zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228)

Explorer, Dec 10, 2021


Does anyone know if the zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228) that was announced on 12/9/2021 will affect ColdFusion version 10 and 2018?

Views: 36.8K

Community guidelines: Be kind and respectful, give credit to the original source of content, and search for duplicates before posting.

1 Correct answer

Adobe Employee, Dec 14, 2021

Hi Everyone,


We had originally published (on Dec 14) some workaround/mitigation steps in this article until the patch would be released. Since then, there have been updates and still further updates.

 

Dec 14: Technote with initial mitigations offered:

https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html

 

Update Dec 17: Updates for CF2021 and 2018 were released, addressing this log4j vulnerability. The technote mentioned above was a preliminary response, offered on Dec 14.

...

188 Replies

Community Beginner, Dec 14, 2021


On CF2018 step 6, do you need to rename the downloaded jar to log4j-core-2.9.0.jar or leave it as log4j-core-2.9.0-logshell.jar?

New Here, Dec 14, 2021


I would appreciate clarity here as well just to be sure.

 

-Tim

Explorer, Dec 14, 2021


Point of clarification. In stepping through the mitigation process for CF2018, step 5 starts with "...If you find log4j-core-2.9.0.jar...". If I do NOT find log4j-core-2.9.0.jar, do I need to perform any of the steps after 5?

Adobe Employee, Dec 14, 2021


If you find log4j-core-2.9.0.jar, move the file to a temporary location. If not found, skip step 5.

We are making a correction to that.

Thanks,
Priyank Shrivastava

Explorer, Dec 14, 2021


Priyank,

Thanks for the update. I wanted to mention that, while step 5 of the mitigation instructions references the "log4j-core-2.9.0.jar" file, the included link actually downloads a file named "log4j-core-2.9.0.logshell.jar". Are those files the same?

Also, in step 5, "Copy the patched log4j-core-2.9.0.jar file with JNDILookUp class that you have removed. The new file can be downloaded from here.", what is meant by "...with JNDILookUp class that you have removed..."?

Thanks,

Scott

 

Adobe Employee, Dec 14, 2021


Hi Everyone,


We had originally published (on Dec 14) some workaround/mitigation steps in this article until the patch would be released. Since then, there have been updates and still further updates.

 

Dec 14: Technote with initial mitigations offered:

https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html

 

Update Dec 17: Updates for CF2021 and 2018 were released, addressing this log4j vulnerability. The technote mentioned above was a preliminary response, offered on Dec 14.

 

Update Dec 21: To address the vulnerabilities later found in log4j 2.16, those who have applied the most recent update can now implement the log4j 2.17 updates, as provided along with instructions here:

https://helpx.adobe.com/coldfusion/kb/log4j-2-16-vulnerability-coldfusion.html 

 

Update Jan 11 2022: To address the vulnerabilities later found in log4j 2.17, those who have applied the most recent update can now implement the log4j 2.17.1 updates, as provided along with instructions here:

https://helpx.adobe.com/coldfusion/kb/log4j-2-17-0-vulnerability-coldfusion.html 

 

Thanks,
Priyank Shrivastava

Community Beginner, Dec 14, 2021


I have to say I'm not impressed by Adobe taking four days to recommend a workaround the majority of aware CF admins have already applied since before the weekend.

Has customer data been at reasonable risk at all over the last four days, or is this still unclear?
Because if you're applying this fix just now while CF is vulnerable, you need to be doing more than merely setting that java argument...

Community Beginner, Dec 14, 2021


Could you comment on the use of the 2.15.0 version of log4j instead of the modified 2.9.0 jar or removing of the JNDI class? I know a lot of administrators, myself included, went that route while we were waiting for Adobe to release an official statement. Is an upgrade to 2.15.0 planned to be included in the patch scheduled for Friday?

Explorer, Dec 14, 2021


Priyank Shrivastava - 

Will the update released on Friday have the newest log4j release (released today):

https://www.zdnet.com/article/second-log4j-vulnerability-found-apache-log4j-2-16-0-released/

New Here, Dec 15, 2021


In my ColdFusion 2018 environment, I ran this and ran into an issue where my http://localhost:8501/CFIDE/administrator/index.cfm did not come up; it said "The Monitoring service is not available." (see attachment).

When I added the following 2.16.0 files, the admin page comes up and the monitoring service starts.

1. log4j-api-2.16.0.jar
2. log4j-core-2.16.0.jar
3. log4j-to-slf4j-2.16.0.jar

The Adobe fix only covers log4j-core-2.9.0.jar and doesn't cover log4j-to-slf4j and log4j-api; are they not needed?

 

Adobe Community Professional, Dec 16, 2021


quote

In my ColdFusion 2018 environment, I ran this and ran into an issue where my http://localhost:8501/CFIDE/administrator/index.cfm did not come up; it said "The Monitoring service is not available." (see attachment).

When I added the following 2.16.0 files, the admin page comes up and the monitoring service starts.

1. log4j-api-2.16.0.jar
2. log4j-core-2.16.0.jar
3. log4j-to-slf4j-2.16.0.jar

The Adobe fix only covers log4j-core-2.9.0.jar and doesn't cover log4j-to-slf4j and log4j-api; are they not needed?

By @kennethullico

 

It sounds like you have misunderstood. The procedure is as follows.

1) Stop ColdFusion.

2) Replace the 3 files


/lib/log4j-api-2.13.3.jar
/lib/log4j-core-2.13.3.jar
/lib/log4j-to-slf4j-2.13.3.jar

 

with the 3 files

 

/lib/log4j-api-2.16.0.jar
/lib/log4j-core-2.16.0.jar
/lib/log4j-to-slf4j-2.16.0.jar

 

3) If and where you find log4j-core-2.9.0.jar, replace it with the patched file of the same name that is available at https://helpx.adobe.com/coldfusion/kb//lib/log4j-vulnerability-coldfusion.html

 

4) Restart ColdFusion.

Community Beginner, Dec 16, 2021


The instructions are not clear on what to do if you have CF 2018 with log4j 2.13.3. Replace it with the downloadable one (log4j-core-2.9.0.jar)?

Adobe Community Professional, Dec 16, 2021


quote

The instructions are not clear on what to do if you have CF 2018 with log4j 2.13.3. Replace it with the downloadable one (log4j-core-2.9.0.jar)?


By @hammo7

No. 

The instructions are quite clear.

1. Search your ColdFusion installation for Log4J Jar files.

2. If you find

log4j-api-2.13.3.jar
log4j-core-2.13.3.jar
log4j-to-slf4j-2.13.3.jar

 

then stop ColdFusion and replace these Jar files with

 

log4j-api-2.15.0.jar
log4j-core-2.15.0.jar
log4j-to-slf4j-2.15.0.jar

 

which you can download from

https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.15.0/
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.15.0/
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-to-slf4j/2.15.0/

 

3. If you find log4j-core-2.9.0.jar then, assuming you have stopped ColdFusion, replace this Jar - at the same location - with the Jar file of the same name that Adobe provides in the following page: https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html 

 

4. Restart ColdFusion.
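The procedure above, and the earlier question of whether log4j-api and log4j-to-slf4j need replacing alongside log4j-core, are easier to apply when you start from an inventory of what is actually on disk. The script below is an added example, not Adobe's tooling and not code from anyone in this thread: it walks a directory tree, finds log4j-api / log4j-core / log4j-to-slf4j jars, checks whether a core jar still carries JndiLookup.class (the class Adobe's patched 2.9.0 jar has removed), flags any jar older than 2.17.1 (the version the thread ends on) for replacement, and reports directories where the three jars are at mixed versions. The sample tree it builds is constructed for the demonstration; the 2.17.1 threshold and the class path inside the jar are assumptions drawn from the thread and from the upstream log4j package layout, not from the Adobe technotes.

```python
"""Inventory log4j 2.x jars under a ColdFusion-style directory tree.
Added example; assumptions: 2.17.1 is the 'fixed' threshold, and the
JNDI lookup class lives at the standard upstream path inside log4j-core."""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass

# Class whose presence makes a log4j 2.x core jar exposed to JNDI lookups
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 17, 1)  # assumption: the version the thread settles on
JAR_RE = re.compile(
    r"^(?P<artifact>log4j-(?:api|core|to-slf4j))-"
    r"(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\S*\.jar$"
)


@dataclass
class Finding:
    path: str
    artifact: str          # log4j-api, log4j-core or log4j-to-slf4j
    version: tuple         # (major, minor, patch)
    has_jndi_lookup: object  # True/False for log4j-core, None if unknown/n.a.
    status: str            # "ok", "replace" or "mitigated"


def jar_contains(path, entry):
    """True/False if the jar can be read, None if it is not a valid zip."""
    try:
        with zipfile.ZipFile(path) as zf:
            return entry in zf.namelist()
    except zipfile.BadZipFile:
        return None


def classify(artifact, version, has_jndi_lookup):
    """At or above 2.17.1 is fine. A core jar with JndiLookup.class removed
    (Adobe's patched 2.9.0 jar) is a mitigation, not a fix. Anything else
    below 2.17.1, api and to-slf4j included, gets replaced as a set."""
    if version >= FIXED_VERSION:
        return "ok"
    if artifact == "log4j-core" and has_jndi_lookup is False:
        return "mitigated"
    return "replace"


def scan(root):
    """Walk root and classify every log4j jar found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            m = JAR_RE.match(name)
            if not m:
                continue
            path = os.path.join(dirpath, name)
            artifact = m.group("artifact")
            version = tuple(int(m.group(g)) for g in ("major", "minor", "patch"))
            has_jndi = jar_contains(path, JNDI_LOOKUP_CLASS) if artifact == "log4j-core" else None
            findings.append(Finding(path, artifact, version, has_jndi,
                                    classify(artifact, version, has_jndi)))
    return findings


def version_mismatches(findings):
    """Directories whose log4j jars are not all at one version; the thread
    replaces api/core/to-slf4j together, so a split set is a half-done update."""
    by_dir = {}
    for f in findings:
        by_dir.setdefault(os.path.dirname(f.path), set()).add(f.version)
    return {d: sorted(v) for d, v in by_dir.items() if len(v) > 1}


def summarize(root):
    """Relative paths grouped by status, plus directories with mixed versions."""
    findings = scan(root)
    rel = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
    return {
        "replace": sorted(rel(f.path) for f in findings if f.status == "replace"),
        "mitigated": sorted(rel(f.path) for f in findings if f.status == "mitigated"),
        "ok": sorted(rel(f.path) for f in findings if f.status == "ok"),
        "mismatched_dirs": sorted(rel(d) for d in version_mismatches(findings)),
    }


def write_jar(path, entries):
    """Constructed sample jar: a zip holding the given entry names with dummy bytes."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"\xca\xfe\xba\xbe")


def build_sample_install():
    """Constructed tree (not a real ColdFusion install): the 2.13.3 trio from the
    thread, a half-updated sibling directory, and a 2.9.0 core jar with the
    JNDI lookup class removed."""
    root = tempfile.mkdtemp(prefix="cf-log4j-")
    lib = os.path.join(root, "lib")
    write_jar(os.path.join(lib, "log4j-api-2.13.3.jar"), ["META-INF/MANIFEST.MF"])
    write_jar(os.path.join(lib, "log4j-core-2.13.3.jar"), ["META-INF/MANIFEST.MF", JNDI_LOOKUP_CLASS])
    write_jar(os.path.join(lib, "log4j-to-slf4j-2.13.3.jar"), ["META-INF/MANIFEST.MF"])
    half = os.path.join(root, "bundles", "lib")
    write_jar(os.path.join(half, "log4j-api-2.17.1.jar"), ["META-INF/MANIFEST.MF"])
    write_jar(os.path.join(half, "log4j-core-2.16.0.jar"), ["META-INF/MANIFEST.MF", JNDI_LOOKUP_CLASS])
    write_jar(os.path.join(root, "other", "lib", "log4j-core-2.9.0.jar"), ["META-INF/MANIFEST.MF"])
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_install()
    for f in scan(target):
        print(f"{f.status:9} {'.'.join(map(str, f.version)):7} {f.path}")
    for d, versions in version_mismatches(scan(target)).items():
        print("mixed versions in", d, versions)
```

Run it with the ColdFusion install root as the only argument (for example the directory that contains lib/) and it prints one line per jar; without an argument it scans the constructed sample tree. A "mitigated" result is the patched 2.9.0 jar, which the thread treats as a stop-gap until the proper update replaces it, and every "replace" line is a jar the procedure above says to swap out with ColdFusion stopped.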

 

Community Beginner, Dec 16, 2021


I can do that, but those steps do not appear in the instructions anywhere:

https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html 

So not 'quite' clear at all!

Engaged, Dec 16, 2021


Those specific instructions do not appear on that Adobe page because Adobe is not recommending to update the jar files - yet. They are working on a patch (supposedly coming out tomorrow) that will include any new jar files. As it states on that page:

"ColdFusion plans to release a patch (version(s) 2021, 2018) for this log4j vulnerability to customers on 12/17/2021.

In the meantime, we recommend that ColdFusion users apply the following workarounds/mitigations steps, until this patch is released."

So their steps are for the "workaround/mitigations steps", which are adding the jvm argument and removing jndilookupclass from the jar (the 2.9 jar file).

The recommendations of going ahead and updating the core log4j files are coming from the community at this point. Adobe should follow up with a proper patch very soon.

Hopefully that helps clear it up a bit.

 

Adobe Community Professional, Dec 27, 2021


Hi @Priyank Shrivastava. ,

Are you and the ColdFusion Team aware of the urgency of doing the following:

  •  Updating the JAR installer and all relevant documentation to implement log4j 2.17, instead of log4j 2.16. As recently as December 21, 2021, the installers and documentation for ColdFusion 2021 Update 3 and ColdFusion 2018 Update 13 are still saying,
    "After applying the update, all log 4j 2.x-related jars will be upgraded to version 2.16.0."
    As 2.16.0 has been found to be vulnerable, you are, in so doing, actually urging developers to upgrade to a vulnerable version. That's not okay. 
  •  Updating the  ColdFusion 2021 Update 3 and ColdFusion 2018 Update 13 documentation to include all possible after-effects of these updates on previously installed updates.
    For example, suppose you're on ColdFusion 2018 Update 12, and have the following hot-fix JARs in your /lib/updates/ folder:
    hf201800-4208163.jar
    hf201800-4212383.jar
    hf201800-4212487.jar 
    These JARs disappear automagically when you install ColdFusion 2018 Update 13, leaving you in limbo.
    In other words, at a time of crisis, where urgency is the order of the day, this update provides more questions than answers. 
    Are these JARs included in Update 13?
    Do you have to back up existing JARs beforehand, then copy them back into /lib/updates/ after installing Update 13? If so, which JARs do you have to back up?
    The documentation must anticipate and address any such questions.

Adobe Community Professional, Dec 29, 2021


quote

Hi @Priyank Shrivastava. ,

Are you and the ColdFusion Team aware of the urgency of doing the following:

  •  Updating the JAR installer and all relevant documentation to implement log4j 2.17, instead of log4j 2.16. As recently as December 21, 2021, the installers and documentation for ColdFusion 2021 Update 3 and ColdFusion 2018 Update 13 are still saying,
    "After applying the update, all log 4j 2.x-related jars will be upgraded to version 2.16.0."
    As 2.16.0 has been found to be vulnerable, you are, in so doing, actually urging developers to upgrade to a vulnerable version. That's not okay. 
  •  Updating the  ColdFusion 2021 Update 3 and ColdFusion 2018 Update 13 documentation to include all possible after-effects of these updates on previously installed updates.
    For example, suppose you're on ColdFusion 2018 Update 12, and have the following hot-fix JARs in your /lib/updates/ folder:
    hf201800-4208163.jar
    hf201800-4212383.jar
    hf201800-4212487.jar 
    These JARs disappear automagically when you install ColdFusion 2018 Update 13, leaving you in limbo.
    In other words, at a time of crisis, where urgency is the order of the day, this update provides more questions than answers. 
    Are these JARs included in Update 13?
    Do you have to back up existing JARs beforehand, then copy them back into /lib/updates/ after installing Update 13? If so, which JARs do you have to back up?
    The documentation must anticipate and address any such questions.

By @BKBK

Hi @Priyank Shrivastava. ,

Nevermind. I have received an answer from Adobe ColdFusion Support, which I should like to share.

It reads:

"You need to install all the hotfixes that you have on update 12 after installing update 13, i.e. you need to apply the below patches after applying update 13

hf201800-4208163.jar
hf201800-4212383.jar
hf201800-4212487.jar"

Explorer, Jan 04, 2022


@Priyank Shrivastava. , So now our security people have come back and said:

 

 "There have already been several vulnerabilities attached to log4j since the first came out.  1.x has not been supported since 2016, so they need to be looking to ditch it or upgrade it."

 

You are forcing us into Dot Net and out of ColdFusion! Fix this or tell us how, or soon there won't be a CF community that you can ignore. The 1.x version needs to go.

 

Community Beginner, Dec 15, 2021


Hi All,

 

Thanks for sharing all the info here.

 

On CF2021 I did the manual change to 2.15 and jvm.config java-args add yesterday. All ok it seems. Anyone done the manual change to 2.16?

 

Or should one wait till Friday...?

Explorer, Dec 15, 2021


I did the change to 2.16.0 last night without an issue. Don't know if it is more secure, but it is updated!

Community Beginner, Dec 15, 2021


Boldly changed to 2.16 here too just a minute ago. Server (CF2021 Standard) restarted and running ok.

Community Beginner, Dec 15, 2021


We made the 2.16 change with CF2018 Enterprise through IIS and things seem to be running ok. Internally, based on our security teams and the statement from them of "Previous mitigation methods are no longer a viable option" (this wasn't a direct comment about ColdFusion but about the issue as a whole), we felt that 2.16 was the best step forward.

Community Beginner, Dec 15, 2021


Glad to hear you're ok too.

 

And just fyi, did that on Ubuntu 20.04 LTS Server virtual machine on Ubuntu 20.04 LTS Minimal with QEMU/KVM, et al, host machine.

Participant, Dec 15, 2021


We updated to 2.16 last night on our CF2018 Enterprise and CF2021 Enterprise instances (IIS 10) and have been running all day without issues. Many thanks for the advice posted here!

 

Community Beginner, Dec 16, 2021


We did the same, no problems.
