Apache Log4j Vulnerability in Omada Controller - Updated on May 18, 2022 [Case Closed]

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Re:Apache Log4j Vulnerability in Omada Controller - Updated on 17 December 2021
2021-12-19 02:03:37

@WirelessForEver  - Merry Christmas... Log4j is the gift that just keeps on giving!

#54
Log4j 2.17.0 | CVE-2021-45105
2021-12-19 20:41:13

Looks like a new version is necessary:

 

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.

 

BTW: Any update on omada 5 for Linux?

#55
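A defender-side screening check for the version range quoted in the post above, added here as an example and not taken from the thread or from TP-Link: it parses a log4j-core version string (including pre-release qualifiers such as 2.0-alpha1), flags versions inside the range the advisory gives for CVE-2021-45105 (2.0-alpha1 through 2.16.0, excluding 2.12.3, fixed in 2.17.0 and 2.12.3), and reads the version out of a jar's manifest. It assumes the jar's META-INF/MANIFEST.MF carries an Implementation-Version header, and the sample jar is constructed in memory; a version match is a reason to patch, not proof that a particular deployment is exploitable.

```python
import io
import re
import zipfile
from typing import Optional

# Pre-release qualifiers sort before the final release: 2.0-alpha1 < 2.0-beta9 < 2.0
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?")

def parse_version(ver: str) -> tuple:
    """'2.0-alpha1' -> (2, 0, 0, 0, 1); '2.16.0' -> (2, 16, 0, 3, 0)."""
    m = _VERSION_RE.fullmatch(ver.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version string: {ver!r}")
    major, minor, patch, qual, qnum = m.groups()
    return (int(major), int(minor), int(patch or 0), _QUALIFIER_RANK[qual], int(qnum or 0))

def affected_by_cve_2021_45105(ver: str) -> bool:
    """Affected range per the advisory text: 2.0-alpha1 .. 2.16.0; fixed in 2.17.0 and 2.12.3.
    Versions at or above 2.12.3 on the 2.12 branch are treated as carrying the backported fix."""
    v = parse_version(ver)
    if v < parse_version("2.0-alpha1") or v >= parse_version("2.17.0"):
        return False  # 1.x is a different code base; 2.17.0 and later carry the fix
    if v[:2] == (2, 12) and v[2] >= 3:
        return False
    return True

def log4j_version_from_jar(jar_bytes: bytes) -> Optional[str]:
    """Read Implementation-Version from META-INF/MANIFEST.MF (assumed to be present)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None

def build_sample_jar(version: str) -> bytes:
    """Constructed sample: a zip holding only a manifest, standing in for a log4j-core jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nImplementation-Title: Apache Log4j Core\r\n"
                    f"Implementation-Version: {version}\r\n")
    return buf.getvalue()

if __name__ == "__main__":
    for ver in ("2.15.0", "2.16.0", "2.17.0", "2.12.3"):
        found = log4j_version_from_jar(build_sample_jar(ver))
        print(f"log4j-core {found}: {'AFFECTED' if affected_by_cve_2021_45105(found) else 'fixed'}")
```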
Re:Apache Log4j Vulnerability in Omada Controller - Updated on 17 December 2021
2021-12-19 21:23:54

@darpamonkey 

You should update to the first one, OC200(UN)_V1_1.14.1_20211213 (Beta) -- Built-in Omada Controller v5.0.21, because you are using the SDN v4 Controller. The other is for the v3 Controller version.

#56
Re:[Solution] Apache Log4j Vulnerability in Omada Controller
2021-12-20 02:02:38

Dear @JustAnotherDave,

 

JustAnotherDave wrote

@Fae First I want to give you a huge THANK YOU for being so responsive and forthcoming with information.  It's been such a relief.  I do have another follow-up question for you: my OC300 controller version is 4.3.5, and the firmware is indicating 1.1.0 build 20210406 Rel.58776.  Do you anticipate that I will be able to update directly to the latest patch when it is available?

 

You are most welcome. Regarding your question, yes, you can update your OC300 1.1.0 to the latest patch when it's available.

>> Omada EAP Firmware Trial Available Here << *Try filtering posts on each forum by Label of [Early Access]*
#57
Re:Apache Log4j Vulnerability in Omada Controller - Updated on 17 December 2021
2021-12-20 21:33:16

@Fae I just wanted to add my additional thanks to you and team for your prompt attention to this matter.

 

From catching up on the most recent posts, it appears that 2.17.0 is the most current version required to address all currently known Log4j CVEs, or have I read this incorrectly?

 

I'm running the Beta OC200 SDN firmware with its revision to 2.15.0. Should we expect the release version to include 2.17.0 or anticipate another Beta cycle?

 

Kind regards,

 

S.

#58
Re:Apache Log4j Vulnerability in Omada Controller - Updated on 17 December 2021
2021-12-22 08:17:56

Dear @st3v3np, @buntspext, @WirelessForEver,

 

st3v3np wrote

From catching up on the most recent posts, it appears that 2.17.0 is the most current version required to address all currently known Log4j CVEs, or have I read this incorrectly?

I'm running the Beta OC200 SDN firmware with its revision to 2.15.0. Should we expect the release version to include 2.17.0 or anticipate another Beta cycle?

 

Thank you so much for your valued feedback!

 

The Omada Controllers or Services are not affected by the latest Log4j CVE-2021-45105, but TP-Link will still release new official firmware soon to upgrade the log4j version to 2.17.0.

 

BTW, the official firmware for the Omada SDN Controller was provided in the solution post yesterday, which upgrades log4j to 2.16.0; please upgrade when you have time.

#60
Re:Apache Log4j Vulnerability in Omada Controller - Updated on 22 December 2021
2021-12-29 15:57:41

Yesterday I updated two OC200 with the new firmware.

The first installed and rebooted as planned.

The second OC200 got stuck in a boot loop; I couldn't even ping it. After a restart, the boot loop persisted.

Both controllers have similar configurations. The only difference is the power source: the first OC200 was powered from PoE only, the second from PoE and USB (5V/3A). Could this cause problems?

My solution was to start the controller in recovery mode (press "reset" while powering on), open 0.253 and install the new firmware again. I don't use the USB adapter anymore.

After the installation it boots and all the config was still there.

Cheers!
#64
Re:Apache Log4j Vulnerability in Omada Controller - Updated on 22 December 2021
2022-01-03 02:53:29

@Fae 

 

Could you explain why the OC200/OC300 firmware was upgraded to a "beta" version 5.0.29 to fix the vulnerability?
 

If the Linux version was fixed with version 4.4.8, why not let the hardware controllers upgrade to that? I've seen too many posts saying things are not going well after the upgrade, and v5 still seems raw. Will there be a 4.4.8 firmware update for the controllers?

#66
Re:Apache Log4j Vulnerability in Omada Controller - Updated on 9 January 2022
2022-01-23 16:34:02 - last edited 2022-01-23 18:27:31

@Fae 

 

My OC200 Omada Controller upgrade failed twice.

The 1st upgrade was from 4.4.4 to 4.4.6 and the 2nd upgrade from 4.4.4 to 5.0.30.

In both upgrades I got the Downloading window and after that the Rebooting window; when the reboot finished, the Omada Controller was OFFLINE.

I was able to recover the Omada Controller in both cases with the following procedure, going back to firmware version 4.4.4:

https://www.tp-link.com/us/support/faq/3114/  

#67
Re:Apache Log4j Vulnerability in Omada Controller - Updated on 9 January 2022
2022-01-24 06:38:43

Dear @Moyshka,

 

Moyshka wrote

My OC200 Omada Controller upgrade failed twice.

The 1st upgrade was from 4.4.4 to 4.4.6 and the 2nd upgrade from 4.4.4 to 5.0.30.

In both upgrades I got the Downloading window and after that the Rebooting window; when the reboot finished, the Omada Controller was OFFLINE.

I was able to recover the Omada Controller in both cases with the following procedure, going back to firmware version 4.4.4:

https://www.tp-link.com/us/support/faq/3114/  

 

Sorry to hear that you have trouble with the upgrade. I've followed up with your case in this post.

#68