
[CVE-2021-44228] Apache Log4j2 RCE

dawoon_lee
New Contributor II

Hello.

Our customer is running a Ruckus SmartZone (sz-100) controller.
The version of the controller is 5.1.1.0.598.


The customer asked whether the SmartZone is affected by the following security vulnerability.

** Vulnerability: [CVE-2021-44228] Apache Log4j2 RCE

Thank you for your valuable answers to the above questions.

91 REPLIES

@vineet_nejawala @allan_grohe 

Can you please confirm that log4j2 is now version 2.17 (or newer)? I got that request from a customer, as 2.16 has a CVSS score of 7.5 regarding DoS. Thanks in advance. (I am sorry, but I do not find details in the link, and these customers want to know it exactly.)

Thanks in advance.

@mark_pledl

If the concern is CVE-2021-45105, let me confirm that we are not impacted by it, as SZ doesn't use Context Map Lookup.

Best Regards

Vineet
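Two questions recur in this thread: which log4j-core version a product actually bundles (mark_pledl's 2.16 vs. 2.17 question) and whether its configuration uses the `${ctx:...}` Context Map lookup that CVE-2021-45105 depends on (Vineet's answer above). The following is an added example, not Ruckus code and not from this thread, of how a practitioner would check both offline against a jar and a log4j2 configuration file. The sample jar and configuration are constructed in the script; the fixed-version table covers only the main 2.x line (the Java 7 2.12.x and Java 6 2.3.x branches have their own fix releases and are not encoded here), and the vendor path names in the `main()` block are placeholders.

```python
"""
Added example (not vendor code): offline inventory of a bundled log4j-core jar
and a log4j2 configuration, answering two questions from the thread:

  1. Which log4j-core version is shipped, and does the jar still contain
     JndiLookup.class (the class behind CVE-2021-44228)?
  2. Does the configuration reference Context Map lookups (${ctx:...}) in a
     layout pattern, the precondition for CVE-2021-45105 on 2.16.0?

Fix versions below are the Apache Log4j project's published ones for the
main 2.x (Java 8+) line. The 2.12.x and 2.3.x branches are not encoded.
"""
import io
import re
import zipfile

FIXED_2X = {
    "CVE-2021-44228": (2, 15, 0),   # JNDI lookup RCE
    "CVE-2021-45046": (2, 16, 0),   # incomplete fix of 44228 (Thread Context patterns)
    "CVE-2021-45105": (2, 17, 0),   # uncontrolled recursion via ${ctx:...} lookups
    "CVE-2021-44832": (2, 17, 1),   # JDBC appender / JNDI data source RCE
}

POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CTX_LOOKUP = re.compile(r"\$\{ctx:([^}]*)\}")   # also matches the delayed $${ctx:...} form


def parse_version(text: str) -> tuple:
    """'2.16.0' -> (2, 16, 0); a missing patch component is treated as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(x) for x in m.groups(default="0"))


def assess(version, jndi_lookup_present: bool) -> list:
    """Return the CVE ids still open for this jar, in table order."""
    if version is None:
        return list(FIXED_2X)          # unknown version: treat every CVE as open
    open_cves = [cve for cve, fixed in FIXED_2X.items() if version < fixed]
    if not jndi_lookup_present:
        # Deleting JndiLookup.class is Apache's documented mitigation for the
        # two JNDI issues on releases older than 2.16.0.
        open_cves = [c for c in open_cves if c not in ("CVE-2021-44228", "CVE-2021-45046")]
    return open_cves


def inspect_jar(jar_bytes: bytes) -> dict:
    """Read the bundled version from pom.properties and check for JndiLookup.class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
        jndi_present = JNDI_LOOKUP_CLASS in names
    return {
        "version": version,
        "jndi_lookup_present": jndi_present,
        "outstanding": assess(version, jndi_present),
    }


def ctx_lookups_in_config(config_text: str) -> list:
    """Keys referenced through ${ctx:key} in a log4j2 config; %X{key} is not a lookup."""
    return CTX_LOOKUP.findall(config_text)


def build_sample_jar(version: str, include_jndi_lookup: bool) -> bytes:
    """Constructed stand-in for a real log4j-core jar (pom.properties plus a dummy class)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=%s\n" % version)
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")   # placeholder bytes, not a real class
    return buf.getvalue()


# Constructed configurations: one with the vulnerable lookup pattern, one without.
SAMPLE_CONFIG_WITH_CTX = """<?xml version="1.0"?>
<Configuration>
  <Appenders>
    <Console name="stdout">
      <PatternLayout pattern="%d %p $${ctx:loginId} %m%n"/>
    </Console>
  </Appenders>
</Configuration>
"""
SAMPLE_CONFIG_PLAIN = SAMPLE_CONFIG_WITH_CTX.replace("$${ctx:loginId} ", "%X{loginId} ")


if __name__ == "__main__":
    for ver, jndi in (("2.14.1", True), ("2.14.1", False), ("2.16.0", True), ("2.17.1", True)):
        report = inspect_jar(build_sample_jar(ver, jndi))
        print("log4j-core %-7s JndiLookup=%-5s open: %s" % (ver, jndi, report["outstanding"] or "none"))
    print("ctx lookups (vulnerable config):", ctx_lookups_in_config(SAMPLE_CONFIG_WITH_CTX))
    print("ctx lookups (plain config):     ", ctx_lookups_in_config(SAMPLE_CONFIG_PLAIN))
```

To run this against a real appliance, replace `build_sample_jar(...)` with the bytes of each `log4j-core-*.jar` found under the product's install tree and feed its `log4j2.xml` to `ctx_lookups_in_config`. A 2.16.0 jar reports CVE-2021-45105 as open regardless of configuration; the `${ctx:...}` check is what tells you whether that finding is reachable on the box, which is the distinction Vineet's answer relies on.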

diego_garcia_de
Contributor III

Hi Vineet. I have an open case 01288986 asking engineering about the same question.

I can't believe I was the first one to open such a case, but the way the ticket is being dealt with seems as if there is no coordinated effort. We're past 72 hours after the initial discovery, and I would have expected at an absolute minimum an announcement on the website or mailing list.

Also, at least a basic set of responses such as "product X is using / not using log4j version Y with JDK / JRE version Z". At an absolute minimum, some basic communication.

My very first tests don't seem to indicate that the system is exploitable... (referring to SZ 5.2.1), but these were basic fuzzing tests.

@diego_garcia_del_rio

We are sorry for the delay, but I see the TSE assisting you has also raised the same concern with engineering and is awaiting their response. I will update asap once we have a response from our engineering.

Best Regards

Vineet