Community Manager
December 17, 2021
Question

UPDATE RELEASED: ColdFusion security updates for Log4j vulnerability


We are pleased to announce that we have released the updates for the following ColdFusion versions:

These updates address vulnerabilities that are mentioned in CVE-2021-44228 and CVE-2021-45046.

After applying the update, all Log4j 2.x-related jars will be upgraded to version 2.16.0.

Update Jan 11 2022: To address the vulnerabilities later found in log4j 2.17, those who have applied the most recent update can now implement the log4j 2.17.1 updates, as provided along with instructions here:

https://helpx.adobe.com/coldfusion/kb/log4j-2-17-0-vulnerability-coldfusion.html

Update Dec 21: To address the vulnerabilities later found in log4j 2.16, those who have applied the most recent update can now implement the log4j 2.17 updates, as provided along with instructions here:

https://helpx.adobe.com/coldfusion/kb/log4j-2-16-vulnerability-coldfusion.html

If you had applied the mitigation steps in Log4j vulnerability on ColdFusion, we still strongly recommend that you apply this update.

Download these updates from:

The Docker images will be hosted shortly on Amazon ECR and Docker Hub.

Please update your ColdFusion versions and provide us your valuable feedback.
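As an added example (mine, not Adobe's and not part of this announcement), here is a Python check an administrator could run against a ColdFusion lib folder after applying the updates, to confirm that no log4j-core jar older than the 2.17.1 level of the Jan 11 2022 technote is still on disk; the jars it builds in a temp folder are constructed stand-ins, and the version is read from each jar's manifest with the file name as a fallback.

```python
import re
import tempfile
import zipfile
from pathlib import Path

MIN_SAFE = (2, 17, 1)  # level of the Jan 11 2022 technote; anything older is flagged

def version_tuple(version):
    """'2.17.1' -> (2, 17, 1); tolerant of suffixes such as '2.17.1-SNAPSHOT'."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])

def jar_log4j_version(jar_path):
    """Version of a log4j-core jar (manifest first, file name as fallback), else None."""
    with zipfile.ZipFile(jar_path) as z:
        if "org/apache/logging/log4j/core/Logger.class" not in z.namelist():
            return None  # log4j-api or an unrelated jar: not what CVE-2021-44228 is about
        try:
            manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            manifest = ""
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    if m:
        return m.group(1)
    m = re.search(r"log4j-core-(\d+\.\d+\.\d+)", Path(jar_path).name)
    return m.group(1) if m else None

def scan_lib(lib_dir, min_safe=MIN_SAFE):
    """Recursively scan lib_dir; return {jar path: version} for stale log4j-core jars."""
    stale = {}
    for jar in Path(lib_dir).rglob("*.jar"):
        version = jar_log4j_version(jar)
        if version and version_tuple(version) < min_safe:
            stale[str(jar)] = version
    return stale

def make_fake_jar(path, version, core=True):
    """Constructed stand-in for a log4j jar: a manifest plus one marker class entry."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if core:
            z.writestr("org/apache/logging/log4j/core/Logger.class", b"")

def demo():
    """Build a constructed lib folder and return the stale jars found, keyed by file name."""
    lib = Path(tempfile.mkdtemp())
    make_fake_jar(lib / "log4j-core-2.13.3.jar", "2.13.3")  # pre-update jar
    make_fake_jar(lib / "log4j-core-2.16.0.jar", "2.16.0")  # Dec 17 update level
    make_fake_jar(lib / "log4j-core-2.17.1.jar", "2.17.1")  # Jan 11 technote level
    make_fake_jar(lib / "log4j-api-2.17.1.jar", "2.17.1", core=False)
    return {Path(p).name: v for p, v in scan_lib(lib).items()}
```

Point `scan_lib` at the real `cfusion/lib` (and any add-on service folders) instead of `demo`'s temp directory to audit an installation; an empty result means every log4j-core jar found is at or above the minimum.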


    Charlie Arehart
    Community Expert
    March 9, 2023

    This is not at all "the latest update". This is from 27 months ago. There have been two more updates to each of cf2021 and cf2018 since then, the last being in October. If you apply that, or the one between them from May of 2022, you will get all the log4j updates at once.

    This post was about the initial response(s) to the log4j vuln.

    As for what its "major points" are, we only have the info offered. If you might mean instead what are the DETAILS (what specific files were changed), we were not given that.

    But again, see my first point: you should not be stopping at this update from Dec 2021. The updates are cumulative, so go to the May 2022 or Dec 2022 update. See the link above that offers a page for each release and all its updates.

    /Charlie (troubleshooter, carehart. org)
    altascene
    Inspiring
    April 4, 2022

    Has anything been done to address the Log4j issue with Add-on Services? May the Log4j 2.17.1 updates be used for Add-on Services? If so, what would the process be to swap the files?

    Charlie Arehart
    Community Expert
    April 4, 2022

    Nothing yet that I've heard of. My presumption is that we're awaiting update 14 for cf2018 and update 4 for cf2021. I've not heard of any workaround, other than that if you're not using the CF add-on services feature, to just uninstall it. 

    /Charlie (troubleshooter, carehart. org)
    Charlie Arehart
    Community Expert
    January 11, 2022

    For folks following this post, note that as of Jan 11 (2022) Adobe has come out with a technote offering log4j 2.17.1 jars, addressing a vulnerability in the 2.16 jars that the log4j team had found (and for which Adobe had offered updated jars on Dec 21).

    To be clear, these 2.17.1 jars are meant to be added to a CF2021 or 2018 implementation where the update for those (released on Dec 17) had been applied.

    Here's the technote with the info on updating to the 2.17.1 jars:

    https://helpx.adobe.com/coldfusion/kb/log4j-2-17-0-vulnerability-coldfusion.html

    /Charlie (troubleshooter, carehart. org)
    Participant
    December 21, 2021

    We updated to 13 on 2018 yesterday. Everything is working except for Windows authentication: for applications that have been set up for Windows authentication, cgi.auth_user is not getting populated. Is there any explanation or fix for this?

    This was working fine before update 13.

    Charlie Arehart
    Community Expert
    December 22, 2021

    Can you clarify what CF update you were on BEFORE u13? And are you confirming you also did not change the JVM version that CF uses, nor anything else?

    /Charlie (troubleshooter, carehart. org)
    Participant
    December 22, 2021

    Charlie,

    We were on u4 due to slowness of MURA. Updated to 8 and then 13. JVM version was not changed. Changed worker.properties to include the secret.

    vkristpm
    Participant
    December 21, 2021

    I am trying to follow the instruction on updating the API manager per the following link:

    https://helpx.adobe.com/coldfusion/kb/coldfusion-api-manager-updates.html

    Unfortunately, the instructions are not very good. My specific concerns are:

    Step 2 - I can move the files and download the 2.16.0 files but then it lists the 2.3 files with a checksum, which makes me wonder why those files are listed since they are not in the zip.
    Step 3 - Says "copy the jars from the links below…" but there are no links "below".
    Step 5 - It makes no sense to "change" something to the same value it already is.

    Overall, I suspect I just need a hotfix jar file that I can install in the API manager folder similar to what was done for the API Performance Monitoring Toolset as described at https://helpx.adobe.com/coldfusion/kb/coldfusion-2018-performance-monitoring-toolset-update-4.html

    Thanks

    Charlie Arehart
    Community Expert
    December 21, 2021

    I hear your concerns but I don't think it's quite so confusing. Let me see if I can help:

    • The point in step 2 is that "the following jars" are those that DO exist in the api manager lib folder. You are told to move those (don't just rename them). The zip in the offered download has files to REPLACE each of those.
    • The checksum is that of the zip. Adobe offers it for those who like to make sure that any download they are told to get does have a matching checksum. This one does.
    • When step 3 says, "copy the jars from the links below", that is indeed clearly a mistake. It should have said "above". I hope Adobe may fix that. But once you understand the above two points, the mistake seems more obvious.
    • As for step 5, you are letting your eyes fool you. The values are NOT "the same":
      • -Dlog4j.configurationFile=file://{apim_home}/conf/log4j2.xml
      • -Dlog4j.configurationFile=file:///{apim_home}/conf/log4j2.xml
      • How do they differ? The second has 3 slashes. The implication seems to be that the original specification of this file path/protocol indicator was mistaken. As for the reference to 3 slashes in that log4j config property, I will point out that I see that the slashes are used with both Windows and Linux path references in this doc page from the Apache org on such file specifications. And that page is pointed to by association from a reference on the log4j docs on these manual config properties.

    Hope that all makes sense now. I'm just a fellow traveler trying to make sense of what we see in these resources. I have nothing to do with the docs or their creation.

    /Charlie (troubleshooter, carehart. org)
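To make the two-versus-three-slash difference concrete, here is an added example (mine, not from the technote or from anyone in this thread) that substitutes constructed apim_home values into the two property values quoted above and splits the result with Python's standard URI parser, which follows the generic scheme://authority/path syntax; it shows what that syntax makes of each spelling, not how Log4j itself loads the file.

```python
from urllib.parse import urlsplit

# The two values quoted in step 5 of the API Manager technote, as written in the thread.
ORIGINAL = "-Dlog4j.configurationFile=file://{apim_home}/conf/log4j2.xml"
CORRECTED = "-Dlog4j.configurationFile=file:///{apim_home}/conf/log4j2.xml"

# Constructed install locations (forward slashes, which Java accepts on Windows as well).
WINDOWS_HOME = "C:/ColdFusion2021/ApiManager"
LINUX_HOME = "/opt/coldfusion2021/ApiManager"

def split_file_uri(property_value, apim_home):
    """Substitute apim_home into the -D property and split the file: URI into
    (authority, path) by generic URI syntax, i.e. scheme://authority/path."""
    uri = property_value.split("=", 1)[1].replace("{apim_home}", apim_home)
    parts = urlsplit(uri)
    return parts.netloc, parts.path

def verdict(property_value, apim_home):
    """'ok' when the whole location landed in the path; 'host' when a leading
    path segment (here a drive letter) was consumed as the URI authority instead."""
    authority, _path = split_file_uri(property_value, apim_home)
    return "host" if authority else "ok"

if __name__ == "__main__":
    for home in (WINDOWS_HOME, LINUX_HOME):
        for label, value in (("two slashes", ORIGINAL), ("three slashes", CORRECTED)):
            print(f"{home:32} {label:14} {split_file_uri(value, home)} -> {verdict(value, home)}")
```

With the Windows-style home the two-slash form parses the drive letter as a host and the three-slash form keeps it in the path; with the Linux home both forms stay in the path, the three-slash one with a doubled leading slash.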
    vkristpm
    Participant
    December 21, 2021

    Thanks Charlie! I actually had it all figured out except that single slash difference in step 5 kept throwing me off no matter how many times I looked at it which made me think I was not understanding the steps above.

    Known Participant
    December 20, 2021

    I am on 2021.

    I saw in my updates that I had Update 2 and Update 3 available.  I assumed I needed to install 2, then 3.  The installation of 2 went smoothly; however, I no longer see update 3 in the Available Versions list.  I clicked Check for Updates (several times).

    Will version 3 show up at some point?

    Thank you

    Priyank Shrivastava.
    Community Manager
    December 20, 2021

    Hi @bloodbanker

    CF updates are cumulative and you can skip update 2. You can install update 3 directly.

    Note:
    1. Take a backup of the entire CF before you apply the update.
    2. You may encounter the QoQ error after you apply update 3. Here you can download the QoQ patch and copy this jar in the \ColdFusion2021\cfusion\lib\updates folder and restart CF.

    Patch link - Click here

    Thanks, Priyank Shrivastava
    Known Participant
    December 20, 2021

    Thank you @Priyank Shrivastava.

    I have already installed Version 2 as stated above. Now Version 3 is no longer listed, even after clicking Check for Updates.