How to Fix UniFi Controller log4j vulnerability

The UniFi Controller software uses the Java Log4j framework for logging; UniFi Controller (“UniFi Network Application”) version 6.5.53 ships with Log4j 2.13.3.

This post shows how to update to Apache Log4j 2.17.1 by replacing the log4j-*.jar files that ship with the UniFi Controller software, without waiting for a new UniFi release. The workaround described here has been successfully implemented with UniFi Controller versions 6.0.23, 6.0.45 and 6.5.53.

Vulnerability CVE-2021-44228

The Log4j team has been made aware of a security vulnerability, CVE-2021-44228, that has been addressed in Log4j 2.15.0 (Java 8) and Log4j 2.12.2 (Java 7). Log4j’s JNDI (Java Naming and Directory Interface) support did not restrict what names could be resolved; some protocols are unsafe or can allow remote code execution, so an attacker who gets a crafted string into a logged message can make the application load code from a server under his control. The follow-up releases 2.16.0, 2.17.0 and 2.17.1 fix further issues found in the lookup code (CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832), which is why this post installs 2.17.1 rather than the first fixed release.

Mitigation

Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) disable access to JNDI by default: JNDI lookups in configuration now need to be enabled explicitly, and calls to the JndiLookup return a constant string. The message lookups feature (lookups such as ${jndi:...} evaluated inside logged messages, the vector used by CVE-2021-44228) has been completely removed; lookups in configuration still work. Where JNDI is enabled, Log4j limits the protocols by default to java, ldap and ldaps, limits the ldap protocols to only accessing Java primitive objects, and hosts other than the local host need to be explicitly allowed. The 2.17.x releases installed below keep these defaults and additionally fix the later lookup-related issues.

Apache Log4j 2 Update UniFi on Windows

To install Log4j 2.17.1 for a UniFi Controller on Windows 10 or Windows Server 2019, open a command prompt as administrator (mklink needs an elevated prompt) and run the following commands. The commands work on any Windows version in principle; curl and tar are only built in since Windows 10 1803 and Windows Server 2019, on older versions download the zip with a browser and unpack it with an unzip tool instead.

cd %userprofile%\downloads
rem download and unpack the Log4j release
curl -O https://dlcdn.apache.org/logging/log4j/2.17.1/apache-log4j-2.17.1-bin.zip
tar -xf apache-log4j-2.17.1-bin.zip
cd apache-log4j-2.17.1-bin
rem copy the three jars the controller uses next to the old ones
copy log4j-api-2.17.1.jar "%UserProfile%\Ubiquiti UniFi\lib"
copy log4j-core-2.17.1.jar "%UserProfile%\Ubiquiti UniFi\lib"
copy log4j-slf4j-impl-2.17.1.jar "%UserProfile%\Ubiquiti UniFi\lib"
cd "%UserProfile%\Ubiquiti UniFi\"
rem stop the UniFi service before touching the jars it has loaded
java -jar lib\ace.jar stopsvc
cd lib
rem keep the vulnerable 2.13.3 jars as a backup ...
ren log4j-api-2.13.3.jar log4j-api-2.13.3.old
ren log4j-core-2.13.3.jar log4j-core-2.13.3.old
ren log4j-slf4j-impl-2.13.3.jar log4j-slf4j-impl-2.13.3.old
rem ... and let the file names the controller references resolve to the new jars (mklink LINK TARGET)
mklink log4j-api-2.13.3.jar log4j-api-2.17.1.jar
mklink log4j-core-2.13.3.jar log4j-core-2.17.1.jar
mklink log4j-slf4j-impl-2.13.3.jar log4j-slf4j-impl-2.17.1.jar
rem check: dir must list the three 2.13.3 names as <SYMLINK> entries pointing to the 2.17.1 jars
dir log4j-*
cd ..
java -jar lib\ace.jar startsvc

In the lib directory of the UniFi installation (%UserProfile%\Ubiquiti UniFi\lib) the original 2.13.3 jars are renamed to *.old, and symbolic links that carry the original 2.13.3 file names are created pointing at the new 2.17.1 jars. The controller references the jars by their 2.13.3 file names, so through the links it now loads the 2.17.1 code without any change to the UniFi software itself. If your lib directory contains a Log4j version other than 2.13.3, use that version number in the ren and mklink commands; the link must have exactly the file name the controller expects. After the log4j-*.jar files have been replaced in this way, the UniFi Controller can be restarted. Check the links again after every UniFi upgrade, since the upgrade installs the jars bundled with that release and can put the old version back.

Note: new Apache Log4j 2 releases appear continuously and older releases are removed from the download mirror, so the download link above can break. Check the file index at https://dlcdn.apache.org/logging/log4j/ for the current release (older releases remain available under https://archive.apache.org/dist/logging/log4j/) and replace the version number in the commands accordingly.

Apache Log4j Update UniFi on Linux

To update to Apache Log4j 2.17.1 for a UniFi Controller on Linux, become root in a terminal shell (or prefix each command with sudo) and execute the following commands.

# as root; without systemd use /etc/init.d/unifi stop and start instead of systemctl
systemctl stop unifi
wget https://dlcdn.apache.org/logging/log4j/2.17.1/apache-log4j-2.17.1-bin.tar.gz
tar -xzf apache-log4j-2.17.1-bin.tar.gz
cd apache-log4j-2.17.1-bin
cp log4j-api-2.17.1.jar log4j-core-2.17.1.jar log4j-slf4j-impl-2.17.1.jar /usr/lib/unifi/lib
cd /usr/lib/unifi/lib
# keep the vulnerable 2.13.3 jars as a backup ...
mv log4j-api-2.13.3.jar log4j-api-2.13.3.old
mv log4j-core-2.13.3.jar log4j-core-2.13.3.old
mv log4j-slf4j-impl-2.13.3.jar log4j-slf4j-impl-2.13.3.old
# ... and let the file names the controller references resolve to the new jars
ln -s log4j-api-2.17.1.jar log4j-api-2.13.3.jar
ln -s log4j-core-2.17.1.jar log4j-core-2.13.3.jar
ln -s log4j-slf4j-impl-2.17.1.jar log4j-slf4j-impl-2.13.3.jar
# check: the three 2.13.3 names must now show as links to the 2.17.1 jars
ls -l log4j-*
systemctl start unifi

In the /usr/lib/unifi/lib/ directory the original 2.13.3 jars are renamed to *.old, and symbolic links that carry the original 2.13.3 file names are created pointing at the new 2.17.1 jars. The controller references the jars by their 2.13.3 file names, so through the links it now loads the 2.17.1 code. If the directory contains a Log4j version other than 2.13.3, use that version number in the mv and ln commands. After the log4j-*.jar files have been replaced in this way, the UniFi Controller can be started. Re-check the links (ls -l log4j-*) after every UniFi package upgrade, since the package ships its own copy of the jars and can put the old version back.
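The rename-and-symlink swap from the Windows and Linux sections, written as reusable shell functions with a verification step. This is an added example and not code from the original post or from Ubiquiti. It assumes the layout used above (a lib directory holding the log4j-api, log4j-core and log4j-slf4j-impl jars of one version, and the extracted Apache release directory) and takes the version numbers as parameters instead of hardcoding 2.13.3 and 2.17.1; the function names log4j_swap, log4j_verify and log4j_jar_version are chosen here.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: the rename-and-symlink swap
# as reusable, idempotent shell functions, plus a check that the swap took.
# Assumed layout, as in the post: LIBDIR holds log4j-api/-core/-slf4j-impl-<OLDVER>.jar
# (e.g. /usr/lib/unifi/lib), NEWDIR is the extracted apache-log4j-<NEWVER>-bin directory.
set -u

LOG4J_ARTIFACTS="log4j-api log4j-core log4j-slf4j-impl"

# log4j_swap LIBDIR NEWDIR NEWVER OLDVER
# Copies the new jars in, moves each <art>-OLDVER.jar aside to <art>-OLDVER.old
# (only on the first run) and replaces it by a symlink of the same name that
# points to <art>-NEWVER.jar. The old names must keep existing because the
# controller's classpath references them; the link makes that name load the
# patched jar. Stop the controller before calling this.
log4j_swap() {
    local libdir=$1 newdir=$2 newver=$3 oldver=$4 art old new
    for art in $LOG4J_ARTIFACTS; do
        new="$art-$newver.jar"
        old="$art-$oldver.jar"
        if [ ! -f "$newdir/$new" ]; then
            echo "log4j_swap: $newdir/$new not found" >&2
            return 1
        fi
        if [ ! -e "$libdir/$old" ]; then
            echo "log4j_swap: $libdir/$old not found; is $oldver really the installed version?" >&2
            return 1
        fi
        cp "$newdir/$new" "$libdir/$new" || return 1
        if [ -L "$libdir/$old" ]; then
            rm "$libdir/$old"                            # re-run: just re-point the link
        else
            mv "$libdir/$old" "$libdir/${old%.jar}.old"  # first run: keep a backup
        fi
        # relative link target, so the lib directory can be moved as a whole
        ln -s "$new" "$libdir/$old" || return 1
    done
}

# log4j_verify LIBDIR NEWVER OLDVER
# Succeeds only if every <art>-OLDVER.jar is a symlink whose target is
# <art>-NEWVER.jar and that target exists. Run it after the swap and again
# after every UniFi upgrade, since an upgrade rewrites the lib directory.
log4j_verify() {
    local libdir=$1 newver=$2 oldver=$3 art old new target rc=0
    for art in $LOG4J_ARTIFACTS; do
        new="$art-$newver.jar"
        old="$art-$oldver.jar"
        if [ -L "$libdir/$old" ] && target=$(readlink "$libdir/$old") \
            && [ "${target##*/}" = "$new" ] && [ -f "$libdir/$old" ]; then
            echo "OK   $old -> $target"
        else
            echo "FAIL $old is not a link to $new"
            rc=1
        fi
    done
    return $rc
}

# log4j_jar_version JAR
# Prints the Implementation-Version recorded in the jar's manifest, so the
# version can be checked from the jar content rather than from the file name.
# Needs unzip on the host.
log4j_jar_version() {
    command -v unzip >/dev/null 2>&1 || { echo "unzip not installed" >&2; return 1; }
    unzip -p "$1" META-INF/MANIFEST.MF | tr -d '\r' | sed -n 's/^Implementation-Version: //p'
}
```

Usage on a Debian-based install, after systemctl stop unifi: source the file, then run log4j_swap /usr/lib/unifi/lib ./apache-log4j-2.17.1-bin 2.17.1 2.13.3 followed by log4j_verify /usr/lib/unifi/lib 2.17.1 2.13.3, and start the service again. log4j_swap refuses to run if the jars named by OLDVER are not present, so a wrong guess at the installed version cannot leave the lib directory half-changed, and running it a second time only re-points the links without overwriting the *.old backups. log4j_verify alone is what to schedule after UniFi upgrades: a freshly installed real jar under the old name makes it fail, which is exactly the case where the workaround has silently been undone.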

Open Command Prompt Here

How to open command prompt here from selected folder

After opening the command prompt, you usually have to change to the folder with “cd” followed by the directory path. There is, however, a way to open the command prompt directly in a certain folder: navigate to the desired directory in Windows Explorer, type “cmd” in the address bar and press Enter.


The Command Prompt opens in the selected directory path.

If you use the command prompt more often, you can replace PowerShell as the default shell of the Windows+X menu. To do this, open Settings, go to Personalization – Taskbar, and switch the option “Replace Command Prompt with Windows PowerShell in the menu when I right-click the start button or press Windows key+X” to Off.

From then on, Windows+X offers the command prompt instead of the default PowerShell.

Open Command Prompt here from selected folder on Windows 11

On Windows 11 it is easier: in Windows Explorer press Shift+F10, and the context menu that opens offers the command prompt, which opens in the selected directory.

Command Prompt operation

cmd.exe interacts with the user through a command-line interface. On Windows, this interface is implemented through the Win32 console. cmd.exe can take advantage of features available to native programs of its own platform: on Windows it uses real pipes in command pipelines, so both sides of the pipeline run concurrently, and it can redirect the standard error stream. (COMMAND.COM uses temporary files and runs the two sides serially, one after the other.)

Multiple commands can be processed in a single command line using the command separator &&.

When this separator is used in the Windows cmd.exe, each command must complete successfully for the following commands to execute. For example:

C:\>Command1 && Command2 && Command3

In the above example, Command2 will only execute if Command1 completes successfully, and Command3 only if Command2 completes successfully. To process subsequent commands even if the previous command produces an error, use the command separator & instead. For example:

C:\>Command1 & Command2 & Command3