UniFi – Log4j Vulnerability Notice

Update: 15 December 2021 – version 6.5.54 and earlier is vulnerable. Please update the UniFi Controller again.

With the recent Log4j vulnerability, CVE-2021-44228, UniFi controller version 6.5.54 and earlier is vulnerable.

Jacobalberty has backported the fix to v6.0.45 and v5.14.23 for those who are on older hardware or controller versions.

For our own controller, we will be migrating to the latest v6 build by changing our Docker tag to “jacobalberty/unifi:v6” instead of “jacobalberty/unifi:stable-6”, following UniFi Controller – Docker Tag Change again with the new tag.
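
One way to confirm, after the tag change, which Log4j version the controller image actually ships. This is an added example, not code from the original post or from the jacobalberty image; it assumes Log4j is present as a standalone jar named log4j-core-<version>.jar, and the sample paths are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: list log4j-core jars older than
# a minimum fixed version, reading jar paths on stdin.

# version_lt A B: true when dotted version A sorts strictly before B.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" |
            sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# old_log4j_jars MIN: print "<version> <path>" for each log4j-core jar below MIN.
old_log4j_jars() {
    min=$1
    while IFS= read -r path; do
        name=${path##*/}
        case $name in
            log4j-core-[0-9]*.jar) ;;   # standard Maven artifact name (assumption)
            *) continue ;;              # log4j-api and unrelated jars are skipped
        esac
        ver=${name#log4j-core-}
        ver=${ver%.jar}
        if version_lt "$ver" "$min"; then
            printf '%s %s\n' "$ver" "$path"
        fi
    done
}

# Constructed sample paths, standing in for `find` output from a container.
sample_paths() {
    printf '%s\n' \
        /opt/example/lib/log4j-core-2.13.3.jar \
        /opt/example/lib/log4j-api-2.13.3.jar \
        /opt/example/new/log4j-core-2.17.1.jar
}

# 2.15.0 is the first Log4j release with the CVE-2021-44228 fix; later Log4j
# advisories set a higher floor, so pass the version your advisory names.
sample_paths | old_log4j_jars 2.15.0

# Against the running container from this post (name "unifi"):
#   docker exec unifi find / -name 'log4j-core-*.jar' 2>/dev/null |
#       old_log4j_jars 2.15.0
```

An empty result means no standalone log4j-core jar below the given version was found; it does not cover Log4j classes bundled inside other jars.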

References:

UniFi Controller – Docker Tag Change

While checking our UniFi controller image for updates, we found that the tag “jacobalberty/unifi:stable” is no longer valid. There are 2 new tags instead, “jacobalberty/unifi:stable-5” and “jacobalberty/unifi:stable-6”. We will be upgrading to UniFi controller 6 with the tag “jacobalberty/unifi:stable-6”.

WARNING: Upgrading the controller may invoke device provisioning, which may disrupt current service/s.

As a precaution, download a backup of the controller by going to Settings > Backup > Download Backup.

In our previous post, UniFi Controller – Self Hosted Docker, our UNIFI_UID and UNIFI_GID were 1001. Update the ID numbers below as required.

docker stop unifi
docker update --restart=no unifi
docker rename unifi unifi.old
docker run -d --restart=always --net=host --name=unifi -e RUNAS_UID0=false -e UNIFI_UID=1001 -e UNIFI_GID=1001 -v /var/docker_storage/unifi:/unifi jacobalberty/unifi:stable-6

About a minute after executing the last command, check the UniFi Controller web interface to confirm that everything works. Devices will start to re-provision.

If this is successful, run the command below to clean up:

docker rm unifi.old

If this fails, we suggest starting over and restoring the controller Docker image with the backup that was downloaded at the beginning. Be sure to clean up the Docker storage folder on the host first.