Ubiquiti Employee

**IMPORTANT** Debian/Ubuntu users - MUST READ - Updated 07.06.17

Hi all,

There was a recent kernel update that caused issues with jsvc, which in turn prevented the UniFi or UniFi Video controllers from running. The issue was present on our two official distros, and likely others. Updated kernels have been released for Debian 7/8/9 and Ubuntu 16.04. We primarily list recent LTS releases, but other versions would've been affected too.

There are quite a few docs on the related CVE (Stack Clash), if you'd like to read them. Here are a couple:

Stack Clash CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000364
Stack Clash vulnerability description: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt

There is an original thread on the issue, and it starts HERE. The issue actually occurs when trying to run jsvc, and there is at least one Debian bug report on it HERE. Debian made an announcement HERE to report that fixed kernels had been released.

The known affected kernel versions are:

Debian 7: 3.2.89-1
Debian 8: 3.16.43-2+deb8u1
Debian 9: 4.9.30-2+deb9u1
Ubuntu 16.04: 4.4.0-81

The known fixed kernel versions are:

Debian 7: 3.2.89-2
Debian 8: 3.16.43-2+deb8u2
Debian 9: 4.9.30-2+deb9u2
Ubuntu 16.04: 4.4.0-83

It'll be pretty obvious: if the controllers don't start, you're likely affected, at least if you haven't applied the workaround below. To confirm, check the kernel version. There are several ways to do this; an easy one is to run the following in a shell/Terminal:

uname -a


The workaround for affected kernels

UniFi:

echo "JSVC_EXTRA_OPTS=\"\$JSVC_EXTRA_OPTS -Xss1280k\"" | sudo tee -a /etc/default/unifi

UniFi Video:

echo "JSVC_EXTRA_OPTS=\"\$JSVC_EXTRA_OPTS -Xss1280k\"" | sudo tee -a /etc/default/unifi-video

The UniFi Cloud Key and the UniFi Video NVR Appliance (formerly airVision NVR Appliance) are not affected. These devices run a custom kernel, so they would not be updated via the mainline upgrade.

How to revert once on a fixed kernel

Once you're on an updated kernel that is known to be good, it is best to revert the above workaround. The following commands can be run via shell, and they will delete that line from the defaults file. The alternative is to delete (rm) the file, but you'd want to make sure that you didn't have anything else in that file.

UniFi:

sudo sed -i "/JSVC_EXTRA_OPTS=\"\$JSVC_EXTRA_OPTS -Xss1280k\"/d" /etc/default/unifi

UniFi Video:

sudo sed -i "/JSVC_EXTRA_OPTS=\"\$JSVC_EXTRA_OPTS -Xss1280k\"/d" /etc/default/unifi-video

Many thanks to the users who started posting about this and brought it to our attention. Much of the above info is from the thread (see HERE), and kudos should go to the users there (too many usernames to @ mention everyone, sorry).

Cheers,

The UniFi Team
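
A read-only check that ties the version lists and the workaround together, as an added example that is not part of the original post: it classifies `uname -a` output against the kernel versions listed above and reports, for each defaults file, whether the workaround should be applied, reverted, or left alone. The function names and the assumed `uname -a` layout (Debian package version after the word "Debian", Ubuntu 4.4.0-NN number in the release field) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Read-only: it changes no files.

# The exact line that the post's echo | tee -a command appends.
WORKAROUND='JSVC_EXTRA_OPTS="$JSVC_EXTRA_OPTS -Xss1280k"'

# classify_kernel "<uname -a output>" -> affected | fixed | unknown
# Recognises only the versions listed in the post; anything else is unknown.
# Assumption: Debian prints the package version after "Debian", Ubuntu
# prints 4.4.0-NN at the start of the release field.
classify_kernel() {
  case " $1 " in
    *" Debian 3.2.89-1 "* | *" Debian 3.16.43-2+deb8u1 "*) echo affected ;;
    *" Debian 4.9.30-2+deb9u1 "* | *" 4.4.0-81-"*)         echo affected ;;
    *" Debian 3.2.89-2 "* | *" Debian 3.16.43-2+deb8u2 "*) echo fixed ;;
    *" Debian 4.9.30-2+deb9u2 "* | *" 4.4.0-83-"*)         echo fixed ;;
    *) echo unknown ;;
  esac
}

# has_workaround <defaults file> -> exit 0 if the exact line is present.
# Checking first avoids appending a duplicate line with tee -a.
has_workaround() {
  [ -r "$1" ] && grep -qxF -- "$WORKAROUND" "$1"
}

# advise "<uname -a output>" <defaults file>
#   -> apply | revert | none | check-manually
advise() {
  state=$(classify_kernel "$1")
  if has_workaround "$2"; then present=yes; else present=no; fi
  case "$state:$present" in
    affected:no)             echo apply ;;          # known-bad kernel, no workaround yet
    fixed:yes)               echo revert ;;         # known-good kernel, workaround left over
    affected:yes | fixed:no) echo none ;;           # already in the right state
    *)                       echo check-manually ;; # kernel not in the post's lists
  esac
}

# Constructed sample line (Debian 8 with the affected package version).
SAMPLE='Linux host 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2+deb8u1 (2017-06-18) x86_64 GNU/Linux'
echo "sample kernel: $(classify_kernel "$SAMPLE")"

# Report for the running kernel and both controllers' defaults files.
for f in /etc/default/unifi /etc/default/unifi-video; do
  echo "$f: $(advise "$(uname -a)" "$f")"
done
```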
