Linuxserver.io Container affected by Log4j exploit?

Hi,

does anyone know if Linuxserver.io Containers use log4j and might be affected by the circulating exploits?

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

I’m currently using SWAG and Nextcloud with NGINX, but I’ve disabled outside network access while clarifying this issue.

Thanks for any info!

Best regards

The containers that use Java may be affected by this exploit. The only one to our knowledge is Unifi and we released a patch for that image last night.


Ok, thanks for the info.

For anyone interested: I did some research, had a look at the nginx access log and came upon some calls. This was also helpful.

I created the following jail for fail2ban to directly block these calls:

[Definition]
failregex=^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"\$\{jndi:(ldap[s]?|rmi|dns)://?.*"$
          ^.*\$\{jndi:(ldap[s]?|rmi|dns)://?<ADDR>\:.*$
ignoreregex =

Might be useful for anyone using SWAG with Fail2Ban or just plain Fail2Ban

Is there any possibility to mitigate this attack on unifi-controller 6.0.45?
This is the last controller version that supports the APs I am running because Ubiquiti decided these are EOL and not supported any more in the newer controller versions.
It should be possible to modify the image and pass -Dlog4j2.formatMsgNoLookups=true as a parameter to the JVM?

Here’s our mitigation: CVE-2021-44228 by TheSpad · Pull Request #106 · linuxserver/docker-unifi-controller · GitHub

You can apply it with: Customizing our Containers | LinuxServer.io


Wow. That was extremely easy. I just created a shell script in /config/custom-cont-init.d/ which modifies the line using sed.

sed -i 's/-Xmx"${MEM_LIMIT}" -jar \/usr\/lib\/unifi\/lib\/ace.jar/-Xmx"${MEM_LIMIT}" -Dlog4j2.formatMsgNoLookups=true -jar \/usr\/lib\/unifi\/lib\/ace.jar/' /etc/services.d/unifi/run

Thank you.
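
An idempotent variant of the sed edit above, as an added example that is not part of the original posts or the LinuxServer.io image: it inserts the flag before `-jar` whatever JVM options precede it, leaves an already patched file alone, and reports when the launch line was not found. The function name `add_log4j_flag` and the `RUN_FILE` variable are assumptions; the path, jar and flag are the ones quoted in the thread.

```sh
#!/bin/sh
# Added example for /config/custom-cont-init.d/ (hypothetical helper, not LinuxServer.io code).
# Path, jar and flag are taken from the thread above.
FLAG='-Dlog4j2.formatMsgNoLookups=true'
JAR='/usr/lib/unifi/lib/ace.jar'
RUN_FILE=${RUN_FILE:-/etc/services.d/unifi/run}

# add_log4j_flag FILE
# Returns 0 if the flag is present afterwards, 1 if FILE is missing,
# 2 if the "-jar <ace.jar>" launch line was not found (nothing applied).
add_log4j_flag() {
    file=$1
    [ -f "$file" ] || { echo "log4j-mitigation: $file not found" >&2; return 1; }

    # Already patched by an earlier start or by an updated image: do nothing.
    if grep -qF -- "$FLAG" "$file"; then
        return 0
    fi

    # Insert the flag directly before "-jar <ace.jar>". Writing back with cat
    # keeps the owner and the executable bit of the original run file.
    tmp=$(mktemp) || return 1
    sed "s|-jar ${JAR}|${FLAG} -jar ${JAR}|" "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"

    # Verify instead of assuming the substitution matched.
    if grep -qF -- "${FLAG} -jar ${JAR}" "$file"; then
        return 0
    fi
    echo "log4j-mitigation: launch line not found in $file, flag NOT applied" >&2
    return 2
}

# Only act when the service file exists (it does inside the container).
if [ -f "$RUN_FILE" ]; then
    add_log4j_flag "$RUN_FILE" || echo "log4j-mitigation: check $RUN_FILE manually" >&2
fi
```

A non-zero return matters here: if a later image changes the launch line, the original one-line sed would silently match nothing and the controller would start without the flag.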

Glad to hear it worked

Has Calibre-web been evaluated?

Have we considered integrating the ModSecurity WAF into SWAG?

SpiderLabs/ModSecurity-nginx: ModSecurity v3 Nginx Connector (github.com)

Mitigating the log4j Vulnerability (CVE-2021-44228) with NGINX - NGINX

All relevant info is here: log4j Vulnerability | Info :: LinuxServer.io

No plans at this point to add modsecurity to the swag container. (Not that I think we can because I can’t seem to find an alpine package for it)


Ubooquity’s developer states that it does not use log4j.