Mitigating log4j vulnerabilities on EOL UniFi(-video) services

Jan 10 2022

Official fixes for UniFi Network Application came in 6.5.54 (CVE-2021-44228) & 6.5.55 (CVE-2021-45046).
UniFi Video is EOL and will not receive updates.

If an older version is still in use for some reason, it is up to the server administrator to update the required jar files.

This was tested with unifi-video 3.10.13 and unifi 5.14.23-13880-1, running on Debian 11.

unifi (5.14.23-13880-1)

Download log4j v2.12.4 (last version supporting Java 7) from Apache (https://www.apache.org/dyn/closer.lua/logging/log4j/2.12.4/apache-log4j-2.12.4-bin.tar.gz)

Extract to a temporary location, copy the original files to a backup location and put the following downloaded files in their place (under the original file names):
log4j-api-2.12.4.jar -> /usr/lib/unifi/lib/log4j-api-2.12.1.jar
log4j-core-2.12.4.jar -> /usr/lib/unifi/lib/log4j-core-2.12.1.jar
log4j-slf4j-impl-2.12.4.jar -> /usr/lib/unifi/lib/log4j-slf4j-impl-2.12.1.jar

Restart the unifi service.

unifi-video (3.10.13)

Download log4j v2.3.2 (last version supporting Java 6) from Apache (https://www.apache.org/dyn/closer.lua/logging/log4j/2.3.2/apache-log4j-2.3.2-bin.tar.gz)

Extract to a temporary location, copy the original files to a backup location and put the following downloaded files in their place (under the original file names):
log4j-api-2.3.2.jar -> /usr/lib/unifi-video/lib/log4j-api-2.1.jar
log4j-core-2.3.2.jar -> /usr/lib/unifi-video/lib/log4j-core-2.1.jar
log4j-slf4j-impl-2.3.2.jar -> /usr/lib/unifi-video/lib/log4j-slf4j-impl-2.1.jar

Restart the unifi-video service.
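A shell version of the swap above for both services, added here as an example and not taken from the post: it keeps a pristine backup of each bundled jar, installs the patched jar under the bundled jar's original file name, and refuses a second run over the same backup directory. Jar names and lib paths are the post's; the systemd unit name in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: back up each bundled log4j jar and
# install the patched jar under the ORIGINAL file name, so the service's
# classpath keeps resolving. Jar names and lib paths are the post's; the source
# directory layout is that of the extracted Apache tarball.
set -eu

# replace_jar NEW_JAR TARGET_JAR BACKUP_DIR
# Keeps a pristine copy of TARGET_JAR in BACKUP_DIR, then installs NEW_JAR as TARGET_JAR.
# Fails before touching the jar if a file is missing or a backup of it already exists.
replace_jar() {
    new=$1; target=$2; backup=$3
    [ -f "$new" ] || { echo "missing new jar: $new" >&2; return 1; }
    [ -f "$target" ] || { echo "target not found: $target" >&2; return 1; }
    mkdir -p "$backup"
    # a second run must not overwrite the pristine copy with the already-patched jar
    if [ -e "$backup/$(basename "$target")" ]; then
        echo "backup already exists for $target, refusing" >&2; return 1
    fi
    cp -p "$target" "$backup/"
    # stage beside the target and rename, so the JVM never sees a half-written jar
    cp "$new" "$target.tmp" && mv "$target.tmp" "$target"
}

# patch_unifi SRC_DIR LIB_DIR BACKUP_DIR
# The post's three swaps for UniFi Network 5.14: log4j 2.12.4 over the bundled 2.12.1.
patch_unifi() {
    for name in log4j-api log4j-core log4j-slf4j-impl; do
        replace_jar "$1/$name-2.12.4.jar" "$2/$name-2.12.1.jar" "$3" || return 1
    done
}

# patch_unifi_video SRC_DIR LIB_DIR BACKUP_DIR
# The same for UniFi Video 3.10.13: log4j 2.3.2 over the bundled 2.1.
patch_unifi_video() {
    for name in log4j-api log4j-core log4j-slf4j-impl; do
        replace_jar "$1/$name-2.3.2.jar" "$2/$name-2.1.jar" "$3" || return 1
    done
}

# On the real host (tarball extracted under /tmp; systemd unit name assumed):
#   patch_unifi /tmp/apache-log4j-2.12.4-bin /usr/lib/unifi/lib /root/log4j-backup-unifi \
#     && systemctl restart unifi
```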

Jun 22 2015

If you get hit with “RTNETLINK answers: Cannot allocate memory” when trying to add the IPv6 default gateway back after losing all IPv6 connectivity, raise net.ipv6.route.max_size.

The defaults (on my machines) were quite small compared to IPv4:

CentOS 7.0:
# sysctl net.ipv4.route.max_size
net.ipv4.route.max_size = 2147483647
# sysctl net.ipv6.route.max_size
net.ipv6.route.max_size = 4096

CentOS 7.1:
# sysctl net.ipv4.route.max_size
net.ipv4.route.max_size = 2147483647
# sysctl net.ipv6.route.max_size
net.ipv6.route.max_size = 16384

Debian 7.8/8.1:
# sysctl net.ipv4.route.max_size
net.ipv4.route.max_size = 2147483647
# sysctl net.ipv6.route.max_size
net.ipv6.route.max_size = 4096

Nov 20 2014

A quick reminder of how to recompile Bind9 with the MySQL SDB driver:

  • Prepare build environment
    apt-get install build-essential fakeroot dpkg-dev devscripts
    cd /usr/src/
    apt-get build-dep bind9
  • Get source
    apt-get source bind9/wheezy
  • Copy SDB files into place
    mysql-bind$: cp mysqldb.h ../bind9-9.8.4.dfsg.P1/bin/named/include/
    mysql-bind$: cp mysqldb.c ../bind9-9.8.4.dfsg.P1/bin/named/

  • Configure (read the instructions from the web page); quick diffs below:
bind9-9.8.4.dfsg.P1/bin/named/main.c:
...
#include <dlz/dlz_dlopen_driver.h>
+#include <named/mysqldb.h>
...
+ mysqldb_init();
+
ns_server_create(ns_g_mctx, &ns_g_server);
...
ns_server_destroy(&ns_g_server);

+ mysqldb_clear();
+
ns_builtin_deinit();
...
bind9-9.8.4.dfsg.P1/bin/named/Makefile.in:
...
-DBDRIVER_OBJS =
-DBDRIVER_SRCS =
-DBDRIVER_INCLUDES =
-DBDRIVER_LIBS =
+DBDRIVER_OBJS = mysqldb.@O@
+DBDRIVER_SRCS = mysqldb.c
+DBDRIVER_INCLUDES = -I/usr/include/mysql -fno-omit-frame-pointer -g -pipe -Wno-uninitialized -g -static-libgcc -fno-omit-frame-pointer -fno-strict-aliasing
+DBDRIVER_LIBS = -L/usr/lib -lmysqlclient
...
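Review bot: in the Makefile.in hunk, DBDRIVER_INCLUDES repeats -g and -fno-omit-frame-pointer and carries general compiler flags (-pipe, -static-libgcc, -fno-strict-aliasing) in a variable that exists for include paths, and DBDRIVER_LIBS hardcodes -L/usr/lib, which is the linker default anyway and does not cover wheezy's multiarch library directory. Populate both from `mysql_config --include` and `mysql_config --libs` when editing, so the header and library paths match the installed libmysqlclient-dev rather than a hand-pasted flag set.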
  • Update the changelog (dch) and rebuild the package (debuild -us -uc)

Nov 20 2014

As a reminder, how to enable a serial console under KVM.

Hypervisor (CentOS 7):
– no changes are required if the needed pty devices are created automatically (-chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 in the guest command line)
– if they are not, you need the following in the devices section of the guest's XML file (modifying it usually requires a full shutdown and start of the virtual machine):

<serial type='pty'>
  <target port='0'/>
</serial>
<console type='pty'>
  <target type='serial' port='0'/>
</console>

Guest (Debian 7):
– modify /etc/default/grub:

GRUB_CMDLINE_LINUX_DEFAULT="quiet"
#GRUB_TERMINAL=console

->

GRUB_CMDLINE_LINUX_DEFAULT="console=ttyS0 quiet"
GRUB_TERMINAL=serial
GRUB_SERIAL_COMMAND="serial"

Uncomment the following line in /etc/inittab:

T0:23:respawn:/sbin/getty -L ttyS0 9600 vt100

Run update-grub and reboot the virtual machine; you should now be able to use virsh console on the hypervisor.

<edit-16.1.2015>
– Added XML-configuration for serial/console
– Dropped 9600bps speed configuration
</edit>

Oct 09 2014

Nowadays LVM has a cache feature, where we can bolt an SSD onto a logical volume as a cache device.

Let’s imagine we have the following setup:

  • 4x 2TB SATA disks in RAID10 configuration, /dev/md0
  • 2x 120GB SSD disks in RAID1 configuration, /dev/md1

First we’ll create the logical volume which we’ll be working with:

# pvcreate /dev/md0
# vgcreate storage /dev/md0
# lvcreate -n volume -L 4TB storage /dev/md0

Next we’ll bolt the cache device (which should be RAID1-mirrored in case of disk failure) onto the volume. First we’ll extend the volume group to contain the SSD device:

# vgextend storage /dev/md1

Then we’ll create a cache volume and a metadata volume (1GB is left free on purpose):

# lvcreate -n metadata -L 1GB storage /dev/md1
# lvcreate -n cache -L 118GB storage /dev/md1

Now we’ll convert these into a cache pool (this will fail if there isn’t at least as much free space as is used for metadata, 1GB, because it is used for failure recovery):

# lvconvert --type cache-pool --poolmetadata storage/metadata storage/cache

Then all that’s left is attaching the cache to the logical volume:

# lvconvert --type cache --cachepool storage/cache storage/volume

It should say “storage/volume is now cached” and lvs output should look something like this:

# lvs
  LV     VG      Attr       LSize   Pool  Origin          Data% Meta% Move Log Cpy%Sync Convert
  cache  storage Cwi---C--- 118.00g
  volume storage Cwi-a-C---    4.0t cache [storage_corig]

Oh, and if you want the cache to survive a reboot, you’ll need a package that provides the /usr/sbin/cache_check binary. In Debian that’s “thin-provisioning-tools”, and in RHEL/CentOS/derivatives the package is device-mapper-persistent-data.
Tests were performed on Debian testing (Jessie) and CentOS 7.0.1406 Core in 10/2014. Official documentation can be found here.
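An added pre-reboot check for the caveat above (example code, not from the post): it confirms from lvs output that the volume really has a cache pool attached and that cache_check is installed. The lvs field names are the standard ones; the sample output used for testing is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): before trusting a cached volume
# across a reboot, confirm that the cache is attached and that cache_check,
# which LVM needs to activate the cached LV, is installed.

# cache_attached LV VG LVS_OUTPUT
# LVS_OUTPUT is the text printed by:
#   lvs --noheadings -o lv_name,vg_name,lv_attr,pool_lv VG
# Succeeds when the named LV is of cache type (lv_attr starts with 'C') and
# names a cache pool; the pool LV itself has no pool column and is rejected.
cache_attached() {
    lv=$1; vg=$2; out=$3
    printf '%s\n' "$out" | awk -v lv="$lv" -v vg="$vg" '
        $1 == lv && $2 == vg {
            seen = 1
            if (substr($3, 1, 1) == "C" && NF >= 4 && $4 != "") ok = 1
        }
        END { if (seen && ok) exit 0; exit 1 }'
}

# cache_check_present: the binary from thin-provisioning-tools /
# device-mapper-persistent-data; without it the cached LV will not come back
# after a reboot.
cache_check_present() {
    [ -x /usr/sbin/cache_check ] || command -v cache_check >/dev/null 2>&1
}

# Live use on the host from the post (both must succeed before rebooting):
#   cache_attached volume storage \
#     "$(lvs --noheadings -o lv_name,vg_name,lv_attr,pool_lv storage)" \
#     && cache_check_present
```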

Jan 20 2013

Debian Squeeze was released 06.02.2011.
Please note that Wheezy is still in the testing stage. Update: Debian Wheezy was released 04.05.2013.

Just some quick steps on how to do the upgrade (at your own risk).

Update Squeeze

    aptitude update
    aptitude upgrade
  1. Copy /etc/apt/sources.list to /etc/apt/sources.list.d/debian-wheezy.list and replace squeeze with wheezy, or add the entries to sources.list itself. Use whichever mirror is closest to you.
    deb http://ftp.fi.debian.org/debian/ wheezy main contrib non-free
    deb http://ftp.fi.debian.org/debian/ wheezy-updates main contrib non-free
    deb http://security.debian.org/ wheezy/updates main contrib non-free
  2. Update repository
    aptitude update
  3. Upgrade critical parts first – it will complain about libept1; just let it be removed.
    aptitude install dpkg apt aptitude
  4. (Dist-)upgrade rest
    aptitude upgrade
    aptitude dist-upgrade
  5. IF YOU ARE STILL RUNNING UNDER XEN 3.x:
    Replace grub2 with grub1 (or just keep your old menu.lst at /boot/grub/)

    aptitude purge grub-pc
    aptitude install grub-legacy
  6. Always check that /boot/grub/menu.lst or /boot/grub/grub.cfg exists and defaults to the right kernel
  7. Reboot and hope for the best

 

<complete instructions>
https://www.debian.org/releases/stable/i386/release-notes/ch-upgrading.html
</complete instructions>

Jan 20 2013

Debian 7.0 (beta4) and the i845G/GL didn’t work out of the box for me: X crashed without a log as soon as it tried to initialize.

After adding the following to /usr/share/X11/xorg.conf.d/05-i845g.conf, everything seems to work:

<code>

Section "Device"
    Option        "DRI"              "True"
    Option        "Shadow"           "True"
    Option        "XvMC"             "False"
    Option        "XvPreferOverlay"  "False"
    Identifier    "Card0"
    Driver        "intel"
    VendorName    "Intel Corporation"
    BoardName     "82845G/GL [Brookdale-G]/GE Chipset Integrated Graphics Device (rev 01)"
    BusID         "PCI:0:2:0"
EndSection

</code>

It’s possible that this is fixed by the time Wheezy is officially released; at least a bug has been reported.

 

Dec 10 2011

Once upon a time, a virtual machine was installed in full virtualization (KVM) mode. The network wasn’t bridged, it was routed.

And then the problem: IPv6 traffic flowed nicely inbound, but outbound was capped to about 128 kbps.

Troubleshooting: after googling around with ipv6, kvm and debian we came across this Debian bug report about GSO IPv6 issues under KVM. It’s supposed to be fixed in the 2.6.32-5-amd64 (2.6.32-39) package... well, upgrading didn’t work for us; probably another (similar kind of) bug, or something needs to be done on the host machine.

Workaround: disabling virtio_net’s GSO worked for us:

ifdown eth0; modprobe -r virtio_net; modprobe virtio_net gso=0; ifup eth0

Dec 09 2011

Debian Squeeze was released 06.02.2011 and Lenny’s support will (probably) be discontinued on 06.02.2012.

 

Problem: apt-get update && apt-get dist-upgrade broke everything; the server did not boot anymore.

Troubleshooting: Squeeze has grub2, which our Xen 3.x and pygrub didn’t understand.

Solution: upgrade with the following steps; use apt-get or aptitude, whichever you like.

  1. Update Lenny
    aptitude update
    aptitude upgrade
  2. Replace lenny with squeeze in /etc/apt/sources.list, or add the necessary entries to another file under /etc/apt/sources.list.d/
    deb http://ftp.fi.debian.org/debian/ squeeze main contrib non-free
    deb http://ftp.fi.debian.org/debian/ squeeze-updates main contrib non-free
    deb http://security.debian.org/ squeeze/updates main contrib non-free
  3. Update repository
    aptitude update
  4. Upgrade critical parts first
    aptitude install dpkg apt aptitude
  5. (Dist-)upgrade rest
    aptitude upgrade
    aptitude dist-upgrade
  6. Replace grub2 with grub1 (or just keep your old menu.lst at /boot/grub/)
    aptitude purge grub-pc
    aptitude install grub-legacy
  7. Check that /boot/grub/menu.lst exists and defaults to the right kernel
  8. Reboot and hope for the best

 

Also remember to use the 2.6.39 kernel from backports for live migration to work.
Update 01/2013: the 2.6.32 kernel usually works just fine; Lenny’s EOL date is 6.2.2012.