Solution Apache Log4j Vulnerability in Omada Controller - Updated on May 18, 2022 [Case Closed]
Hi All,
TP-Link is aware of the vulnerability in Apache Log4j used in Omada Controller (CVE-2021-44228: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints).
Affected Products/Services:
Omada Cloud Services
Omada Controller (Windows)
Omada Controller (Linux)
Omada Controller OC200
Omada Controller OC300
Omada Discovery Utility
Kind note: Pharos Control is not affected.
Available Solutions:
So far, the TP-Link team has fixed the vulnerability on the cloud platforms, including Omada Cloud-Access.
For Local Omada Controllers, you may install the Beta firmware below for an emergency solution.
Omada SDN Controller:
Omada_Controller_V5.0.15_Windows (Beta)
Omada_Controller_V4.4.6_Linux_x64.tar (Beta)
Omada_Controller_V4.4.6_Linux_x64.deb (Beta)
OC200(UN)_V1_1.14.1_20211213 (Beta) -- Built-in Omada Controller v5.0.21
OC300(UN)_V1_1.2.4_20211213 (Beta) -- Built-in Omada Controller v4.4.6
Omada Controller V3.2.14:
Omada_Controller_V3.2.15_Windows_32bit (Beta)
Omada_Controller_V3.2.15_Windows_64bit (Beta)
Omada_Controller_V3.2.15_Linux_x64.tar (Beta)
Omada_Controller_V3.2.15_Linux_x64.deb (Beta)
OC200(UN)_V1_1.2.5_Build 20211214 (Beta)
Note: The Beta firmware provided above has updated log4j version to 2.15.0 to fix the original vulnerability (CVE-2021-44228).
Here are the official releases for Omada SDN Controllers to fix the vulnerability:
Omada_Controller_V4.4.8_Linux_x64.tar Release Note >
Omada_Controller_V4.4.8_Linux_x64.deb Release Note >
Omada_Controller_V5.0.30_Windows Release Note >
Omada_Controller_V5.0.30_Linux_x64.tar Release Note >
Omada_Controller_V5.0.30_Linux_x64.deb Release Note >
OC200(UN)_V1_1.14.3 Build 20220112 Release Note > Built-in Omada Controller v5.0.30
OC300(UN)_V1_1.7.1 Build 20220112 Release Note > Built-in Omada Controller v5.0.30
Kind Note:
1. The official firmware provided above has updated the log4j version to 2.16.0 to fix the follow-up vulnerability (CVE-2021-45046).
2. Omada Controllers or Services are NOT affected by the last vulnerability (CVE-2021-45105).
But TP-Link still released a new official firmware to upgrade log4j version to 2.17.0.
The following Omada SDN Controller v5 has upgraded log4j version to 2.17.0:
Omada_Controller_v5.1.7_Linux_x64.tar.gz Full Release Note >
Omada_Controller_v5.1.7_Linux_x64.deb Full Release Note >
Omada_Controller_v5.1.7_Windows Full Release Note >
OC200(UN)_V1_1.15.2_20220323 Full Release Note > Built-in Omada Controller v5.1.7
OC200(UN)_V2_2.1.2_20220323 Full Release Note > Built-in Omada Controller v5.1.7
OC300(UN)_V1_1.8.2 Build 20220411 Full Release Note > Built-in Omada Controller v5.1.8
The following Omada Controller v3 has upgraded log4j version to 2.17.0:
Omada_Controller_V3.2.16_Windows_32bit Release Note >
Omada_Controller_v3.2.16_Windows_64bit Release Note >
Omada_Controller_v3.2.16_Linux_x64.deb Release Note >
Omada_Controller_V3.2.16_Linux_x64.tar Release Note >
OC200(UN)_V1_1.2.6_Build 20211230 Release Note >
The following Omada Discovery Utility version has upgraded log4j version to 2.16.0:
Omada Discovery Utility 5.0.8 Release Note >
> upgraded log4j version to 2.16.0 to avoid remote code execution vulnerability in Apache log4j2.
This solution post has been updated completely by May 18, 2022.
Thank you for your attention!
Solution Updated Records:
- Updated on 15th December 2021:
1. Add the Beta firmware for old Omada Controller v3.2.14.
2. Add the official firmware for Omada Controller v5.0.27 Windows.
Note: If you are using an older Omada Controller and wondering whether you can upgrade to the SDN Controller, you may refer to the guide below for a quick answer.
Frequently asked questions of Omada SDN solution related to upgrading and management
- Updated on 16 December 2021:
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. So the coming official firmware will update log4j version to 2.16.0 (CVE-2021-45046).
- Updated on 17 December 2021:
Add the official firmware for Omada Software Controller v4/v5, which updated log4j version to 2.16.0 (CVE-2021-45046)
- Updated on 21 December 2021:
Add the official firmware for Omada SDN Controller OC200/OC300, which updated log4j version to 2.16.0 (CVE-2021-45046)
- Updated on 22 December 2021:
Add a Kind Note:
3. Omada Controllers or Services are NOT affected by the last vulnerability (CVE-2021-45105).
But TP-Link will still release a new official firmware soon to upgrade log4j version to 2.17.0.
4. The official firmware for Omada Controller v3.2.14 will also upgrade log4j version to 2.17.0, which will be released afterwards.
- Updated on 9 January 2022:
Add official firmware for Omada Controller v5.0.29 (Linux) and Omada Discovery Utility v5.0.8, which updated log4j version to 2.16.0 (CVE-2021-45046).
- Updated on 26 January 2022:
Add official firmware for Omada Software Controller v3.2.16, which updated log4j version to 2.17.0.
- Updated on 10 February 2022:
Add official firmware for Omada Hardware Controller OC200 with built-in Controller v3.2.16, which updated log4j version to 2.17.0.
Replaced the Omada Controller v5.0.29 firmware with the Controller v5.0.30 (it's the later version, which has fixed some issues that came from v5.0.29).
- Updated on 7 May 2022:
Add official firmware for Omada Software Controller v5.1.7 and OC200 with built-in Controller v5.1.7, which updated log4j version to 2.17.0.
- Updated on 18 May 2022:
Add official firmware for OC300 with built-in Controller v5.1.8, which updated log4j version to 2.17.0.
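As an added example (not TP-Link's code and not part of the original post): a small Python checker an administrator can point at a software controller's install directory to confirm which log4j-core version it actually ships and which of the three CVEs named in the post that version addresses. The install path, the jar layout and the sample jars it builds for the demo are assumptions; the fixed-in versions are those of the Apache Log4j advisories for the Java 8 line, matching the versions quoted in the post (2.15.0, 2.16.0, 2.17.0).

```python
"""Added example: locate log4j-core jars under an install tree and report which
of CVE-2021-44228 / CVE-2021-45046 / CVE-2021-45105 each bundled version fixes.
Not TP-Link's code; the install layout and sample jars below are assumptions."""
import os
import re
import tempfile
import zipfile

# Fixed-in versions from the Apache Log4j 2 advisories (Java 8+ line), in the
# order the post lists them.
FIXED_IN = [
    ("CVE-2021-44228", (2, 15, 0)),
    ("CVE-2021-45046", (2, 16, 0)),
    ("CVE-2021-45105", (2, 17, 0)),
]
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.16.0' -> (2, 16, 0); tolerates suffixes such as '2.17.0-rc1'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    return tuple(int(g) if g else 0 for g in m.groups())


def version_from_jar(path):
    """Read the version from the Maven pom.properties inside the jar; if that entry
    is absent, fall back to the version embedded in the file name."""
    with zipfile.ZipFile(path) as jar:
        if POM_PROPERTIES in jar.namelist():
            text = jar.read(POM_PROPERTIES).decode("utf-8", "replace")
            for line in text.splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    m = re.search(r"log4j-core-(\d+\.\d+(?:\.\d+)?)", os.path.basename(path))
    return m.group(1) if m else None


def has_jndi_lookup(path):
    """True if the jar still contains JndiLookup.class (the class that the common
    'remove it from the jar' mitigation deletes; newer releases keep it but
    disable JNDI lookups by default)."""
    with zipfile.ZipFile(path) as jar:
        return JNDI_LOOKUP in jar.namelist()


def assess(version):
    """Map each CVE to True (fixed in this version) or False (still affected)."""
    v = parse_version(version)
    return {cve: v >= fixed for cve, fixed in FIXED_IN}


def scan(root):
    """Walk an install tree and assess every log4j-core jar found under it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = version_from_jar(path)
                findings.append({
                    "path": os.path.relpath(path, root).replace(os.sep, "/"),
                    "version": version,
                    "jndi_lookup_present": has_jndi_lookup(path),
                    "fixes": assess(version) if version else {},
                })
    return sorted(findings, key=lambda f: f["path"])


def make_sample_jar(path, version, with_pom=True, with_jndi_lookup=True):
    """Constructed sample jar containing only the entries the scanner inspects."""
    with zipfile.ZipFile(path, "w") as jar:
        if with_pom:
            jar.writestr(POM_PROPERTIES, "groupId=org.apache.logging.log4j\n"
                         "artifactId=log4j-core\nversion=%s\n" % version)
        if with_jndi_lookup:
            # Placeholder bytes, not a real class file.
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def demo():
    """Build a throw-away tree with three constructed jars and scan it: a pre-fix
    2.14.1, a fully patched 2.17.0, and a 2.16.0 whose pom.properties and
    JndiLookup.class were stripped (exercises the file-name fallback)."""
    root = tempfile.mkdtemp(prefix="omada-lib-")
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    make_sample_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1")
    make_sample_jar(os.path.join(lib, "log4j-core-2.17.0.jar"), "2.17.0")
    make_sample_jar(os.path.join(lib, "log4j-core-2.16.0.jar"), "2.16.0",
                    with_pom=False, with_jndi_lookup=False)
    return scan(root)


if __name__ == "__main__":
    # Replace demo() with scan("/opt/tplink/EAPController") or similar to check
    # a real install (path is an assumption; adjust to your deployment).
    for finding in demo():
        print(finding)
```

The version comparison is deliberately per-CVE rather than a single "vulnerable/not vulnerable" verdict, because the post's own history shows why: a controller on the 2.15.0 beta was fixed for CVE-2021-44228 but not for CVE-2021-45046, and the output makes that distinction visible.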
Is there an updated list of firewall rules for the 4.x.x controller vs the 5.x.x controller?
Specifically, between the controller and EAPs?
Upon upgrading from 4.4.6 to 5.0.15 or 5.0.27 the EAPs get stuck at the "ADOPT" stage.
I don't see any firewall blocks.
Upon reverting the controller VM back to the snapshot prior to the upgrade, all my EAPs adopt successfully and everything works perfect.
More than likely you're running into the Adopt/Provisioning loop bug that cropped up in 5.0.15+... which I guess must not be fully fixed in 5.0.27.
Contact support. They can take your current running file, backup, and logs and fix the issue in the database for you. They send you a fixed backup file you import and it fixes the problem. Open a ticket w/ support. You'll need to send them the following info:
1. What's the previous controller version you upgraded the controller v5.0.15 from?
2. A backup file of your controller that exported before the upgrade.
3. The Running Log, it can be exported under Settings -> Services -> Export Data.
See: https://community.tp-link.com/en/business/forum/topic/508622
Awesome! Thanks so much!
That's exactly what's happening.
I read the guide over and over and couldn't see any changes.
This was right when 5.x.x came out and I forgot to follow up after more people had updated.
I see the firmware update shown in the post, but after much searching around, I don't see any way to apply it. Using the UI of the OC200, it says there is no updated firmware, probably because this is still a beta release. But I haven't found another way to do this. It seems a lot of folks here have found the page that makes this obvious to do. Any pointers to that doc?
@technovangelist Settings -> Maintenance and then at the bottom there is an option for "Manual Upgrade" where you can select the file that you downloaded.
That is definitely what I would expect, but there is no such option there.
@technovangelist Hmm, I am looking at my OC200 web interface right now. I haven't updated to the beta yet, so this is still from the latest stable release.
@technovangelist Ahh, I see the problem. When logging in via https://omada.tplinkcloud.com/#controller there is no such option. But when opening the web page at the IP address of the controller, you do see that option.
Dear @WirelessForEver,
WirelessForEver wrote
Upon upgrading from 4.4.6 to 5.0.15 or 5.0.27 the EAPs get stuck at the "ADOPT" stage.
Following this post, your case has been escalated. Please kindly reply to the support email for further follow-up; the support engineer will help you effectively. Thank you for your cooperation and patience!
Fae wrote
Dear @WirelessForEver,
WirelessForEver wrote
Upon upgrading from 4.4.6 to 5.0.15 or 5.0.27 the EAPs get stuck at the "ADOPT" stage.
Following this post, your case has been escalated. Please kindly reply to the support email for further follow-up; the support engineer will help you effectively. Thank you for your cooperation and patience!
Will do. Happy to help.
Information
Helpful: 10
Views: 40048
Replies: 66