A vulnerability has been discovered in UniFi where the bundled log4j can facilitate remote code execution.
Package | net-wireless/unifi on all architectures |
---|---|
Affected versions | < 6.5.55 |
Unaffected versions | >= 6.5.55 |
Ubiquiti UniFi is a Management Controller for Ubiquiti Networks UniFi APs.
A bundled version of log4j could facilitate remote code execution. Please review the CVE identifier referenced below for details.
An attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.
There is no known workaround at this time.
All Ubiquiti UniFi users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-wireless/unifi-6.5.55"
Release date
October 26, 2023
Latest revision
October 26, 2023: 1
Severity
high
Exploitable
remote
Bugzilla entries