06-20-2017 12:42 PM - edited 07-06-2017 05:32 AM
There was a recent kernel update that caused issues with jsvc, which in turn prevented the UniFi or UniFi Video controllers from running. The issue was present on our two official distros, and likely others. Updated kernels have been released for Debian 7/8/9 and Ubuntu 16.04. We primarily list recent LTS releases, but other versions would've been affected too.
There are quite a few docs on that CVE, if you'd like to read them. Here are a couple:
Stack Clash CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000364
Stack Clash vulnerability description: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
There original thread on the issue, and it starts HERE. The issue is actually when trying to run jsvc, and there is at least a Debian bug report on it HERE. Debian made an announcement HERE to report that fixed kernels had been released.
The known affected kernel versions are:
Debian 7: 3.2.89-1 Debian 8: 3.16.43-2+deb8u1 Debian 9: 4.9.30-2+deb9u1 Ubuntu 16.04: 4.4.0-81
The known fixed kernel versions are:
Debian 7: 3.2.89-2 Debian 8: 3.16.43-2+deb8u2 Debian 9: 4.9.30-2+deb9u2 Ubuntu 16.04: 4.4.0-83
It'll be pretty obvious if the controllers don't start, then you're likely affected, at least if you haven't employed the fix below. If you're affected you can check the kernel version. There are several ways to do this, one easy one is by issuing the following via shell/Terminal:
The workaround for affected kernels
echo "JSVC_EXTRA_OPTS=\"\$JSVC_EXTRA_OPTS -Xss1280k\"" | sudo tee -a /etc/default/unifi
echo "JSVC_EXTRA_OPTS=\"\$JSVC_EXTRA_OPTS -Xss1280k\"" | sudo tee -a /etc/default/unifi-video
The UniFi Cloud Key and the UniFi Video NVR Appliance (formerly airVision NVR Appliance) are not affected. These devices run a custom kernel, so they would not be updated via the mainline upgrade.
How to revert once on a fixed kernel
Once you're on an updated kernel, that is known to be good, it is ideal to revert the above fix. The following command(s) can be run via shell, and it will delete that line from the default file. The alternative is to delete (rm) the file, but you'd want to make sure that you didn't have anything else in that file.
sudo sed -i "/JSVC_EXTRA_OPTS=\"\$JSVC_EXTRA_OPTS -Xss1280k\"/d" /etc/default/unifi
sudo sed -i "/JSVC_EXTRA_OPTS=\"\$JSVC_EXTRA_OPTS -Xss1280k\"/d" /etc/default/unifi-video
Many thanks to the users who starting posting about this, and bringing it to our attention. Much of the above info is from the thread (see HERE), and kudos should go to the users there (too many usernames to @ mention everyone, sorry).
The UniFi Team