UPDATE RELEASED: ColdFusion security updates for Log4j vulnerability

Adobe Employee, Dec 17, 2021


We are pleased to announce that we have released the updates for the following ColdFusion versions:

 

These updates address vulnerabilities that are mentioned in CVE-2021-44228 and CVE-2021-45046.

 

After applying the update, all Log4j 2.x-related jars will be upgraded to version 2.16.0.

 

Update Jan 11 2022: To address the vulnerabilities later found in log4j 2.17, those who have applied the most recent update can now implement the log4j 2.17.1 updates, as provided along with instructions here:

https://helpx.adobe.com/coldfusion/kb/log4j-2-17-0-vulnerability-coldfusion.html 

 

Update Dec 21: To address the vulnerabilities later found in log4j 2.16, those who have applied the most recent update can now implement the log4j 2.17 updates, as provided along with instructions here:

https://helpx.adobe.com/coldfusion/kb/log4j-2-16-vulnerability-coldfusion.html 

 

If you had applied the mitigation steps in Log4j vulnerability on ColdFusion, we still strongly recommend that you apply this update.

 

Download these updates from:

 

The Docker images will be hosted shortly on Amazon ECR and Docker Hub.

 

Please update your ColdFusion versions and provide us your valuable feedback.
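A post-update verification check, added here as an example (not Adobe's code and not from this thread): it walks a ColdFusion install root, reads each log4j jar's manifest, and reports which jars are still below the 2.17.1 floor from the later technote, treating a log4j-core jar whose JndiLookup.class was stripped (a common pre-update workaround) as mitigated but still unpatched. The install root and the jar fixtures are constructed here and contain no real Adobe files.

```python
import re
import tempfile
import zipfile
from pathlib import Path

MIN_OK = (2, 17, 1)  # the Jan 11 2022 technote in this thread ships log4j 2.17.1 jars
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    """(major, minor, patch) from text such as 'log4j-core-2.16.0.jar', else None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None

def inspect_jar(path):
    """Return (version, jndi_class_present); manifest version wins over the file name."""
    with zipfile.ZipFile(path) as z:
        names = set(z.namelist())
        manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in names else ""
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return parse_version(m.group(1) if m else Path(path).name), JNDI_CLASS in names

def audit(root):
    """Map each log4j 2.x jar under root to (version, status). OK: at/above MIN_OK.
    UPDATE: older, replace it. MITIGATED: older core jar with JndiLookup.class stripped."""
    findings = {}
    for jar in Path(root).rglob("log4j-*.jar"):
        version, has_jndi = inspect_jar(jar)
        if version is None or version[0] != 2:
            continue  # not a log4j 2.x jar
        if version >= MIN_OK:
            status = "OK"
        elif "core" in jar.name and not has_jndi:
            status = "MITIGATED"
        else:
            status = "UPDATE"
        findings[jar.relative_to(root).as_posix()] = (version, status)
    return findings

def make_sample_tree():
    """Constructed fixture (not real Adobe files): a fake cfusion/lib with three jars."""
    lib = Path(tempfile.mkdtemp(), "cfusion", "lib")
    lib.mkdir(parents=True)
    for name, ver, with_jndi in (("log4j-core-2.16.0.jar", "2.16.0", True),
                                 ("log4j-core-2.14.1.jar", "2.14.1", False),
                                 ("log4j-api-2.17.1.jar", "2.17.1", False)):
        with zipfile.ZipFile(lib / name, "w") as z:
            z.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {ver}\n")
            if with_jndi:
                z.writestr(JNDI_CLASS, b"")
    return str(lib.parent.parent)
```

Point audit() at the real install root (for example the ColdFusion2021 folder) to see every log4j 2.x jar, including copies under add-on services or the API Manager, rather than only cfusion/lib.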

Participant, Dec 20, 2021


I am on 2021.

I saw in my updates that I had Update 2 and Update 3 available.  I assumed I needed to install 2, then 3.  The installation of 2 went smoothly; however, I no longer see update 3 in the Available Versions list.  I clicked Check for Updates (several times).

Will version 3 show up at some point?

Thank you

Adobe Employee, Dec 20, 2021


Hi @bloodbanker 


CF updates are cumulative and you can skip update 2. You can install update 3 directly. 

 

Note:

1. Take a backup of the entire CF install before you apply the update.
2. You may encounter the QoQ error after you apply update 3. Here you can download the QoQ patch, copy this jar into the \ColdFusion2021\cfusion\lib\updates folder and restart CF.

Patch link - Click here


Thanks,
Priyank Shrivastava

Participant, Dec 20, 2021


Thank you @Priyank Shrivastava.

 

I have already installed Version 2 as stated above.  Now Version 3 is no longer listed, even after clicking Check for Updates.

Participant, Dec 24, 2021


Ravi with Adobe called me yesterday and walked me through a manual update.  We first removed Update 2, then he sent me a link for Update 3.  Seems it's not available for download anymore.

Anyhow, my site is patched.

Adobe Community Professional, Dec 24, 2021


Bloodbanker, while it's great that your problem is now solved, you conclude that update 3 seems "not available for download anymore". Update 3 is absolutely available for download. Let me offer some info to help you (or anyone else who may ever experience this).

 

It sure seems that whatever you're seeing (now and in your previous comments) must be an environment issue for you. (And to be clear, the update was available as soon as I saw your comment, right after you offered it here about an hour ago. It took me time to gather up the info below, but I offer it to help anyone else who may ever see what you do.)

 

1) First, can you clarify what you mean when you say it's unavailable for download? Do you mean via some URL you're using? Or in the CF Admin? As for the latter, do you mean you've gone to the "Package Manager" button on the left, and its primary "Packages" page, and its "Available Versions" drop-down at the bottom of the "core server" info? You don't see it listing "ColdFusion 2021 Update 3"? And you do have internet access on the machine running CF?

 

2) If that's where you "don't see it available", can you go to the "Settings" tab (at the top of that "Package Manager"), and tell us what you have for the "site url" value of its "Update site" setting? By default it should be:

https://www.adobe.com/go/coldfusion-updates

 

Note that if you or anyone had perhaps changed that to another value, maybe in the past for some other reason, that may be why you feel it's "not available for download". And note that there is a "Restore Default URL" button next to the field, which would reset it to the above value.

 

3) And FWIW, that URL redirects to:

https://cfdownload.adobe.com/pub/adobe/coldfusion/xml/updates.xml


And that offers a link to the actual update 3 jar:

https://cfdownload.adobe.com/pub/adobe/coldfusion/2021/updates/hotfix-003-329779.jar

 

If you may be able to go to a browser on the server (or do a commandline wget or curl), is THAT able to reach either of those URLs? 

 

4) And it's that last jar which the admin update UI executes when you apply an update, and until the technote for update 1, the process of manually implementing the JAR also offered a link to that jar, and told us to run the java -jar command against that.

 

Since update 2, the technotes (such as that for update 3) discuss how instead one can download a zip, which includes all 3 hotfix jars, and ALL the packages/modules which can be implemented by the update mechanism or cfpm (indeed all the different versions of those packages, so the zip is sizable and will get larger each release).

 

So anyway, with that background out of the way, can you confirm if you still somehow see that "update 3 is not available anymore"? And if you still feel that's so, can you elaborate on what you're seeing, compared to what I share above?


/Charlie (troubleshooter, carehart.org)

New Here, Dec 20, 2021


I am trying to follow the instruction on updating the API manager per the following link: 

 

https://helpx.adobe.com/coldfusion/kb/coldfusion-api-manager-updates.html

 

Unfortunately, the instructions are not very good. My specific concerns are:

 

Step 2- I can move the files and download the 2.16.0 files but then it lists the 2.3 files with a checksum which makes me wonder why those files are listed since they are not in the zip. 
 
Step 3 - Says "copy the jars from the links below…" but there are no links "below".
 
Step 5 - It makes no sense to "change" something to the same value it already is.

 

Overall, I suspect I just need a hotfix jar file that I can install in the API manager folder, similar to what was done for the API Performance Monitoring Toolset as described at https://helpx.adobe.com/coldfusion/kb/coldfusion-2018-performance-monitoring-toolset-update-4.html

 

Thanks

Adobe Community Professional, Dec 20, 2021


I hear your concerns but I don't think it's quite so confusing. Let me see if I can help:

  • The point in step 2 is that "the following jars" are those that DO exist in the api manager lib folder. You are told to move those (don't just rename them). The zip in the offered download has files to REPLACE each of those.
  • The checksum is that of the zip. Adobe offers it for those who like to make sure that any download they are told to get does have a matching checksum. This one does.
  • When step 3 says, "copy the jars from the links below", that is indeed clearly a mistake. It should have said "above". I hope Adobe may fix that. But once you understand the above two points, the mistake seems more obvious.
  • As for step 5, you are letting your eyes fool you. The values are NOT "the same":
    • -Dlog4j.configurationFile=file://{apim_home}/conf/log4j2.xml
    • -Dlog4j.configurationFile=file:///{apim_home}/conf/log4j2.xml
    • How do they differ? The second has 3 slashes. The implication seems to be that the original specification of this file path/protocol indicator was mistaken. As for the reference to 3 slashes in that log4j config property, I will point out that I see that the slashes are used with both Windows and Linux path references in this doc page from the Apache org on such file specifications. And that page is pointed to by association from a reference on the log4j docs on these manual config properties.

 

Hope that all makes sense now.  I'm just a fellow traveler trying to make sense of what we see in these resources. I have nothing to do with the docs or their creation.


/Charlie (troubleshooter, carehart.org)

New Here, Dec 20, 2021


Thanks Charlie! I actually had it all figured out except that single slash difference in step 5 kept throwing me off no matter how many times I looked at it which made me think I was not understanding the steps above.

New Here, Dec 21, 2021


We updated to 13 on 2018 yesterday. Everything is working except for Windows authentication: for applications that have been set up for Windows authentication, cgi.auth_user is not getting populated. Is there any explanation or fix for this?

This was working fine before update 13.

Adobe Community Professional, Dec 22, 2021


Can you clarify what CF update you were on BEFORE u13? And are you confirming you also did not change the JVM version that CF uses, nor anything else?


/Charlie (troubleshooter, carehart.org)

New Here, Dec 22, 2021


Charlie,

We were on u4 due to slowness of MURA. Updated to 8 and then 13. JVM version was not changed. Changed worker.properties to include the secret.

New Here, Dec 22, 2021


This is fixed. Tomcat authentication was mistakenly set to true; after it was changed to false, Windows authentication started working.

Adobe Community Professional, Dec 24, 2021


So to be clear, we'll assume you're confirming now that this Tomcat auth setting change was done by someone there in your org, not something you feel was done by the update? (Recall you had said the app "was working fine before update 13.")

 

Maybe what you mean is that this Tomcat change had been done BEFORE the CF update, and its restart of CF, such that that Tomcat change (you or someone there made) just had not taken effect UNTIL that CF restart.


/Charlie (troubleshooter, carehart.org)

New Here, Dec 29, 2021


The change was done by us after u8 was installed and the secret changes didn't seem to work. We forgot to change it back when it started working.

Adobe Community Professional, Jan 11, 2022


For folks following this post, note that as of Jan 11 (2022) Adobe has come out with a technote offering log4j 2.17.1 jars, addressing a vulnerability in the 2.16 jars that the log4j team had found (and for which Adobe had offered updated jars on Dec 21). 

 

To be clear, these 2.17.1 jars are meant to be added to a CF2021 or 2018 implementation where the update for those (released on Dec 17) had been applied.

 

Here's the technote with the info on updating to the 2.17.1 jars:

https://helpx.adobe.com/coldfusion/kb/log4j-2-17-0-vulnerability-coldfusion.html 


/Charlie (troubleshooter, carehart.org)

Explorer, Apr 04, 2022


Has anything been done to address the Log4j issue with Add-on Services? May the Log4j 2.17.1 updates be used for Add-on Services? If so, what would the process be to swap the files?

Adobe Community Professional, Apr 04, 2022

Nothing yet that I've heard of. My presumption is that we're awaiting update 14 for cf2018 and update 4 for cf2021. I've not heard of any workaround, other than that if you're not using the CF add-on services feature, to just uninstall it. 


/Charlie (troubleshooter, carehart.org)
