Did anyone run into an issue with the CF Admin page after applying the fix?

I applied the fix and everything appears to be running ok, but when I try to launch the CF admin page I get this message. 

The web site you are accessing has experienced an unexpected error.
Please contact the website administrator.

-1 : Unable to display error's location in a CFML template.

coldfusion.server.ServiceFactory$ServiceNotAvailableException: The Monitoring service is not available.

	at coldfusion.server.ServiceFactory.getMonitoringService(ServiceFactory.java:227)

	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

	at java.base/java.lang.reflect.Method.invoke(Method.java:566)

	at coldfusion.runtime.java.JavaProxy.invoke(JavaProxy.java:101)

	at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3627)

	at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3604)

	at cfApplication2ecfm1524830424._factor3(/CFIDE/administrator/Application.cfm:114)

	at cfApplication2ecfm1524830424._factor11(/CFIDE/administrator/Application.cfm:4)

	at cfApplication2ecfm1524830424.runPage(/CFIDE/administrator/Application.cfm:1)

	at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:262)

	at coldfusion.tagext.lang.IncludeTag.handlePageInvoke(IncludeTag.java:735)

	at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:565)

	at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65)

	at coldfusion.filter.CfincludeFilter.include(CfincludeFilter.java:33)

	at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:471)

	at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:43)

	at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)

	at coldfusion.filter.PathFilter.invoke(PathFilter.java:162)

	at coldfusion.filter.IpFilter.invoke(IpFilter.java:45)

	at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:96)

	at coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:78)

	at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)

	at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)

	at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:60)

	at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)

	at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)

	at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62)

	at coldfusion.CfmServlet.service(CfmServlet.java:226)

	at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:311)

	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:228)

	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:163)

	at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:46)

	at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:47)

	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:190)

	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:163)

	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)

	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:190)

	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:163)

	at coldfusion.filter.ClickjackingProtectionFilter.doFilter(ClickjackingProtectionFilter.java:75)

	at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:47)

	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:190)

	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:163)

	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)

	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)

	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)

	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)

	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)

	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)

	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:373)

	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382)

	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)

	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:893)

	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1723)

	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)

	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)

	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)

	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

	at java.base/java.lang.Thread.run(Thread.java:834)

For Folks reading this as of  Wednesday 12 pm ET Dec 15 2021, As per the Adobe link https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html

Can you please be specific with instructions because it has definitely caused some confusion on the steps to perform. I will give example

1.  The link https://cfdownload.adobe.com/pub/adobe/coldfusion/logshell/2.9.0/log4j-core-2.9.0.jar earlier was downloading a file named log4j-core-2.9.0-logshell.jar (as of yesterday Dec 14 2021 ). I renamed it myself by removing -logshell from the file log4j-core-2.9.0.jar .Looks like Adobe has fixed that since then. I downloaded file today Dec 15 2021 and its named correctly log4j-core-2.9.0.jar . Can someone from Adobe post notes at top of the page https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html with last updated date time and also what typos/wrong file name have been fixed so people coming to your link know they are looking at latest information.
2.  Instruction for ColdFusion 2018. ColdFusion 2018 ships with log4j 2.13.3 and/or 2.9.0, and log4j 1.2. The former is impacted by this vulnerability, while the latter (that is, v1.2) is not impacted. So you are saying both log4j 2.13.3 and/or 2.9.0 are impacted but the file provided to download is log4j-core-2.9.0.jar. Question : Should we remove/update both of these  log4j 2.13.3 and/or 2.9.0 from ColdFusion 2018 or just log4j-core-2.9.0.jar? I found log4j-core-2.9.0.jar in ColdFusion2018\CF_Instance\hf-updates\hf-2018-00011-326016\backup\lib and thats the only one we replaced even though its part of hf-updates backup folder. So what is the deal with log4j 2.13.3 ? Are we supposed to leave it like that? Please clarify ASAP.

Hi All,

Thanks for sharing all the info here.

On CF2021 I did the manual change to 2.15 and jvm.config java-args add yesterday. All ok it seems. Anyone done the manual change to 2.16?

Or should one wait till Friday...?

Point of clarification.  In stepping through the mitigation process for CF2018, step 5 starts with "...If you find log4j-core-2.9.0.jar...".  If I do NOT find log4j-core-2.9.0.jar, do I need to perform any of the steps after 5?

Hi all,

we contacted Adobe Product Security and Incident Response and received this reply:

Adobe is investigating potential impact and taking action, including updating affected systems to the latest versions of Apache log4j 2 recommended by the Apache Software Foundation.

The investigation is ongoing but, to date, Adobe has discovered no indication to suggest customer data has been impacted as a result of this issue.

ColdFusion plans to release a patch (version(s) 2021 & 2018) for this log4j vulnerability to customers on 12/17/2021. 

In the meantime, we recommend ColdFusion customers apply the following workarounds/mitigations steps until this patch has been released:

Workaround/Mitigation steps:

CF2021:

CF 2021 ships with log4j 2.13.3 and 1.2 versions. The former is impacted by this vulnerability while the latter is not. 

Steps:

1. Stop the server
2. Navigate to <cf_root>\<Instance_name>\bin directory
3. Open jvm.config file and add -Dlog4j2.formatMsgNoLookups=true argument in java.args section and save
4. If using any third-party libraries that use log4j2, and hence vulnerable, search for log4j-core in <cf_root> directory. If log4j2 version (<= 2.10 and >=2.0-beta9)  is found, remove the JndiLookup class from the classpath like below otherwise skip this step.

• If the operating systems is Windows , then unzip the log4j-core-2.x.jar file and remove the class from path : org/apache/logging/log4j/core/lookup/JndiLookup.class and zip the log4j-core-2.x.jar. X is the version number you found in the folder.
• If the operating systems is non-windows, then remove the JndiLookup class from the classpath : "zip -q -d log4j-core-2.x.jar org/apache/logging/log4j/core/lookup/JndiLookup.class". X is the version number you found in the folder.

5. Start the Instance

6. Repeat this for all the instances.

CF2018:

CF 2018 ships with log4j 2.13.3 and/or 2.9.0, and log4j 1.2. The former is impacted by this vulnerability while the latter (i.e., v1.2) is not impacted. 

Steps:

1. Stop the server
2. Navigate to <cf_root>\<Instance_name>\bin directory
3. Open jvm.config file and add -Dlog4j2.formatMsgNoLookups=true argument in java.args section and save.
4. Navigate to <cf_root >>\<Instance_name>\lib directory. 
5. If you find log4j-core-2.9.0.jar, move the file to a temporary location
6. Copy the patched log4j-core-2.9.0.jar file with JNDILookUp class removed from here
7. If using any third-party libraries that use log4j2, and hence vulnerable, search for log4j-core in <cf_root> directory. If log4j2 version (<= 2.10 and >=2.0-beta9) is found, remove the JndiLookup class from the classpath like below otherwise skip this step

• If the operating systems is Windows , then unzip the log4j-core-2.x.jar file and remove the class from path : org/apache/logging/log4j/core/lookup/JndiLookup.class and zip the log4j-core-2.x.jar. X is the version number you found in the folder.
• If the operating systems is non-windows, then remove the JndiLookup class from the classpath : "zip -q -d log4j-core-2.x.jar org/apache/logging/log4j/core/lookup/JndiLookup.class ". X is the version number you found in the folder.

8. Start the Instance

9. You can now delete log4j-core-2.9.0.jar from the temporary location

10. Repeat this for all the instances.

PMT 2021:

PMT 2021 ships with log4j 2.11.1 and log4j 2.3. Both versions are impacted. 

Steps:

1. Stop the PMT and datastore services
2. Navigate to <PMT_Home>\datastore\config directory
3. Open jvm.options file, add -Dlog4j2.formatMsgNoLookups=true argument in #log4j2 section and save.
4. Navigate to <PMT_Home>\lib directory. 
5. Move the file log4j-core-2.3.jar to a temporary location
6. Copy the patched log4j-core-2.3.jar file with JNDILookUp class removed from here
7. Start the datastore and PMT services
8. You can now delete log4j-core-2.3.jar from the temporary location

PMT 2018:

PMT 2018 ships with log4j 2.9.1 and log4j 2.3. Both versions are impacted. 

Steps:

1. Stop the PMT and datastore services
2. Navigate to <PMT_Home>\datastore\lib directory
3. Move the file log4j-core-2.9.1.jar to a temporary location
4. Copy the patched log4j-core-2.9.1.jar file with JNDILookUp class removed from here
5. Navigate to <PMT_Home>\lib directory 
6. Move the file log4j-core-2.3.jar to a temporary location
7. Copy the patched log4j-core-2.3.jar file with JNDILookUp class removed from here
8. Start the datastore and PMT services
9. You can now delete log4j-core-2.3.jar and log4j-core-2.9.1 from the temporary location

 APIM 2021 and APIM 2018:

APIM 2021 and 2018 ship with log4j 2.3. This version is impacted.

Steps:

1. Stop the APIM server (<APIM_Home>\bin) and Analytics (<APIM_Home>database\analytics\bin) service.
2. Navigate to <APIM_Home>\lib directory. 
3. Move the file log4j-core-2.3.jar to a temporary location
4. Copy the patched log4j-core-2.3.jar file with JNDILookUp class removed from here
5. Start the Analytics service and the APIM server.
6. You can now delete log4j-core-2.3.jar from the temporary location

Note – For more information, we recommend users to refer to the below post made by Pete Freitag on the log4j issue:

https://www.petefreitag.com/item/923.cfm

Has anybody been able to reproduce a POC of this issue on Coldfusion?

Version 2.16 of log4j has been released:

https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.16.0/log4j-api-2.16.0.jar

https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.16.0/log4j-core-2.16.0.jar

https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-to-slf4j/2.16.0/log4j-to-slf4j-2.16.0.jar

Changes: https://logging.apache.org/log4j/2.x/changes-report.html#a2.16.0

@Ripley Casdorph When it comes to "4. Update the log4j.properities files changing m% to %m{nolookups} in the same lib folder" please elaborate...

In my log4j.properities I see a number of ConversionPattern values like...

%d{MM/dd HH:mm:ss} [%t] %-5p %m%n
This should be updated to read...

%d{MM/dd HH:mm:ss} [%t] %-5p %m{nolookups}%n

Correct?

There is also a log4j-1.2.15.jar in the instance/lib directory that was not deleted once the log4j files went to 2.x in later releases.  I have contacted Adobe asking if upgrading to 2.15.0 we are safe and are not voiding our warranty on the software.  I was told that Adobe security is still analysing the impact and they will make official announcement.