12-12-2021 05:51 PM
Hello.
Our customer is running a Ruckus SmartZone (sz-100) controller.
The version of the controller is 5.1.1.0.598.
The customer asked if the SmartZone has the following security vulnerability.
** Vulnerability: [CVE-2021-44228] Apache Log4j2 RCE
Thank you for your valuable answers to the above questions.
12-13-2021 06:10 AM
@torge_szczepanek Thanks.. indeed those are all the vulnerable packages.
I need to do one more test with a "hosting" server to see if the LDAP response actually gets executed (I've been looking at this issue in detail for other products and, depending on the Java JRE security configuration, it might refuse to download and execute code).
Another thing I've noticed is that, at least for the username, it seems to truncate it, but the User-Agent header can also be used as an exploit, it would seem.
I still need to check if any downloaded code is actually executed.
12-13-2021 05:48 AM
Has Ruckus put out a public statement on this? I can't seem to find anything on their website for it. Can/Should we be shutting down our virtual VSze servers to protect systems?
12-13-2021 05:52 AM
Hi @tom_lebel
We are expecting a response soon on this. Commscope is aware of the latest vulnerability CVE-2021-44228. Our engineering team is currently performing the appropriate assessment on all our product lines. This is the highest priority for us and we will update our security bulletin as soon as more information is available on the same. Here is the link to our security bulletin, which will be updated soon: https://support.ruckuswireless.com/security
Best Regards
Vineet
12-13-2021 05:59 AM
@tom_lebel - there is no public statement. I am no Ruckus employee.
Can you please make a ticket to Ruckus - they will update you with information. I don't want to hand out any details without their permission.
Hope you understand!
Br,
Mark.
12-13-2021 03:27 PM
The RUCKUS Security Bulletin addressing Log4j is now published at https://support.ruckuswireless.com/security_bulletins/313
Allan.