Product Security Update
Affecting Ubiquiti UniFi Controller / Cloud Key Products
CVE-2021-44228 Log4j Java Library Vulnerability:
Over the weekend, a high-impact software vulnerability was discovered in a Java logging library used by many different systems and products around the world. In the last 48 hours, more and more automated scanning has been taking place against internet-exposed IP addresses, looking for vulnerable systems.
The UniFi controller software for managing APs, switches and routers is affected by this issue because it is written in Java and uses the Log4j logging library.
Ubiquiti Networks have released an updated version of their UniFi network controller (6.5.54) for those using the latest 6.x series on Cloud Keys and stand-alone servers. If you are on an older version of the controller software (e.g. 5.14.23) due to end-of-life (EOL) hardware or other compatibility issues, you should refer to the links below on mitigating the problem and make a risk assessment of the exposure of any hosted controllers you may run on behalf of your customers, or Cloud Keys installed on customer premises.
If you use outsourced IT support resources, please contact them if you need outside assistance to manage the risk assessment and updates. Remember to always export a controller backup file before performing any updates.
Ubiquiti Specific Links
- Ubiquiti Community Thread on Updates and Mitigations for the UniFi Network Controller
- Ubiquiti Community Thread on Updates and Mitigations for the UniFi Video Controller
Generally Accessible News Articles:
Technical Information About The Vulnerability: