12-12-2021 05:51 PM
Hello.
Our customer is running a Ruckus SmartZone (sz-100) controller.
The version of the controller is 5.1.1.0.598.
The customer asked if the SmartZone has the following security vulnerability.
** Vulnerability: [CVE-2021-44228] Apache Log4j2 RCE
Thank you for your valuable answers to the above questions.
12-14-2021 01:26 AM
Dear Vineet,
it would be cool if you could clarify for which versions we will get the ksp. From my experience it will be only the latest version of the development patch.
My guess is that it will be only 5.2.1.0.515, 5.2.2.0.1161 and 6.0.0.0.1331 (5.1.2.0.302 and former might be skipped as FragAttack unsafe); as 5.2.1.0.515 has a security leak too, it might be only 5.2.2.0.1161 and 6.0.0.0.1331. And of course all active FIPS versions.
Thanks in advance,
Br,
Mark.
12-14-2021 01:32 AM
Mark, so far we are testing on code 5.x and all above, including the FIPS version too. ksp testing has started and we are expecting the resolution (ksp) out soon for our customers, though we are yet to hear from engineering on what codes we are releasing the official patch for.
Best Regards
Vineet
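The two posts above turn on which release trains (5.1, 5.2, 6.0) will receive a patched build, and a string comparison of SmartZone-style five-part version numbers is not a safe way to answer that. The following is an added example, not code from this thread or from Ruckus: it parses the dotted build numbers numerically and compares each controller against a per-train minimum fixed build. The fixed-build thresholds in `ASSUMED_FIXED_BUILDS` are placeholders, not real patch versions, and the inventory is constructed from the version numbers mentioned in the thread.

```python
"""Triage SmartZone-style version strings against per-train fix thresholds.

Added example, not from the forum thread or the vendor. The thresholds in
ASSUMED_FIXED_BUILDS are PLACEHOLDERS: replace them with the builds named in
the vendor security bulletin before relying on the output.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]
Train = Tuple[int, int]


def parse_version(text: str) -> Version:
    """Turn '5.1.1.0.598' into (5, 1, 1, 0, 598) so that comparison is
    numeric per component; a plain string compare would rank '5.9' above '5.10'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def train_of(version: Version) -> Train:
    """The release train is the first two components (5.1, 5.2, 6.0).
    Fixes ship per train, so a patched 5.2 build says nothing about 6.0."""
    if len(version) < 2:
        raise ValueError("version needs at least two components")
    return (version[0], version[1])


# Placeholder thresholds (assumed): first build in each train carrying the fix.
# A train with no entry is treated as having no patched build at all.
ASSUMED_FIXED_BUILDS: Dict[Train, Version] = {
    (5, 2): parse_version("5.2.2.0.2000"),  # placeholder, not a real build
    (6, 0): parse_version("6.0.0.0.2000"),  # placeholder, not a real build
}


def assess(version_text: str,
           fixed: Dict[Train, Version] = ASSUMED_FIXED_BUILDS) -> str:
    """Return 'fixed', 'vulnerable', or 'no-fix-for-train'.

    'no-fix-for-train' means the controller sits on a train that has no
    patched build in the table; the remedy is a train upgrade, not a patch."""
    version = parse_version(version_text)
    threshold = fixed.get(train_of(version))
    if threshold is None:
        return "no-fix-for-train"
    return "fixed" if version >= threshold else "vulnerable"


def triage(inventory: List[Tuple[str, str]],
           fixed: Dict[Train, Version] = ASSUMED_FIXED_BUILDS
           ) -> Dict[str, List[str]]:
    """Group controller names by assessment status, in inventory order."""
    groups: Dict[str, List[str]] = {"fixed": [], "vulnerable": [],
                                    "no-fix-for-train": []}
    for name, version_text in inventory:
        groups[assess(version_text, fixed)].append(name)
    return groups


# Constructed inventory using the build numbers quoted in the thread.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("sz100-customer", "5.1.1.0.598"),
    ("sz-lab-a", "5.2.1.0.515"),
    ("sz-lab-b", "5.2.2.0.1161"),
    ("sz-lab-c", "6.0.0.0.1331"),
]

if __name__ == "__main__":
    for status, names in triage(SAMPLE_INVENTORY).items():
        print(f"{status:17s} {', '.join(names) or '-'}")
```

With the placeholder thresholds every controller in the sample inventory comes out as needing action, which is the intended starting point: nothing is marked fixed until the table is filled from the vendor bulletin. The per-train lookup matters because a customer on 5.1.x, as in the opening post, cannot be "patched" by a 5.2 or 6.0 build; that train needs an upgrade first.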
12-14-2021 01:37 AM
Thanks for the quick response, Vineet. Sounds good! So no additional upgrade hassle needed in that case. :-) Thanks for your hard work.
Br,
Mark.
12-14-2021 04:56 AM
Fully agree. My comment was more directed at Ruckus, given the brevity of the disclosure, and whether there is _ANYTHING_ (short of shutting down the controller) we can do to prevent exploitation.
To be honest, I would be _slightly_ less worried if I could contain the possible exploit paths to only through the AP (let's call it in-band) as, while these are public, in my case they don't have the full internet open towards it.
thanks!
12-14-2021 09:02 AM
Also, given the criticality of the incident it would be good for the advisory to be available without a support account.
In addition to publishing our Security Bulletins on the Support Portal, we do replicate them on the CommScope Security Page at https://www.commscope.com/security-bulletins, which is public and does not require a login to access.
Allan.