zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228)

Explorer, Dec 10, 2021

Does anyone know if the zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228) that was announced on 12/9/2021 will affect ColdFusion version 10 and 2018?

Views: 34.9K
Correct answer

Adobe Employee, Dec 14, 2021

Hi Everyone, We had originally published (on Dec 14) some workaround/mitigation steps in this article until the patch would be released. Since then, there have been updates and still further updates.

Dec 14: Technote with initial mitigations offered: https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html

Update Dec 17: Updates for CF2021 and 2018 were released, addressing this log4j vulnerability. The technote mentioned above was a preliminary response, offered on Dec 14....

188 Replies
Community Beginner, Dec 28, 2021
Regarding ColdFusion 2016...

Is there anything that can be done to update from Log4j v.1.x to v.2.1.7 or newer?

As of CVE-2021-4104, we are being forced to upgrade Log4j. (Upgrade to Apache Log4j version 2.16.0 or later since 1.x is end of life.)

I would really appreciate anyone's feedback regarding this. I understand that core support for ColdFusion 2016 has expired, but is there anything that can be done to manually update these files?

Explorer, Dec 29, 2021

And now there is a new version of Log4J, 2.17.1 ( https://logging.apache.org/log4j/2.x/security.html ), to deal with https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832 which is a moderate severity.
But as mentioned before, Log4J is under scrutiny and our infosec team is asking for a relatively quick response even for such a moderate risk.

Also, how do you get all the hot fixes patches for 2018 update 13?

Adobe Community Professional, Dec 30, 2021

quote
And now there is a new version of Log4J 2.17.1 https://logging.apache.org/log4j/2.x/security.html to deal with https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832 which is a moderate severity.

By @NicoTexas

I have created a bug ticket on this at Tracker ( https://tracker.adobe.com/#/view/CF-4212652 ). Unfortunately, in recent days, Tracker fails to show any ColdFusion bug ticket created.

quote
Also, how do you get all the hot fixes patches for 2018 update 13?

I would proceed as follows (in my test environment first, before moving on to production):

1. To prepare to install Update 13, make a backup copy of any hotfix JARs present in Update 12. If you have any, they will be in /lib/updates/. For example:

/lib/updates/hf201800-4208163.jar
/lib/updates/hf201800-4212383.jar

2. Install Update 13: https://helpx.adobe.com/coldfusion/kb/coldfusion-2018-update-13.html

3. Replace the following log4j JARs (where x is between 10.0 and 17.0)

/lib/log4j-api-2.x.jar
/lib/log4j-core-2.x.jar
/lib/log4j-to-slf4j-2.x.jar

respectively with

/lib/log4j-api-2.17.1.jar
/lib/log4j-core-2.17.1.jar
/lib/log4j-to-slf4j-2.17.1.jar

4. Copy any hotfix JARs you backed up back to /lib/updates/
5. Restart ColdFusion.

Adobe Community Professional, Jan 03, 2022

Following up on BKBK's suggestion of how to proceed with updates, as well as a tracker ticket he offered (on log4j 2.17.1), I have a couple of thoughts that I hope may help some readers, based on how I (as well as he) have been helping folks with these updates for a couple of weeks.

1) Curiously, BKBK, that tracker ticket is not there. Did you get notification from them as to why? I see someone else created one the next day, https://tracker.adobe.com/#/view/CF-4212654, so folks could at least watch that (and vote for that, as I just did).

2) Also, as for his instructions to back up and restore "any hotfix JARs present in Update 12", I do fear some readers might easily miss some subtle points.

a) First, when he refers to "any hotfix jars present" in that lib/updates folder, please note he means any jars whose names start with "hf". Those are special hotfix jars that Adobe sometimes offers to fix bugs in some given CF update. (I have a blog post with more on those, if interested.) My point here, though, is that you will ALSO see there a file whose name starts with "chf", and that is THE hotfix file for the update you're currently on. You do NOT want to "restore" that older CHF jar into your new update, only any HF jars.

b) Further, you really do want to do this only if you are on the previous CF update, update 12 in the case of CF2018. If you are on any PRIOR update of CF2018 before doing this latest update, and you find any hotfix jars there, you do NOT want to restore those. They are fixes to previous updates, which were resolved in later updates. More on that in a moment.

c) Third and finally, he is referring to "update 12" (of CF2018) here simply because he was responding to a question regarding CF2018. But all this applies as well to CF2021. Those who may be on update 2, who find any hf*.jar files in lib/updates, would want to restore those after doing update 3. (But if you are on update 1 or have no updates, then don't restore any hf*.jar files.)

3) For those whose heads may be spinning and who could use some additional context: the problem all this is referring to is that update 12 of CF2018 (as well as update 2 of CF2021) had some bugs, and Adobe offered some hotfix jar (hf*.jar) files to address those, which some people had added to their update 12 (or update 2 of CF2021) implementations. When you move to update 13 (or update 3 of CF2021)--or indeed when you move to any new CF update--the update mechanism intentionally removes any such hf*.jar files that had been in lib/updates. The update mechanism presumes that the new update incorporates any and all fixes to the prior updates.

But in the case of this latest emergency CF update released Dec 17, Adobe ONLY took the previous version (update 12 for CF2018, or update 2 of CF2021) and modified it to update the log4j 2 files (to 2.16) and also to update some log4j 1 jars. But they specifically did NOT incorporate ANY bug fixes to updates 12 or 2.

And this is why people who move from THOSE updates--who had applied hotfix jars to THOSE updates--need to re-implement those hotfix jars.

On the other hand, if you are MOVING to these latest versions of CF2018 or 2021 from some EARLIER version, now YOU are faced with the prospect of being hit by the bugs that were introduced in updates 12 and 2, respectively, and which remain in updates 13 and 3.

4) Yes, all this is messy. Yes, some will complain that they SHOULD have rolled in any and all current bug fixes. But that would take time to do, test, do integration testing, etc., and as this was an emergency update they opted for just modifying things based on the previous update.

Others (especially those on update 12 or 2, with such hotfixes) might have complained if they HAD done anything more than "just address the log4j issue".

And of course, still others will wish they had somehow provided for ONLY dealing with that for WHATEVER current update (of CF2018 or 2021) someone was on. Then folks who had NOT yet moved to update 12 or update 2 would not now be encountering issues. (And sadly, no, there is no current listing from Adobe of what hotfixes DO exist for updates 12/2 that should be considered for those moving to updates 13/3.)

This is the current state of things, and we now wait for Adobe to clarify proceeding with updating to the 2.17.1 (or later) jars.

We can certainly expect that some later update 14 or 4 WILL incorporate the needed bug fixes...unless some new emergency interrupts those plans.

(And of course, none of this discussion of 2.x log4j jars applies to CF2016 or earlier, as they don't include that by default. And Adobe has offered no guidance on updating the log4j 1.x jars they may contain.)

PS Actually, there is still one remaining issue. As I brought up back on Dec 27 here (as have others), even CF2021 and 2018 include log4j 1.x jars in the cfusion/jetty folder (if one added the CF "add-on service") that were NOT modified by the update to CF. Adobe has yet to respond to or address that, that I have seen.

/Charlie (troubleshooter, carehart.org)

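The update sequence BKBK lays out above, with Charlie's two caveats folded in (carry over only hf*.jar and never the chf*.jar, and audit for the log4j 1.x JARs the update leaves under cfusion/jetty), as an added POSIX shell example that is neither the thread's nor Adobe's code. The directory layout, the chf file name and the 1.x JAR name are assumptions; the demo tree is constructed in a temp directory with empty stand-in JARs.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers for the CF2018 update 12 -> 13
# (or CF2021 update 2 -> 3) sequence described above. Assumed layout:
# $CF_ROOT/lib/log4j-*.jar and $CF_ROOT/lib/updates/*.jar.

# Step 1: save hf*.jar from lib/updates. The chf*.jar of the current update
# must not be carried into the new update, so only hf*.jar is matched.
backup_hotfix_jars() {                  # $1 = CF root, $2 = backup dir
    mkdir -p "$2"
    for jar in "$1"/lib/updates/hf*.jar; do
        [ -f "$jar" ] || continue       # skip an unmatched glob
        cp "$jar" "$2"/
    done
}

# Step 4: put the saved hf*.jar files back once the new update is installed.
restore_hotfix_jars() {                 # $1 = backup dir, $2 = CF root
    for jar in "$1"/hf*.jar; do
        [ -f "$jar" ] || continue
        cp "$jar" "$2"/lib/updates/
    done
}

# Post-update audit: print every log4j JAR anywhere under the install (lib/ and
# the jetty add-on folder alike) that is not at the expected version; returns 1
# if any remain, so a deployment script can stop on it.
find_stale_log4j_jars() {               # $1 = CF root, $2 = version, e.g. 2.17.1
    _stale=$(find "$1" -type f -name 'log4j*.jar' ! -name "*-$2.jar" | sort)
    [ -n "$_stale" ] || return 0
    printf '%s\n' "$_stale"
    return 1
}

# --- constructed demo tree: CF2018-like install on update 12 with one hotfix ---
cf="$(mktemp -d)"; bak="$(mktemp -d)"
mkdir -p "$cf/lib/updates" "$cf/cfusion/jetty/lib"
for m in api core to-slf4j; do : > "$cf/lib/log4j-$m-2.16.0.jar"; done
: > "$cf/lib/updates/chf20180012.jar"          # constructed chf name; stays behind
: > "$cf/lib/updates/hf201800-4208163.jar"     # hotfix JAR named in the thread
: > "$cf/cfusion/jetty/lib/log4j-1.2.15.jar"   # constructed 1.x JAR the update ignores

backup_hotfix_jars "$cf" "$bak"                # step 1
rm -f "$cf"/lib/updates/hf*.jar                # step 2: the updater drops hf*.jar
for m in api core to-slf4j; do                 # step 3: swap in the 2.17.1 JARs
    rm -f "$cf/lib/log4j-$m-2.16.0.jar"        # (empty stand-ins for the real downloads)
    : > "$cf/lib/log4j-$m-2.17.1.jar"
done
restore_hotfix_jars "$bak" "$cf"               # step 4; step 5 is the CF restart
find_stale_log4j_jars "$cf" 2.17.1 || echo "stale log4j JARs listed above"
```

Pointed at a real install root, find_stale_log4j_jars lists exactly the JARs (2.x or 1.x) still to be dealt with after the update.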
Community Beginner, Jan 03, 2022

Charlie,

Thanks for the explanations, but I also think you helped illustrate one of the biggest issues and concerns with how Adobe is handling this and really most of their updates. These updates are intended to be done to an Enterprise Level Production class system, which means they need to be reliable/fail safe, and while issues may be caught on a DEV machine, in this case you would still be forced because of the security issue to install on your production system and deal with re-adding the hotfixes etc. while taking an outage that could affect your SLA. I expect these kinds of issues from consumer grade software but not Enterprise Production level software.

Adobe Community Professional, Jan 03, 2022

I hear you, T Brown. But I'm just a messenger. I don't "make the rules" (and can't even "enforce them", to turn that phrase).

 

To be clear, I don't work for Adobe (and don't have much more influence than anyone else). You may have known that and are just making your observation to put the lament out there, and fair enough. I just wanted to be clear, for you and other readers. (Someone in another thread last week DID say they presumed I worked for Adobe, but I never have.)


/Charlie (troubleshooter, carehart.org)

Community Beginner, Jan 07, 2022

Guilty as charged. I am however hoping that Adobe will update CF2016 as log4j 1.x is EOL and unsupported, and vulnerable to other CVEs.

Community Beginner, Jan 07, 2022

Same problem here with CF2016, but even when we finally get the resources to upgrade to CF2021 (that's our plan) we still have that problem because log4j 1.x is in CF2021 too.

Priyank has said they would address that in a future release, but we need some timelines as we are facing some pretty intense scrutiny regarding log4j 1.x.

Adobe Community Professional, Jan 07, 2022

Savaticus, cf2016 and earlier are no longer supported by Adobe, which means no more updates--not even security updates. 


/Charlie (troubleshooter, carehart.org)

Adobe Community Professional, Jan 03, 2022

quote
And now there is a new version of Log4J 2.17.1 https://logging.apache.org/log4j/2.x/security.html to deal with https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832 which is a moderate severity.

By @NicoTexas

I have created a bug ticket on this at Tracker ( https://tracker.adobe.com/#/view/CF-4212652 ). Unfortunately, in recent days, Tracker fails to show any ColdFusion bug ticket created.

By @BKBK

When you follow that Tracker link, you arrive at a page that tells you:

"No issue found"

Adobe has informed me that that is so by design for Tracker tickets related to security.

Community Beginner, Jan 03, 2022

@BKBK 
Were you successful in your test scenario deploying 2.17.1 after applying update 13?

Adobe Community Professional, Jan 04, 2022

quote
@BKBK
Were you successful in your test scenario deploying 2.17.1 after applying update 13?

By @jstratton77

Hi @jstratton77

How did you guess? 🙂 I am currently testing ColdFusion 2018 Update 13 with log4j version 2.17.1 JARs. When I finish, I shall of course share the result with the forum.

Engaged, Jan 11, 2022

In case you missed it, Adobe has released a statement on this issue today, January 11, 2022:

Log4j 2.17.0 vulnerability on ColdFusion

Community Beginner, Jan 11, 2022

How much would you like to bet that someone will prove them wrong? If they haven't already.
