Does anyone know if the zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228) that was announced on 12/9/2021 will affect ColdFusion version 10 and 2018?
Hi Everyone,
We had originally published (on Dec 14) some workaround/mitigation steps in this article until the patch would be released. Since then, there have been updates and still further updates.
Dec 14: Technote with initial mitigations offered:
https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html
Update Dec 17: Updates for CF2021 and 2018 were released, addressing this log4j vulnerability. The technote mentioned above was a preliminary response, offered on Dec 14.
...
On CF2018 step 6, do you need to rename the downloaded jar to log4j-core-2.9.0.jar or leave as log4j-core-2.9.0-logshell.jar?
I would appreciate clarity here as well just to be sure.
-Tim
Point of clarification. In stepping through the mitigation process for CF2018, step 5 starts with "...If you find log4j-core-2.9.0.jar...". If I do NOT find log4j-core-2.9.0.jar, do I need to perform any of the steps after 5?
If you find log4j-core-2.9.0.jar, move the file to a temporary location. If not found, skip step 5.
We are making a correction to that.
Priyank,
Thanks for the update. I wanted to mention that, although step 5 of the mitigation instructions references the "log4j-core-2.9.0.jar" file, the included link actually downloads a file named "log4j-core-2.9.0.logshell.jar". Are those files the same?
Also, in step 5, "Copy the patched log4j-core-2.9.0.jar file with JNDILookUp class that you have removed. The new file can be downloaded from here.", what is meant by "...with JNDILookUp class that you have removed..."?
Thanks,
Scott
Hi Everyone,
We had originally published (on Dec 14) some workaround/mitigation steps in this article until the patch would be released. Since then, there have been updates and still further updates.
Dec 14: Technote with initial mitigations offered:
https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html
Update Dec 17: Updates for CF2021 and 2018 were released, addressing this log4j vulnerability. The technote mentioned above was a preliminary response, offered on Dec 14.
Update Dec 21: To address the vulnerabilities later found in log4j 2.16, those who have applied the most recent update can now implement the log4j 2.17 updates, as provided along with instructions here:
https://helpx.adobe.com/coldfusion/kb/log4j-2-16-vulnerability-coldfusion.html
Update Jan 11 2022: To address the vulnerabilities later found in log4j 2.17, those who have applied the most recent update can now implement the log4j 2.17.1 updates, as provided along with instructions here:
https://helpx.adobe.com/coldfusion/kb/log4j-2-17-0-vulnerability-coldfusion.html
I have to say I'm not impressed by Adobe taking four days to recommend a workaround the majority of aware CF admins have already applied since before the weekend.
Has customer data been at reasonable risk at all over the last four days, or is this still unclear?
Because if you're applying this fix just now, while CF is vulnerable, you need to be doing more than merely setting that Java argument...
Could you comment on the use of the 2.15.0 version of log4j instead of the modified 2.9.0 jar or removing the JNDI class? I know a lot of administrators, myself included, went that route while we were waiting for Adobe to release an official statement. Is an upgrade to 2.15.0 planned to be included in the patch scheduled for Friday?
Will the update released on Friday have the newest log4j release (released today):
https://www.zdnet.com/article/second-log4j-vulnerability-found-apache-log4j-2-16-0-released/
In my ColdFusion 2018 environment, I ran this and ran into an issue where my http://localhost:8501/CFIDE/administrator/index.cfm did not come up; it said "The Monitoring service is not available" (see attachment).
When I added the following 2.16.0 files, the admin page comes up and the monitoring service starts.
The Adobe fix only covers log4j-core-2.9.0.jar and doesn't cover log4j-to-slf4j & log4j-api; are they not needed?
In my ColdFusion 2018 environment, I ran this and ran into an issue where my http://localhost:8501/CFIDE/administrator/index.cfm did not come up; it said "The Monitoring service is not available" (see attachment).
When I added the following 2.16.0 files, the admin page comes up and the monitoring service starts.
- log4j-api-2.16.0.jar
- log4j-core-2.16.0.jar
- log4j-to-slf4j-2.16.0.jar
The Adobe fix only covers log4j-core-2.9.0.jar and doesn't cover log4j-to-slf4j & log4j-api; are they not needed?
By @KennethMHutch
It sounds like you have misunderstood. The procedure is as follows.
1) Stop ColdFusion.
2) Replace the 3 files
/lib/log4j-api-2.13.3.jar
/lib/log4j-core-2.13.3.jar
/lib/log4j-to-slf4j-2.13.3.jar
with the 3 files
/lib/log4j-api-2.16.0.jar
/lib/log4j-core-2.16.0.jar
/lib/log4j-to-slf4j-2.16.0.jar
3) If and where you find log4j-core-2.9.0.jar, replace it with the patched file of the same name that is available at https://helpx.adobe.com/coldfusion/kb//lib/log4j-vulnerability-coldfusion.html
4) Restart ColdFusion.
The instructions are not clear on what to do if you have CF 2018 with log4j 2.13.3. Replace it with the downloadable one (log4j-core-2.9.0.jar)?
The instructions are not clear on what to do if you have CF 2018 with log4j 2.13.3. Replace it with the downloadable one (log4j-core-2.9.0.jar)?
By @hammo7
No.
The instructions are quite clear.
1. Search your ColdFusion installation for Log4J Jar files.
2. If you find
log4j-api-2.13.3.jar
log4j-core-2.13.3.jar
log4j-to-slf4j-2.13.3.jar
then stop ColdFusion and replace these Jar files with
log4j-api-2.15.0.jar
log4j-core-2.15.0.jar
log4j-to-slf4j-2.15.0.jar
which you can download from
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.15.0/
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.15.0/
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-to-slf4j/2.15.0/
3. If you find log4j-core-2.9.0.jar then, assuming you have stopped ColdFusion, replace this Jar - at the same location - with the Jar file of the same name that Adobe provides in the following page: https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html
4. Restart ColdFusion.
I can do that, but those steps do not appear in the instructions anywhere:
https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html
So not 'quite' clear at all!
Those specific instructions do not appear on that Adobe page because Adobe is not recommending updating the jar files - yet. They are working on a patch (supposedly coming out tomorrow) that will include any new jar files. As it states on that page:
"ColdFusion plans to release a patch (version(s) 2021, 2018) for this log4j vulnerability to customers on 12/17/2021.
In the meantime, we recommend that ColdFusion users apply the following workarounds/mitigations steps, until this patch is released."
So their steps are the "workaround/mitigations steps", which are adding the JVM argument and removing the JndiLookup class from the jar (the 2.9 jar file).
The recommendation to go ahead and update the core log4j files is coming from the community at this point. Adobe should follow up with a proper patch very soon.
Hopefully that helps clear it up a bit.
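One way to check an installation against the states this thread describes: an untouched 2.13.3 or 2.16.0 core jar, Adobe's patched 2.9.0 jar with the JndiLookup class removed, and a core jar upgraded without api/to-slf4j (the CF2018 "Monitoring service is not available" failure reported above). This is an added example, not Adobe's tooling or any poster's code; the 2.17.1 "fixed" threshold, the jar-name pattern and the sample directory tree are assumptions.

```python
import os
import re
import tempfile
import zipfile
# Added example (not Adobe's code and not from this thread): walk a ColdFusion-style
# tree, classify each log4j-core jar as fixed / mitigated (JndiLookup.class removed,
# Adobe's interim workaround) / vulnerable, and flag dirs whose api, core and to-slf4j
# jars were not upgraded together. make_sample_install() makes constructed dummy jars.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_RE = re.compile(r"^log4j-(api|core|to-slf4j)-(\d+(?:\.\d+)*)(?:[.-].*)?\.jar$")
FIXED = (2, 17, 1)  # where the thread's Jan 11 2022 update lands (assumed threshold)

def classify_core(path, version):
    if version >= FIXED:
        return "fixed"
    with zipfile.ZipFile(path) as jar:
        has_jndi = JNDI_CLASS in jar.namelist()
    # An old jar with the class deleted is "mitigated", not "fixed".
    return "vulnerable" if has_jndi else "mitigated-class-removed"

def scan(root):
    report = {}
    for dirpath, _, files in os.walk(root):
        seen = {}  # jar kind -> version tuple, per directory
        for name in files:
            m = JAR_RE.match(name)
            if m:
                seen[m.group(1)] = tuple(int(p) for p in m.group(2).split("."))
            if m and m.group(1) == "core":
                full = os.path.join(dirpath, name)
                report[os.path.relpath(full, root).replace(os.sep, "/")] = classify_core(full, seen["core"])
        # Upgrading core alone left a CF2018 admin in the thread with "Monitoring
        # service is not available": flag api/to-slf4j jars left on another version.
        if "core" in seen and len(set(seen.values())) > 1:
            report[os.path.relpath(dirpath, root).replace(os.sep, "/")] = "version-mismatch"
    return report

def make_sample_install():
    root = tempfile.mkdtemp()
    def jar(sub, name, with_jndi):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        with zipfile.ZipFile(os.path.join(root, sub, name), "w") as z:
            for entry in ["META-INF/MANIFEST.MF"] + ([JNDI_CLASS] if with_jndi else []):
                z.writestr(entry, b"placeholder")  # constructed, not real class bytes
    jar("lib", "log4j-core-2.16.0.jar", True)          # core upgraded by hand...
    jar("lib", "log4j-api-2.13.3.jar", False)          # ...api and to-slf4j left behind
    jar("lib", "log4j-to-slf4j-2.13.3.jar", False)
    jar("cfusion/lib", "log4j-core-2.9.0.jar", False)  # Adobe-style patched 2.9.0
    jar("cfusion/lib2", "log4j-core-2.17.1.jar", True)
    return root
```

Run `scan("/path/to/ColdFusion")` against a real install root; `scan(make_sample_install())` shows all four states on the constructed tree.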
Are you and the ColdFusion Team aware of the urgency of doing the following:
Are you and the ColdFusion Team aware of the urgency of doing the following:
- Updating the JAR installer and all relevant documentation to implement log4j 2.17, instead of log4j 2.16. As recently as December 21, 2021, the installers and documentation for ColdFusion 2021 Update 3 and ColdFusion 2018 Update 13 are still saying,
"After applying the update, all log 4j 2.x-related jars will be upgraded to version 2.16.0."
As 2.16.0 has been found to be vulnerable, you are, in so doing, actually urging developers to upgrade to a vulnerable version. That's not okay.
- Updating the ColdFusion 2021 Update 3 and ColdFusion 2018 Update 13 documentation to include all possible after-effects of these updates on previously installed updates.
For example, suppose you're on ColdFusion 2018 Update 12, and have the following hot-fix JARs in your /lib/updates/ folder:
hf201800-4208163.jar
hf201800-4212383.jar
hf201800-4212487.jar
These JARs disappear automagically when you install ColdFusion 2018 Update 13, leaving you in limbo.
In other words, at a time of crisis, where urgency is the order of the day, this update provides more questions than answers.
Are these JARs included in Update 13?
Do you have to back up existing JARs beforehand, then copy them back into /lib/updates/ after installing Update 13? If so, which JARs do you have to back up?
The documentation must anticipate and address any such questions.
By @BKBK
Nevermind. I have received an answer from Adobe ColdFusion Support, which I should like to share.
It reads:
"You need to install all the hotfixes that you have on update 12 after installing update 13, i.e. you need to apply the below patches after applying update 13
hf201800-4208163.jar
hf201800-4212383.jar
hf201800-4212487.jar"
@Priyank Shrivastava, so now our security people have come back and said:
"There have already been several vulnerabilities attached to log4j since the first came out. 1.x has not been supported since 2016, so they need to be looking to ditch it or upgrade it."
You are forcing us into .NET and out of ColdFusion! Fix this or tell us how, or soon there won't be a CF community that you can ignore. The 1.x version needs to go.
Hi All,
Thanks for sharing all the info here.
On CF2021 I did the manual change to 2.15 and the jvm.config java-args addition yesterday. All OK, it seems. Anyone done the manual change to 2.16?
Or should one wait till Friday...?
I did the change to 2.16.0 last night without an issue. Don't know if it is more secure, but it is updated!
Boldly changed to 2.16 here too just a minute ago. Server (CF2021 Standard) restarted and running ok.
We made the 2.16 change with CF2018 Enterprise through IIS and things seem to be running OK. Internally, based on our security team and their statement that "Previous mitigation methods are no longer a viable option" (this wasn't a direct comment about ColdFusion but about the issue as a whole), we felt that 2.16 was the best step forward.
Glad to hear you're OK too.
And just FYI, I did that on an Ubuntu 20.04 LTS Server virtual machine on an Ubuntu 20.04 LTS Minimal host machine with QEMU/KVM, et al.
We updated to 2.16 last night on our CF2018 Enterprise and CF2021 Enterprise instances (IIS 10) and have been running all day without issues. Many thanks to the advice posted here!
We did the same, no problems.