Log4j/Log4Shell exploit should I be worried?

QNAP just dropped security advisory…

Log4j v2.16 has been released btw

You don’t have to have Java services facing the internet, you just have to handle untrusted data at some point (e.g. third-party APIs, especially ones which provide user-generated content of some sort). All it takes to compromise (unpatched) local Minecraft servers and connected clients is one person being “clever” in the chat; it would be easy for some internal data source to lead to an exploit.

Though I’d imagine most people aren’t hosting much which would be cause for concern (beyond possibly a router’s built-in webserver or a smart TV trying to scoop up network traffic for advertisers).

Assuming your Unifi controller is not run on the hardware itself (i.e. you don’t own a UDM or other hardware with the controller built-in), you don’t need to run the controller 24/7.

The controller just collects logs and pushes configurations. Unless your device somehow loses its configuration during a power outage or you want to adopt a new AP, the only time you need the controller running is when you want to change the configuration or if you just like looking at the dashboard. (Given its tendency to randomly lock up and peg the CPU at 100% occasionally, I tend to only run it when necessary.)

1 Like

Some of SolarWinds’ products are also affected. Boy, those guys can’t catch a fucking break. :laughing:

5 Likes

Like clockwork:

2 Likes