Skip to main content
M
Matthew22377144yk0g
Known Participant
December 23, 2021
Answered

Security scans flagging older versions of log4j

  • December 23, 2021
  • 3 replies
  • 3682 views

Our IT department runs security scans using tenable and they are flagging older versions of log4j on our coldfusion servers.  We are running CF2018 patch 13, and have removed all our old hotfix history - the only older versions of log4j on our server now are log4j-1.2.15 in Coldfusion2018\cfusion\lib and log4j-1.2.17 in Coldfusion2018\cfusion\jetty\lib\ext.  Can we confirm whether or not these versions of log4j are vulnerable, and, if so, if there's any mitigation strategies that we can use to make sure these two log4j versions are secure?  Is there any plan to replace these with log4j 2.17?

      This topic has been closed for replies.
      Correct answer Charlie Arehart

      BKBK, while it's true that the broad concensus in the early days of the news about log4jshell (starting Dec 9)  was indeed that "it affected only log4j 2.0-2.15, then 2.16, and finally fixed as of 2.17 as of now), subsequent CVEs identified a rather edge case scenario in even log4j 1.x files.

       

      As such, folks are indeed finding that scanners (which look by file name) are tripping over the fact that CF2018 has this log4j-1.2.15.jar file in its cfusion/lib folder (or if running multiple instances, the [instancename]/lib folder).

       

      About that, Matthew, note first that Adobe DID updat that jar, with update 13. If you were to compare the jars before and after (jars are just zips) you would see that they removed the vulnerable jmsappender.class and some others, as has bene recommended by the log4j project and community abotu the log4j 1.x vulnerability.

       

      The problem is that too many scanners are looking ONLY at the NAME of the jar, not what is IN the jar. That's borderline criminal, really, because any bad guy (or software) could name the jars anything they want. A better scanner WOULD go that extra step and look IN any jar files to see IF they have known vulnerable class file names (that's still a "filename check", but at least it's not just a surface one).

       

      Anyway, folks like Matthew are in a pickle because "they have what they have" and need to "do what they tools says to do". But to be clear, Matthew, no, that jar is NOT something you can replace. In fact, the update 13 DID implenent a log4j 2.16 jar, and then the technote from Adobe earlier this week now allows you to copy in log4j 2.17 jars (over the 3 log4j 2.16 jars)--and the technote even offers a zip with the files.

       

      But after doing that, one STILL will have the log4j-1.2.15.jar. And you can't "just delete that" jar. If you do, CF will start but CF pages (and the CF admin) won't run. They rely on something in that jar (even though it CAN'T be any of the vulnerable bits as Adobe has removed those as of update 13). As I shared  just now in the much larger forum thread here on log4j, one COULD rename that file. Java (and therefore CF) really don't care about the name of the file. But I realize that's not a satisfying solution.

       

      But Matthew, I have offered for now what I understand to be the situation about that log4j-1.2.15.jar.

       

      Now, about the log4j-1.2.17.jar, which is in that jetty lib that Matthew mentions (in both CF2018 and 2021 even after the updates of Dec 17), that is dismaying to notice. I see now that it was raised back on Dec 13 by FishDev, but it was NOT addressed in the update on Dec 17, nor have I seen it discussed in the technotes they've released before or since. (Well, one of them talks about removing vulnerable libraries from "3rd party applications", but technically the jetty embedded within CF is not a "3rd party" app.)

       

      Anyway, I just want ahead and raised the question/concern, directing it to Adobe, as a new reply in that longer thread. Matthew, you may want to follow that aspect of the discussion there.

       

      Until then, again you COULD do that removal of the vulnerable classes  (by extracting the jar as a zip, removing the classes, and re-compressing the jar, as discussed in the technote). But really, Adobe should be fixing this for us, perhaps as a new technote with a new jar offered with those removed for us. That's what I've requested in that other thread.

      3 replies

      altascene
      altascene
      Inspiring
      January 4, 2022

      Matthew,

      I don't know what you are finding, but I have found that Tenable is detecting all update backup files, regardless of their location.  I don't know whether this causes issues with the CF installation.

      Scott

      altascene
      altascene
      Inspiring
      January 4, 2022

      After I read my comment above, I felt the need to clarify.  I meant that, regarding Log4j, for Tenable to give a CF server a clean bill of health, you must remove all of the backup files from that server.  I confirmed that, but I do not know if there is a negative impact by removing all of the backup files.

      BKBK
      Community Expert
      BKBKCommunity Expert
      Community Expert
      January 5, 2022
       

      ... I do not know if there is a negative impact by removing all of the backup files.


      By @altascene

       

      The backups are basically there to enable you to re-install or to revert to a previous installation if and when necessary. If you remove update X's backup, the impact will be that you will no longer be able to re-install or to revert to update X.

       

      There are 3 data per update, comprising the update directory, the jar, and the properties file.

       

      For example, for CF2018 Update 12, they are:

       

      \hf-updates\hf-2018-00012-328566\,

      \hf-updates\hotfix-012-328566.jar,

      \hf-updates\hf-2018-00012-328566.properties.

       

      If you delete these, you will no longer be able to re-install or to revert to update 12.

