The UniFi Controller software uses the Java Log4j framework for logging; UniFi Controller (“UniFi Network Application”) version 6.5.53 currently ships Log4j 2.13.3.
This post shows how to update to Apache Log4j 2.17.0 by replacing the log4j-*.jar files. The workaround described here has been successfully applied to UniFi Controller software versions 6.0.23, 6.0.45 and 6.5.53.
The Log4j team has been made aware of a security vulnerability, CVE-2021-44228, which has been addressed in Log4j 2.12.2 and Log4j 2.17.1. Log4j’s JNDI (Java Naming and Directory Interface) support did not restrict what names could be resolved, and some protocols are unsafe or can allow remote code execution.
In version 2.12.2 Log4j disables access to JNDI by default: usage of JNDI in configuration now needs to be enabled explicitly, calls to the JndiLookup now return a constant string, and the protocols are limited by default to only java. The message lookups feature has been completely removed, while lookups in configuration still work. Furthermore, the current Log4j releases also disable access to JNDI by default and require JNDI lookups in configuration to be enabled explicitly; they limit the protocols by default to only java, ldap, and ldaps, restrict the ldap protocols to accessing Java primitive objects only, and require hosts other than the local host to be explicitly allowed.
Apache Log4j 2 Update for Windows
To install Log4j 2.17.1 for a UniFi Controller on Windows 10 or Windows Server 2019, open a command prompt as administrator and run the following commands. The commands work on any Windows version in principle; where curl and tar are not available, download the archive with a browser and unzip it with WinZip instead.
cd %userprofile%\downloads
curl -O https://dlcdn.apache.org/logging/log4j/2.17.1/apache-log4j-2.17.1-bin.zip
tar -xf apache-log4j-2.17.1-bin.zip
cd apache-log4j-2.17.1-bin
copy log4j-api-2.17.1.jar "%UserProfile%\Ubiquiti UniFi\lib"
copy log4j-core-2.17.1.jar "%UserProfile%\Ubiquiti UniFi\lib"
copy log4j-slf4j-impl-2.17.1.jar "%UserProfile%\Ubiquiti UniFi\lib"
cd "%UserProfile%\Ubiquiti UniFi\"
rem stop the controller service before touching the jars
java -jar lib\ace.jar stopsvc
cd lib
ren log4j-api-2.13.3.jar log4j-api-2.13.3.old
ren log4j-core-2.13.3.jar log4j-core-2.13.3.old
ren log4j-slf4j-impl-2.13.3.jar log4j-slf4j-impl-2.13.3.old
rem the 2.13.3 names become links to the 2.17.1 jars, so the unchanged classpath loads the new files
mklink log4j-api-2.13.3.jar log4j-api-2.17.1.jar
mklink log4j-core-2.13.3.jar log4j-core-2.17.1.jar
mklink log4j-slf4j-impl-2.13.3.jar log4j-slf4j-impl-2.17.1.jar
cd ..
java -jar lib\ace.jar startsvc
In the _unifi_root_/lib/ directory, the existing 2.13.3 files are renamed to *.old, and symbolic links carrying the original 2.13.3 file names are created that point to the new 2.17.1 files, so the controller, which still references the 2.13.3 names, loads the updated jars. After the log4j-*.jar files have been replaced in this way, the UniFi Controller can be restarted.
Note: Apache Log4j 2 updates are released continuously, so the download link may break. Check the file index for the latest release and replace the version number in the commands accordingly.
Apache Log4j Update for Linux
To update to Apache Log4j 2.17.1 for a UniFi Controller on Linux, become root in a terminal shell and execute the following commands.
$ systemctl stop unifi      # without systemd: /etc/init.d/unifi stop
$ wget https://dlcdn.apache.org/logging/log4j/2.17.1/apache-log4j-2.17.1-bin.tar.gz
$ gunzip apache-log4j-2.17.1-bin.tar.gz
$ tar -xf apache-log4j-2.17.1-bin.tar
$ cd apache-log4j-2.17.1-bin
$ cp log4j-api-2.17.1.jar log4j-core-2.17.1.jar log4j-slf4j-impl-2.17.1.jar /usr/lib/unifi/lib
$ cd /usr/lib/unifi/lib
$ mv log4j-api-2.13.3.jar log4j-api-2.13.3.old
$ mv log4j-core-2.13.3.jar log4j-core-2.13.3.old
$ mv log4j-slf4j-impl-2.13.3.jar log4j-slf4j-impl-2.13.3.old
$ ln -s log4j-api-2.17.1.jar log4j-api-2.13.3.jar
$ ln -s log4j-core-2.17.1.jar log4j-core-2.13.3.jar
$ ln -s log4j-slf4j-impl-2.17.1.jar log4j-slf4j-impl-2.13.3.jar
$ systemctl start unifi
In the /usr/lib/unifi/lib/ directory, the existing 2.13.3 files are renamed to *.old, and symbolic links with the old 2.13.3 names are created that point to the new 2.17.1 files, so the controller's unchanged classpath references now resolve to the updated jars. After the log4j-*.jar files have been replaced in this way, the UniFi Controller can be started again.
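The rename-and-symlink step only helps if every 2.13.3 name really resolves to a patched file, and a dangling or forgotten link is easy to miss. The following POSIX shell check is an added example, not part of the original post or of the UniFi software: it follows each log4j-*.jar link in a lib directory (the path and the minimum version are parameters; the defaults assume the post's layout) and fails if any jar resolves to a version below 2.17.1 or to a missing target.

```shell
#!/bin/sh
# Added example (not from the original post): verify that every log4j-*.jar
# name in a UniFi lib directory resolves to a jar of the expected version.
# Assumes POSIX sh with readlink -f (GNU coreutils or busybox).

MIN_LOG4J="2.17.1"   # version the post installs; adjust to the current release

# Return 0 if dotted numeric version $1 >= $2 (e.g. 2.17.1 >= 2.13.3).
version_ge() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# Print "<name on disk> <real file> <version>" for each log4j-*.jar in $1.
# A dangling symlink is reported with version 0 so that it fails the check.
log4j_inventory() {
    for jar in "$1"/log4j-*.jar; do
        [ -e "$jar" ] || [ -L "$jar" ] || continue     # glob matched nothing
        if ! [ -e "$jar" ]; then
            printf '%s %s %s\n' "$(basename "$jar")" "dangling-link" "0"
            continue
        fi
        real=$(basename "$(readlink -f "$jar")")
        ver=${real##*-}; ver=${ver%.jar}   # text between last '-' and '.jar'
        printf '%s %s %s\n' "$(basename "$jar")" "$real" "$ver"
    done
}

# Return 0 only if every log4j jar in $1 resolves to >= ${2:-$MIN_LOG4J}.
log4j_check() {
    min=${2:-$MIN_LOG4J}
    log4j_inventory "$1" | (
        n=0
        while read -r name real ver; do
            n=$((n + 1))
            if version_ge "$ver" "$min"; then
                echo "OK   $name -> $real ($ver)"
            else
                echo "FAIL $name -> $real ($ver is below $min)"; exit 1
            fi
        done
        [ "$n" -gt 0 ] || { echo "FAIL no log4j jars found in $1"; exit 1; }
    )
}
```

Run it as `log4j_check /usr/lib/unifi/lib` after the update; a non-zero exit means at least one jar name still points at an old or missing file.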
6 thoughts on “How to Fix UniFi Controller log4j vulnerability”
Thank you! That saved my ass and hours!
Have patched to the latest Unifi controller yet a scan still flags ace.jar as vulnerable :(
/usr/lib/unifi/lib/ace.jar: Java.Malware.CVE_2021_44228-9915814-6 FOUND
Tnx, the release is now 2.17.1
Tnx, but the 2.16.0 version isn’t available anymore.
You can change it to 2.17.0, everything else works fine.