A vulnerability has been discovered in UniFi where a bundled version of log4j can facilitate remote code execution.
net-wireless/unifi on all architectures
Ubiquiti UniFi is a Management Controller for Ubiquiti Networks UniFi APs.
A bundled version of log4j could facilitate remote code execution. Please review the CVE identifier referenced below for details.
An attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.
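The following audit script is an added example, not part of the advisory or of UniFi. It assumes an XML-format Log4j 2 configuration and lists every JDBC Appender data source with its JNDI name, so a configuration change of the kind described above can be spotted in review. The sample configurations, the function names and the "local"/"review" verdicts are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configurations (not taken from UniFi or from the advisory).
TEMPLATE = """<Configuration>
  <Appenders>
    <Console name="stdout"><PatternLayout pattern="%m%n"/></Console>
    {appender}
  </Appenders>
</Configuration>"""
JDBC = '<JDBC name="db" tableName="logs"><DataSource jndiName="{uri}"/></JDBC>'
SAMPLE_REMOTE = TEMPLATE.format(appender=JDBC.format(uri="ldap://placeholder.invalid/ds"))
SAMPLE_LOCAL = TEMPLATE.format(appender=JDBC.format(uri="java:/comp/env/jdbc/Logging"))
SAMPLE_NONE = TEMPLATE.format(appender="")


def is_plugin(elem, name):
    """Match a plugin case-insensitively, by element name or by a type attribute
    (strict-mode XML names the plugin in type=)."""
    tag = elem.tag.rsplit("}", 1)[-1].lower()  # drop any XML namespace prefix
    return tag == name or elem.get("type", "").lower() == name


def audit_log4j_config(xml_text):
    """Return (appender name, JNDI name, verdict) for each JDBC data source."""
    findings = []
    for appender in ET.fromstring(xml_text).iter():
        if not is_plugin(appender, "jdbc"):
            continue
        for node in appender.iter():
            if not is_plugin(node, "datasource"):
                continue
            attrs = {k.lower(): v.strip() for k, v in node.attrib.items()}
            jndi = attrs.get("jndiname", "")
            # Assumption of this example: java: names stay inside the JVM's own
            # naming context; any other scheme is flagged for review.
            verdict = "local" if jndi.lower().startswith("java:") else "review"
            findings.append((appender.get("name", ""), jndi, verdict))
    return findings


if __name__ == "__main__":
    for label, text in [("remote", SAMPLE_REMOTE), ("local", SAMPLE_LOCAL),
                        ("none", SAMPLE_NONE)]:
        print(label, audit_log4j_config(text))
```

Properties, JSON and YAML configurations are not covered by this script and need their own check.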
There is no known workaround at this time.
All Ubiquiti UniFi users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-wireless/unifi-6.5.55"
October 26, 2023
October 26, 2023: 1