zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228)

I'm still using CF10, which based on this thread seems like it's probably not affected by this exploit. But, if I do add the "-Dlog4j2.formatMsgNoLookups=true" to my java args, will it be a problem?

By @Whatfore

I think it won't be a problem. However, I would suggest that you don't add it. 

 It is bad practice to initialize variables that are never used anywhere in your application. The same applies here. After all, -Dlog4j2.formatMsgNoLookups=true is just Java initialization code.

looks like Update 3 removed hotfixes that might have been applied such as hf202100-4212383.jar. Re-installing fixed.

It appears something else changed besides log4j in the hotfix v3 for 2021

QoQ started returning: java.lang.UnsupportedOperationException: getColumnType() at coldfusion.sql.QueryTableMetaData.getColumnType(QueryTableMetaData.java:783) at coldfusion.sql.QueryTableMetaData.getColumnType(QueryTableMetaData.java:773)

 

Query is basic:

<cfquery name="retVal.currSum" dbtype="query">
SELECT rs_name,
SUM(last_count) AS last_count,
SUM(proj_amount) AS PROJ_AMOUNT
FROM retVal.Curr
GROUP BY rs_name
</cfquery>

 

Adding cast() didn't help either

<cfquery name="retVal.currSum" dbtype="query">
   SELECT rs_name,
   SUM(CAST(last_count AS INTEGER)) AS last_count,
   SUM(CAST(proj_amount AS DOUBLE)) AS PROJ_AMOUNT
   FROM retVal.Curr
   GROUP BY rs_name
</cfquery>

 

By @rgjason2

If so, please create a bug ticket.

my developer faced a siialr issue - probably the group by doing it 

The solution is to to add the jar that was offered for update 2 (and 12, for cf2021).

See:

https://tracker.adobe.com/#/view/CF-4212383

As the Adobe info (in some pages) on the update says, they did not incorporate ANY current fixes to ANY bugs in update 2 (or 12). They ONLY updated the log4j libraries. 

Hmm,

A quick manual try on a local vbox to 2.17 gives a bunch errors after cf restart.

Going back to 2.16 after that, same. Err...

 

 

A quick manual try on a local vbox to 2.17 gives a bunch errors after cf restart.

 

By @aarnir71156744

Could you please share the error messages you got.

Sorry, my mistake.I accidently removed log4j.jar too. Now changed to 2.17 and running ok. CF2021 in a Vbox Ubuntu 20.04 LTS test machine with:

log4j-api-2.17.0.jar
log4j-core-2.17.0.jar
log4j-to-slf4j-2.17.0.jar

No errors or warnings.

Did not do this on the production machine yet though.

@Priyank Shrivastava.  What is happening with extra DoS vulnerability in log4j 2.16? THis has now been updated to 2.17.

 

By @w49369461

Yes, indeed. Even the new log4j 2.16 has been found to be vulnerable. It could enable an attacker to generate infinite recursive lookups, leading to a denial of service.

https://logging.apache.org/log4j/2.x/

Let's wait for Adobe's solution. In the meantime, I think the JVM flag, 

-Dlog4j2.formatMsgNoLookups=true

 remains an effective preventive measure even against this new vulnerability. Unless, of course, your application requires lookups. 

Hi All,

We are looking into this and I will update the thread with more details. 

Hi Priyank.

After we apply CF 2018 hotfix 13, we still see log4j-1.2.15.jar in the <cfinstance>/lib directory.  When we try to remove it, we get 500 errors.  Will this file be patched or removed?  I am being told this is still a vulnerabilty.

Thank you,
Jeff

Hi Jeff,

In one of the comments, I clarified that log4j-1.2.15.jar is not vulnerable anymore. We have patched it and it is safe to use. 

I understand that it will flag by your scanner, however, with update 3 it is secure. 

Also, CF is not impacted by the recent CVE that was fixed in 2.17, however, you can still update the CORE jar to 2.17. 

[deleted]

 

Also, CF is not impacted by the recent CVE that was fixed in 2.17, ...

By @Priyank Shrivastava.

Hi Priyank,

I beg to disagree. If Log4j v2.16 is susceptible to a denial-of-service vulnerability and ColdFusion is equipped with Log4j v2.16, then ColdFusion will likewise be susceptible. 

Hi @BKBK 

I was also not convinced however, we did analyze it and I am sharing the details based on the team's comment. 

Also, we are asking users to upgrade the CORE library to 2.17. We will share more details in our article. 

I have updated manually to 2.17 both Core and API and there appears to be no issues.

Same with production machine now and seems to run just fine. CF2021 Standard, Ubuntu 20.04 Server LTS with:

log4j-api-2.17.0.jar
log4j-core-2.17.0.jar
log4j-to-slf4j-2.17.0.jar

Hi All,

We have released an article with updated jar 2.17 which you can replace in your server. Here I am sharing the article, please follow it and let me know in case of any issue.

https://helpx.adobe.com/coldfusion/kb/log4j-2-16-vulnerability-coldfusion.html

It is wonderful that you guys are following and updating these vulnerabilities as they come up.  Kudos for that!  Thank you.  However, it seems the only place these are being socialized is within the comments of this blog post.  These should also be posted to Adobe's Product Security Incident Response Team page I would think.  I see no mention of any of this there.  https://helpx.adobe.com/security.html#coldfusion

I do see that the larger updates (2021 update 3 and 2018 update 13) are posted to the usual ColdFusion updates page. So that's good.  But now you have another "patch" to be applied after the latest updates and I see no mention of that anywhere but here in the comments.

Please update the Adobe site as well with this information for people to find when they look for ColdFusion updates in the future.  The update process with ColdFusion is unnecessarily difficult because we have to look in so many different places to find out what to do.

It would also be nice if these security updates would be able to be released without being cumulative.

Updating to these hotfixes has required a number of emails to Adobe to get hotfixes for known issues that we cannot test against due to the urgency.