      Charlie Arehart
      Community Expert
      Charlie ArehartCommunity ExpertCorrect answer
      Community Expert
      December 24, 2021

      BKBK, while it's true that the broad concensus in the early days of the news about log4jshell (starting Dec 9)  was indeed that "it affected only log4j 2.0-2.15, then 2.16, and finally fixed as of 2.17 as of now), subsequent CVEs identified a rather edge case scenario in even log4j 1.x files.

       

      As such, folks are indeed finding that scanners (which look by file name) are tripping over the fact that CF2018 has this log4j-1.2.15.jar file in its cfusion/lib folder (or if running multiple instances, the [instancename]/lib folder).

       

      About that, Matthew, note first that Adobe DID updat that jar, with update 13. If you were to compare the jars before and after (jars are just zips) you would see that they removed the vulnerable jmsappender.class and some others, as has bene recommended by the log4j project and community abotu the log4j 1.x vulnerability.

       

      The problem is that too many scanners are looking ONLY at the NAME of the jar, not what is IN the jar. That's borderline criminal, really, because any bad guy (or software) could name the jars anything they want. A better scanner WOULD go that extra step and look IN any jar files to see IF they have known vulnerable class file names (that's still a "filename check", but at least it's not just a surface one).

       

      Anyway, folks like Matthew are in a pickle because "they have what they have" and need to "do what they tools says to do". But to be clear, Matthew, no, that jar is NOT something you can replace. In fact, the update 13 DID implenent a log4j 2.16 jar, and then the technote from Adobe earlier this week now allows you to copy in log4j 2.17 jars (over the 3 log4j 2.16 jars)--and the technote even offers a zip with the files.

       

      But after doing that, one STILL will have the log4j-1.2.15.jar. And you can't "just delete that" jar. If you do, CF will start but CF pages (and the CF admin) won't run. They rely on something in that jar (even though it CAN'T be any of the vulnerable bits as Adobe has removed those as of update 13). As I shared  just now in the much larger forum thread here on log4j, one COULD rename that file. Java (and therefore CF) really don't care about the name of the file. But I realize that's not a satisfying solution.

       

      But Matthew, I have offered for now what I understand to be the situation about that log4j-1.2.15.jar.

       

      Now, about the log4j-1.2.17.jar, which is in that jetty lib that Matthew mentions (in both CF2018 and 2021 even after the updates of Dec 17), that is dismaying to notice. I see now that it was raised back on Dec 13 by FishDev, but it was NOT addressed in the update on Dec 17, nor have I seen it discussed in the technotes they've released before or since. (Well, one of them talks about removing vulnerable libraries from "3rd party applications", but technically the jetty embedded within CF is not a "3rd party" app.)

       

      Anyway, I just want ahead and raised the question/concern, directing it to Adobe, as a new reply in that longer thread. Matthew, you may want to follow that aspect of the discussion there.

       

      Until then, again you COULD do that removal of the vulnerable classes  (by extracting the jar as a zip, removing the classes, and re-compressing the jar, as discussed in the technote). But really, Adobe should be fixing this for us, perhaps as a new technote with a new jar offered with those removed for us. That's what I've requested in that other thread.

      /Charlie (troubleshooter, carehart. org)
        altascene
        altascene
        Inspiring
        January 4, 2022

        Charlie,

         

        I have a similar situation, in that we are also using Tenable for vulnerabiltiy scanning.  Our scenario is that scans are detecting that log4j-core-2.9.0.jar is present in a backup location;

         

        Path : C:\ColdFusion2018\cfusion\hf-updates\hf-2018-00011-326016\backup\lib\log4j-core-2.9.0.jar

         

        Tenable basically says "...if it's present, it's a vulnerability...".  My options are to accept the risk within their system, or delete the file.  If I never plan on "rolling back" to update 11, may I safely delete the old log4j file?

         

        Thanks,
        Scott

        BKBK
        Community Expert
        BKBKCommunity Expert
        Community Expert
        January 5, 2022

        BKBK,

        Thanks.  On a dev box, I removed all the hf-2018-xxxxx-xxxxxx folders from the \hf-updates folder.  I left the .jar files and .properties file in-place.  I then re-ran the vulnerability scan, and it "passed".  When I say "removed", I first tried moving the folders to a different location on the server.  The scanner still found them, so I removed them completely.

        I did not perform uninstalls first, nor did I stop the CF App Server before I moved the files off of the server.  The sites being served from the dev box are working, and I am not seeing any odd error messages from CF.

        Yes, please, CF Team, feel free to chime in on whether or not the above steps I performed is advisable.


        On a dev box, I removed all the hf-2018-xxxxx-xxxxxx folders from the \hf-updates folder.


        By @altascene

        No better place to test.

         

         

        I left the .jar files and .properties file in-place. 

        No need, in my opinion. After all, you've gutted the vital organs.

        BKBK
        Community Expert
        BKBKCommunity Expert
        Community Expert
        December 23, 2021

        From what I have read from the documentation so far,  log4j-1.2.x is not vulnerable.

          Terms & ConditionsAccessibility statement
          Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices