Does anyone know if the zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228) that was announced on 12/9/2021 will affect ColdFusion version 10 and 2018?
Hi Everyone,
We had originally published (on Dec 14) some workaround/mitigation steps in this article until the patch would be released. Since then, there have been updates and still further updates.
Dec 14: Technote with initial mitigations offered:
https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html
Update Dec 17: Updates for CF2021 and 2018 were released, addressing this log4j vulnerability. The technote mentioned above was a preliminary response, offered on Dec 14.
...
Or should one wait till Friday...?
By @aarnir71156744
No. The description, zero-day, signals to you how much time you have to fix the problem: 0 days.
For folks reading this as of Wednesday 12 pm ET Dec 15 2021, as per the Adobe link https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html
Can you please be specific with the instructions, because it has definitely caused some confusion on the steps to perform. I will give an example
The 2.16 version will work also
Did anyone run into an issue with the CF Admin page after applying the fix?
I applied the fix and everything appears to be running ok, but when I try to launch the CF admin page I get this message.
The web site you are accessing has experienced an unexpected error.
Please contact the website administrator.
The following information is meant for the website developer for debugging purposes.
Error Occurred While Processing Request
When I added the wrong jar I was getting a 500 error, but it was for the admin and the site. Did you have the correct jars? Many are named very similarly.
Hello,
We applied the mitigation until the patch is released. In doing so, it broke our SSO integration.
What we did:
-Dlog4j2.formatMsgNoLookups=true in jvm.config
The error we get when the SAML request is initialized:
"The system has attempted to use a undefined value, which usually indicates a programming error...."
Removing the mitigation makes it work.
Just a follow-up question on this. When the SSO broke, it wasn't around the time that the AWS outage was occurring? Because ours broke with strange error messages around then, and the underlying cause was that our MFA provider went down with the outage.
Hello,
We applied the mitigation until the patch is released. In doing so, it broke our SSO integration.
What we did:
-Dlog4j2.formatMsgNoLookups=true in jvm.config
The error we get when the SAML request is initialized:
"The system has attempted to use a undefined value, which usually indicates a programming error...."
Removing the mitigation makes it work.
By @Pete220652393l9r
Either
(1) you made an error when changing the JVM settings;
or
(2) that was just coincidence, and the error is referring to something else.
In any case, you may ignore the JVM flag, and solve the problem by replacing the Log4J jars. The latter method has been discussed exhaustively in this thread.
Can someone at Adobe please reach out and tell us what the 2.x versions of log4j are used for? I have contacted every support group I can and am getting nothing. We are a week out, and I feel like Adobe has just abandoned this thread since they put out the remediation steps.
Most of the jar files I can find in the ColdFusion application files are referencing log4j 1.x. Some information about how ColdFusion might be affected would be seriously beneficial to admins. I even think the verbiage changed on the https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html page and no longer includes the "Adobe has discovered no indication to suggest custom data has been impacted as a result of this issue".
Which if it has, is very concerning, and we need to get clear information as to the extent that we were vulnerable.
Yes this.
We need to know if there was a window of reasonable vulnerability at any point.
This is essential also from a compliancy angle!
It's been a week and I still can't tell anyone more than that we've remediated the issue in our expensively licensed webserver.
There's no patch. And there's no info on the extent to which ColdFusion was vulnerable to begin with.
Guys over at LUCEE had this cleared up the day it was discovered, just saying.
@neochad I don't think the sentence about Adobe not having found an exploitable problem was ever actually on that support page. It's a service desk reply someone got that should be somewhere in the comments here.
Not that that's in any way relevant to the point at hand, but just saying.
You could very well be right, I may have transposed that in the flurry of responses that have been floating around.
FYI in regards to version 2.15, I just received this notice from our datacenter provider:
"... an additional vulnerability has been identified in the previously released fix for CVE-2021-44228. This new vulnerability impacts Apache Log4j 2.15.0 and has been identified as CVE-2021-45046. If exploited, this vulnerability could result in a denial of service (DOS) attack. This vulnerability has been addressed in Log4j version 2.16.0."
FYI in regards to version 2.15, I just received this notice from our datacenter provider:
"... an additional vulnerability has been identified in the previously released fix for CVE-2021-44228. This new vulnerability impacts Apache Log4j 2.15.0 and has been identified as CVE-2021-45046. If exploited, this vulnerability could result in a denial of service (DOS) attack. This vulnerability has been addressed in Log4j version 2.16.0."
By @paule12345
Which doesn't surprise me. I think it's best to implement solutions as soon as they come along. So, you should move from 2.15 to 2.16 right away. After all, you have 0 days to act. 🙂
From my infosec team the new CVE on 2.15.0 is not as bad as the one it fixed and is not a 0 day.
https://nvd.nist.gov/vuln/detail/CVE-2021-45046
Its severity base score is 3.7, where https://nvd.nist.gov/vuln/detail/CVE-2021-44228 was scored as a 10 on 10.
Disclaimer, everyone is different and all depends on your configuration, setup, and usage of coldfusion.
Hi All,
We have released a security update; please update your servers even if you have followed the mitigation steps. You need to reapply any private patch that you received from us (e.g. QoQ), as this is purely the security update.
https://helpx.adobe.com/coldfusion/kb/coldfusion-api-manager-updates.html
https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-update-3.html
https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-performance-monitoring-toolset-update-3.html
https://helpx.adobe.com/coldfusion/kb/coldfusion-2018-update-13.html
Please let us know in case of any query.
I don't see real information about what it is changing or how to confirm. The links on the 2018 page all seem to point to old FAQs and previous updates. Am I missing something? Blind faith that it is all good?
@Ripley Casdorph Usually we have the Security Bulletin available for the update. This time we have released an update and mentioned everything in our article.
This is an official Adobe ColdFusion update and you can trust us. We have checked everything to secure the server.
Hi Priyank
Thanks for releasing the patch. I can see that it added the log4j 2.16 libraries in cfusion/lib, but it left my patched log4j 2.15 libraries there too, so I will remove those so only the latest version remains.
Are there any plans to upgrade the log4j 1.2 libraries to log4j 2.x? A scan has identified these in cf-logging.jar. Our organizational IT security guidance is that we must migrate all log4j 1.2 to log4j 2.x or will need to shut down services because of previously logged CVE vulnerabilities in log4j 1.2 and because log 4j 1.2 is no longer actively maintained.
Thanks for your help
I was expecting this question, and thanks for asking. For the Log4j 1.2 libraries, we have received the tickets and we have made changes to the version which ships with the update, and I can assure you that it is not vulnerable. The scanner will flag it because of the version; however, we have mitigated the security issue in this library.
We will be upgrading the library in a future update. At this moment, that is the maximum information I can share with you.
Thanks Priyank, I appreciate the quick reply.
I could see the SocketServer.class was removed from cf-logging.jar which should mitigate the risk. I have some test scripts I can use to illustrate this to our security team.
I'll pass your response back to our security team. Hopefully coming from Adobe they will agree this is an acceptable action until a more complete migration from log4j 1.2 can be completed.
Correct me if I am wrong, but I thought log4j 1.x was vulnerable when using the JMSAppender. I didn't see that class pre or post Update 13, but I did see the SocketServer.class removed in the Update 13 version.
Was SocketServer.class another potential for Log4Shell or was that just being cautious?
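An added example (not code from this thread, Adobe or Apache) of the inventory check the last few posts describe: it lists every jar under a lib directory that carries log4j 1.2 or 2.x classes, reads the manifest version so a leftover 2.15 jar next to the 2.16 one stands out, and reports whether the 1.2 SocketServer/JMSAppender classes are still present. The demo jars are constructed in memory; the file names, the "Core.class" entry and the 2.16.0 threshold are assumptions taken from this thread, not from an Adobe artifact.

```python
import io
import zipfile
from pathlib import Path

LOG4J1_PKG = "org/apache/log4j/"          # log4j 1.2 class package
LOG4J2_PKG = "org/apache/logging/log4j/"  # log4j 2.x class package
# 1.2 classes this thread discusses (SocketServer was dropped from cf-logging.jar in Update 13)
FLAGGED_1X = {"org/apache/log4j/net/SocketServer.class", "org/apache/log4j/net/JMSAppender.class"}
MIN_2X = (2, 16, 0)  # first 2.x release the thread treats as acceptable

def manifest_version(manifest):  # Implementation-Version from MANIFEST.MF text, as an int tuple
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return tuple(int(p) for p in line.split(":", 1)[1].strip().split(".") if p.isdigit())
    return None

def inspect_jar(jar):  # jar: a path or an open binary file object
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in names else ""
    has1, has2 = (any(n.startswith(pkg) for n in names) for pkg in (LOG4J1_PKG, LOG4J2_PKG))
    if not (has1 or has2):
        return None  # not a log4j-bearing jar
    version = manifest_version(manifest)
    issues = sorted(n.rsplit("/", 1)[1] for n in FLAGGED_1X & names)  # flagged 1.2 classes present
    if has2 and (version is None or version < MIN_2X):
        issues.append("log4j 2.x below 2.16.0 (or version unknown)")
    return {"version": version, "log4j1": has1, "log4j2": has2, "issues": issues}

def audit(jars):  # jars: iterable of (name, path-or-file); keeps only log4j-bearing jars
    return {name: f for name, f in ((n, inspect_jar(j)) for n, j in jars) if f}

def audit_lib_dir(lib_dir):  # e.g. audit_lib_dir("cfusion/lib")
    return audit((p.name, p) for p in sorted(Path(lib_dir).rglob("*.jar")))

def fake_jar(version, entries):  # constructed in-memory stand-in jar for the demo
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n" + (f"Implementation-Version: {version}\n" if version else ""))
        for name in entries:
            zf.writestr(name, b"")  # empty placeholder; only the entry name matters here
    return io.BytesIO(buf.getvalue())

def demo_audit():
    """Constructed lib look-alike: a leftover 2.15 jar beside 2.16, a cf-logging-style jar with 1.2 classes."""
    return audit([
        ("log4j-core-2.15.0.jar", fake_jar("2.15.0", [LOG4J2_PKG + "core/Core.class"])),
        ("log4j-core-2.16.0.jar", fake_jar("2.16.0", [LOG4J2_PKG + "core/Core.class"])),
        ("cf-logging.jar", fake_jar(None, [LOG4J1_PKG + "Logger.class", *FLAGGED_1X])),
    ])
```

Jars that embed log4j under another name (cf-logging.jar in this thread) are caught by package prefix rather than file name, which is why a name-based scan misses them.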
@neochad Unfortunately, I cannot share many details here. You can check the CVE listed in our article and find the details there.
A picture of the log4j vulnerability:
The patch notes indicate that this is a cumulative patch: "The updates below are cumulative and contain all updates from previous ones." Is there a discrete patch available to address just the specific vulnerability? If someone has an issue with a particular update it seems there is no opportunity to avoid the prior update when applying update 13.
Currently, we don't have that mechanism; you have to apply the other updates, and that cannot be skipped. However, we are discussing making it separate so users can apply the security update without installing the bug fixes.