compromised in order to gain control of a network... (sarcasm, in case you can't tell)

???

I would understand the sarcasm if it made sense.

No customer tools, software, or services were impacted.

The only issues were internal tools unrelated to anything to do with customers.


15 minutes ago, zaphod said:

But for those of us on Unifi there is a vulnerability in the Unifi Controller software. You need to upgrade to the latest release or manually upgrade the log4j jar files.

I didn't see anything for the controller, but the network app... simple upgrade...

https://community.ui.com/releases/Security-Advisory-Bulletin-023-023/808a1db0-5f8e-4b91-9097-9822f3f90207


5 minutes ago, Dunamivora said:

???

I would understand the sarcasm if it made sense.

No customer tools, software, or services were impacted.

The only issues were internal tools unrelated to anything to do with customers.

A vulnerability need not be directly related to "a customer".


15 minutes ago, ekohn00 said:

A vulnerability need not be directly related to "a customer".

Sure, we looked at situations that would indirectly impact customers as well and none existed. We don't use log4j.

Are you indicating you feel vulnerable regardless of the reassurance?

4 hours ago, ekohn00 said:

I didn't see anything for the controller, but the network app... simple upgrade...

https://community.ui.com/releases/Security-Advisory-Bulletin-023-023/808a1db0-5f8e-4b91-9097-9822f3f90207

Isn't the Unifi Network the same as the Controller? When they are saying "A vulnerable third-party library used in UniFi Network Version 6.5.53 and earlier (Log4J CVE-2021-44228) allows a malicious actor to control the application." Isn't that the Unifi controller? I run the Unifi Controller in a Docker on my unRAID server and there has been discussion on how to fix this vulnerability on the unRAID Docker forums.


2 hours ago, zaphod said:

Isn't the Unifi Network the same as the Controller? When they are saying "A vulnerable third-party library used in UniFi Network Version 6.5.53 and earlier (Log4J CVE-2021-44228) allows a malicious actor to control the application." Isn't that the Unifi controller? I run the Unifi Controller in a Docker on my unRAID server and there has been discussion on how to fix this vulnerability on the unRAID Docker forums.

I run a UDM-PRO. On the UDM-PRO, it's broken down to "apps". I didn't see anything on the base controller, which is firmware on the UDM-PRO, but only the network module.

The docker/"SW" implementations may be different... I can't remember if my cloud key has independent apps, or everything was updated at once.
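Several posts above talk about scanning for Log4j and about manually upgrading the log4j jar files in a UniFi controller that runs in Docker on unRAID. The script below is an added example, not code from this thread or from Ubiquiti, Snap One or the Log4j project: it walks a directory tree (for instance an appdata share mounted into the container), finds log4j-core jars by the pom.properties and JndiLookup.class entries that real builds carry, classifies each version against CVE-2021-44228 (2.15.0 fixed it; 2.12.2 and 2.3.1 are the patched Java 7/6 backports), and treats a jar whose JndiLookup.class has been deleted as mitigated, which is the Apache-documented manual workaround. The sample jars, file names and temp directory in `demo()` are constructed for the demonstration only.

```python
import os
import re
import tempfile
import zipfile
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# 2.15.0 fixed CVE-2021-44228; 2.12.2 (Java 7) and 2.3.1 (Java 6) are the patched backports.
PATCHED_BACKPORTS = {(2, 12, 2), (2, 3, 1)}

def classify_version(version):
    """Map a log4j-core version string to 'patched', 'vulnerable' or 'unknown'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version or "")
    if not m or int(m.group(1)) != 2:
        return "unknown"
    v = tuple(int(x) for x in m.groups())
    return "patched" if v >= (2, 15, 0) or v in PATCHED_BACKPORTS else "vulnerable"

def assess_jar(path):
    """Return a finding for one jar, or None if it carries no log4j-core markers."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if POM_PROPS not in names and JNDI_CLASS not in names:
            return None
        props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
    m = re.search(r"^version=(.+)$", props, re.M)
    version = m.group(1).strip() if m else "unknown"
    status = classify_version(version)
    # Deleting JndiLookup.class from an old jar is the documented manual mitigation.
    if status != "patched" and JNDI_CLASS not in names:
        status = "mitigated"
    return {"path": path, "version": version, "status": status}

def scan_tree(root):
    """Walk root (e.g. an appdata share mounted into a UniFi container) and assess every jar."""
    jars = [os.path.join(d, n) for d, _, fs in os.walk(root) for n in sorted(fs) if n.endswith(".jar")]
    return [f for f in map(assess_jar, jars) if f]

def build_sample_jar(path, version, keep_jndi=True):
    """Constructed sample jar (not a real Log4j build) holding only the markers the scanner reads."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\n")
        if keep_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")

def demo():
    root = tempfile.mkdtemp()  # constructed tree with three sample jars; returns {file name: status}
    build_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1")
    build_sample_jar(os.path.join(root, "log4j-core-2.14.1-stripped.jar"), "2.14.1", keep_jndi=False)
    build_sample_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1")
    return {os.path.basename(f["path"]): f["status"] for f in scan_tree(root)}
```

Point `scan_tree()` at the host path that holds the container's data to inventory the jars actually loaded by the controller; a "vulnerable" finding means the jar should be upgraded rather than left in place.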
