cancel
Showing results for 
Search instead for 
Did you mean: 

Log4shell安全漏洞和建议(所有AP,Zonedirector, Unleashed, ICX, SPoT等不受影响)

nick_nie
New Contributor

CVE-2021-44228:Apache Log4j 漏洞描述:在 Apache Log4j 日志记录库中从版本 2.0 到 2.14.1 中发现了一个漏洞。利用此库的产品容易受到远程执行代码漏洞的影响,远程攻击者可以利用此漏洞完全控制受影响的设备。有关此漏洞的更多详细信息,请参阅 https://nvd.nist.gov/vuln/detail/CVE-2021-44228.

Ruckus 不受影响的产品: 所有AP, ZoneDirector, Unleashed, ICX交换机, SPoT/vSPoT, 和RUCKUS Cloud.

受影响的产品如下, 我们将发布补丁修复相关问题。具体参考 https://support.ruckuswireless.com/security_bulletins/313

3 REPLIES 3

nick_nie
New Contributor

12月16日更新

1. Cloudpath, RND, SZ-Dataplane也不受该漏洞影响

2. 受影响的Smartzone 5.1~6.0的KSP补丁计划本周内提供。

  • SZ 6.0 KSP 12/15/2021

  • SZ 5.2.2 P1 and 5.2.2 KSPs12/16/2021 

  • SZ 5.1 and 5.0 KSPs 12/17/2021

在此之前,请大家可以设置Manage Access限制可以访问控制器的源地址范围。

具体参见PDF Version

nick_nie
New Contributor

有人问起来SmartZone 3.6.2等为什么不受影响?原因是3.6.2 使用的是 1.x 的 log4j

nick_nie
New Contributor

KSP 补丁和更新的安全公告 v1.3 请参考新的链接:Log4j - RUCKUS Technical Support Response Center | Ruckus Wireless Support。 以后此页面将作为Log4j的一站式信息资源。

另外对应受影响的Smartzone系列的KSP补丁也已经可以下载了。请下载对应的KSP补丁,并且按照SZ and vSZ - Steps to Implement CVE-2021-44228 log4j2 Patch | Knowledge Base | Ruckus Wireless Suppo...描述的步骤进行操作。

请注意不同版本有不同的KSP

Filenames:

1. 5.2及以上版本:ER10935_fix_log4j_856364.ksp
2. 5.2 以下版本:ER10935_fix_log4j_before_5_2_856366.ksp   

操作步骤如下:

Resolution

Please refer to following steps to apply KSP for 5.x and above: 

Note: The downloaded file will be in zip format. Please make sure to unzip the downloaded file first. The resultant file after unzipping should end with .ksp

Step 1: Cluster Backup is always required before apply any KSP. 
 
       
1. Navigate to Administration >> Backup and Restore
       2. Under "Cluster" tab, click "Back up Entire Cluster" and Select Yes
       3. Once the backup is taken successfully, proceed to Step 2

Step 2: Upload the script to the v/SZ node from GUI:

  1. Administration -> Diagnostics
  2. Click on the diagnostic scripts tab from the left-hand menu
  3. Click the browse button under Upload diagnostic script to vSZ , select the KSP file attached, and upload it.

Upon successful upload, the script ("script name ") will be visible in the section below the "upload" section.

Step 3: Execute the script on the vSZ node's CLI:

1. Connect to the SCG CLI, enter the "enable" and later "patches" mode. Below is an example of the script to execute on 5.2(Please check the correct KSP before applying it as per your code)
 

Ruckus> en
Password: ********

Ruckus# patches

Ruckus(patches)# apply ER10935_fix_log4j_856364
Start Patching the System...

INFO : Using a default root directory : /tmp/tmp.HPCRanSP8i

/opt/ruckuswireless/wsg/apps/lib/log4j-core-2.11.1.jar exists. Replace this file.
/opt/ruckuswireless/wsg/apps/lib/log4j-core-2.8.2.jar exists. Replace this file.
/opt/ruckuswireless/3rdparty/elasticsearch-5.4.2/lib/log4j-core-2.8.2.jar exists. Replace this file.
Done.
Please restart services to make the changes take effect.

Ruckus(patches)# exit
Ruckus# service restart