zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228)

I have also noticed that there is a 1.2.17 log4j instance in the jetty folder (ColdFusion20XX\cfusion\jetty\lib\ext). Has anyone done anything to mitigate this?

We downloaded the new 2.15 jar from Apache and we can put it in place and remove the 2.13 version, but where do we tell Cf to get the new file?

We are now getting an error...

Subscribing to this thread...

I find it fairly surprising Adobe hasn't yet come forward with any info at all on how/if this affects CF 2018 and 2021 installs.

Or even just short term info like if it's a good idea to deploy "patches" like the "-Dlog4j2.formatMsgNoLookups=true" argument or possibly even just straight up swap out the component with the Apache supplied version yourself.

We went ahead and patched "manually" our CF servers with log4j 2.15.0 on Friday morning by just replacing the 2.13.3 libraries in the cfusion lib directory.
Just to clarify the extent of the vulnerability, it is in all log4j version since 2.0. So, an easy way to verify if you are affected is to check if you have log4j-core 2.x jar file in your classpath.
We have seen through our monitoring some attempts to exploit this bug and our counter measures were effective, but I am glad we patched it anyway.

I am shocked there is not already a patch available from Adobe. This is really something they should have released already...

Hello Experts,

can anybody tell, if ColdFusion uses log4j to write the regular CF-Logs (application.log, exception.log etc.)?

If it is the case, so there would be a simple attack possible: calling http://my.server.com/my_%24{java%3Aversion}_test.cfm would return 404, but log the path into exception.log

(at the moment it seems not to happen, but just to be sure...)

Peter

I don't see anyone yet pointing to Pete Freitag's blog post on the topic, where he is gathering info on this topic, and updating it as he learns things:

https://www.petefreitag.com/item/923.cfm

I highly recommend it, along with this discussion thread you're now reading. Between the two, we should see clarity on all this as the smoke clears.

As many know, Pete is regarded by most as THE security maven in the CF space. While he doesn't work FOR Adobe, he does work WITH them, having written the CF Lockdown Guides for the past several CF releases. 

Pete also offers an excellent service that I also highly recommend, called HackmyCF (https://hackmycf.com), whose name may scare you but whose features should delight you, as it (a paid service) keeps you apprised regularly of the state of your own CF instance and need of security-related configuration improvements.

Beyond that regular checking, Pete had also informed those with the service about this vuln the day it happened, within hours of it first being mentioned (and after he had had some time to gather his initial thoughts on this fast-moving target). For many, that alone is reason enough to buy the service.

In fact, the first comment I made here above, where I quoted Mark Takata, was indeed from the info that Pete had shared in one of his first messages to members. Since he was quoting Mark, I assumed that was something he'd found posted elsewhere. I was torn about posting that without more specific clarification on where I got it, but I had only minutes before a series of consulting sessions that day so offered it as the first response here, trusting that more would be shared in time (as it was).

I did mean to come back and add the clarification that I'd gotten it from Pete's service, and I did want to elaborate a bit on it as I have now. Again, since no one had mentioned it or his blog post (which came later that day), I wanted to get this here for the sake of the community and in thanks and with much appreciation for all Pete does.

Here's a really helpful resource from Cloudflare on what they have found regarding this vuln. They actually posted a few entries yesterday. This one talks more about the details of how it might lead to trouble, and how one could try to detect the problem (and how bad guys are doing that).

They also share how they are now blocking it for folks, via their WAF, which they also say they are enabling for free account holders. I'll leave you read more about it, and the other resources they have and that they point to (from others).

It's a good place to start, for folks wondering about more than just "there's a zero day!" And as I shared in another comment here, we have Adobe and Pete and others (including myself, I hope) who are doing more digging into the specifics for CF.

https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/

Thanks all for the valuable information, much appreciated and I will continue to monitor here for any further updates. 

Here's news shared initially from Mark Takata at Adobe:

"As reported this morning, Log4J is vulnerable to a zero-day RCE exploit. Details here:

https://www.lunasec.io/docs/blog/log4j-zero-day/

This is being classified as a severe vulnerability, as it can be exploited to allow unauthenticated remote code execution.

Details of the CVE here: https://www.randori.com/blog/cve-2021-44228/

The Adobe ColdFusion engineering & support teams are currently working with the security team to examine how this exploit affects a vanilla CF2021 and CF2018 install. Initial reports seem to indicate that installs of this nature do not utilize Log4J in a way as to be exploitable, but research is just beginning so please exercise a maximum of caution, especially if your installation utilizes Log4J in a way other than the default install.

An initial method of reducing/eliminating your vulnerability is to alter your jvm.config by adding the following line:

-Dlog4j2.formatMsgNoLookups=true

Once the config file is altered, you will need to do a restart of the environment to ensure it is taken up. I will share any further news about this situation as it comes in."

Update: I got this quote from Pete Freitag, by way of an email sent to those of us using his excellent HackMyCF service, which I discuss more in a later comment here. Note also that Pete had later that day done a blog post with more info on this vuln, and options to consider for addressing it (while we await any official/final word from Adobe).