
[CVE-2021-44228] Apache Log4j2 RCE

dawoon_lee
New Contributor II

Hello.

Our customer is running a Ruckus SmartZone (sz-100) controller.
The version of the controller is 5.1.1.0.598.


The customer asked whether the SmartZone is affected by the following security vulnerability.

** Vulnerability: [CVE-2021-44228] Apache Log4j2 RCE

Thank you for your valuable answers to the above questions.

91 REPLIES

@torge_szczepanek Thanks.. indeed those are all the vulnerable packages.

I need to do one more test with a "hosting" server to see if the LDAP response actually gets executed (I've been looking at this issue in detail for other products and, depending on the Java JRE security configuration, it might refuse to download and execute code).

Another thing I've noticed is that, at least for the username, it seems to truncate it, but the user-agent header can also be used as an exploit, it would seem.

I still need to check if any downloaded code is actually executed.

tom_lebel
New Contributor II

Has Ruckus put out a public statement on this? I can't seem to find anything on their website for it. Can/Should we be shutting down our virtual VSze servers to protect systems?

Hi @tom_lebel

We are expecting a response soon on this. Commscope is aware of the latest vulnerability CVE-2021-44228. Our engineering team is currently performing the appropriate assessment on all our product lines. This is the highest priority for us and we will update our security bulletin as soon as more information is available on the same. Here is the link to our security bulletin which will be updated soon: https://support.ruckuswireless.com/security

Best Regards

Vineet

@tom_lebel - there is no public statement. I am not a Ruckus employee.

Can you please make a ticket to Ruckus - they will update you with information. I don't want to hand out any details without their permission.

Hope you understand!

Br,

Mark.

grodog-prod
Contributor II

The RUCKUS Security Bulletin addressing Log4j is now published at https://support.ruckuswireless.com/security_bulletins/313

Allan.

Allan T. Grohe Jr.
==
Knowledge Management Program Director
for RUCKUS Customer Services & Support