zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228)

Report · Dec 10, 2021

Does anyone know if the zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228) that was announced on 12/9/2021 will affect ColdFusion version 10 and 2018?

Report · Dec 16, 2021

Or should one wait till Friday...?

By @aarnir71156744

No. The description, zero-day, signals to you how much time you have to fix the problem: 0 days.

Report · Dec 15, 2021

For Folks reading this as of Wednesday 12 pm ET Dec 15 2021, As per the Adobe link https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html

Can you please be specific with instructions because it has definitely caused some confusion on the steps to perform. I will give example

The link https://cfdownload.adobe.com/pub/adobe/coldfusion/logshell/2.9.0/log4j-core-2.9.0.jar earlier was downloading a file named log4j-core-2.9.0-logshell.jar (as of yesterday Dec 14 2021 ). I renamed it myself by removing -logshell from the file log4j-core-2.9.0.jar .Looks like Adobe has fixed that since then. I downloaded file today Dec 15 2021 and its named correctly log4j-core-2.9.0.jar . Can someone from Adobe post notes at top of the page https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html with last updated date time and also what typos/wrong file name have been fixed so people coming to your link know they are looking at latest information.
Instruction for ColdFusion 2018. ColdFusion 2018 ships with log4j 2.13.3 and/or 2.9.0, and log4j 1.2. The former is impacted by this vulnerability, while the latter (that is, v1.2) is not impacted. So you are saying both log4j 2.13.3 and/or 2.9.0 are impacted but the file provided to download is log4j-core-2.9.0.jar. Question : Should we remove/update both of these log4j 2.13.3 and/or 2.9.0 from ColdFusion 2018 or just log4j-core-2.9.0.jar? I found log4j-core-2.9.0.jar in ColdFusion2018\CF_Instance\hf-updates\hf-2018-00011-326016\backup\lib and thats the only one we replaced even though its part of hf-updates backup folder. So what is the deal with log4j 2.13.3 ? Are we supposed to leave it like that? Please clarify ASAP.

Report · Dec 15, 2021

The 2.16 version will work also

Report · Dec 15, 2021

Did anyone run into an issue with the CF Admin page after applying the fix?

I applied the fix and everything appears to be running ok, but when I try to launch the CF admin page I get this message.

The web site you are accessing has experienced an unexpected error.
Please contact the website administrator.

The following information is meant for the website developer for debugging purposes.

Error Occurred While Processing Request

The Monitoring service is not available.

This exception is usually caused by service startup failure. Check your server configuration.

The error occurred in Application.cfm: line 114
Called from Application.cfm: line 4
Called from Application.cfm: line 1

-1 : Unable to display error's location in a CFML template.

Resources:

Check the ColdFusion documentation to verify that you are using the correct syntax.
Search the Knowledge Base to find a solution to your problem.

Browser	Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Remote Address	127.0.0.1
Referrer
Date/Time	15-Dec-21 05:07 PM

Stack Trace

at cfApplication2ecfm1524830424._factor3(/CFIDE/administrator/Application.cfm:114) at cfApplication2ecfm1524830424._factor11(/CFIDE/administrator/Application.cfm:4) at cfApplication2ecfm1524830424.runPage(/CFIDE/administrator/Application.cfm:1)

coldfusion.server.ServiceFactory$ServiceNotAvailableException: The Monitoring service is not available.

	at coldfusion.server.ServiceFactory.getMonitoringService(ServiceFactory.java:227)

	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

	at java.base/java.lang.reflect.Method.invoke(Method.java:566)

	at coldfusion.runtime.java.JavaProxy.invoke(JavaProxy.java:101)

	at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3627)

	at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3604)

	at cfApplication2ecfm1524830424._factor3(/CFIDE/administrator/Application.cfm:114)

	at cfApplication2ecfm1524830424._factor11(/CFIDE/administrator/Application.cfm:4)

	at cfApplication2ecfm1524830424.runPage(/CFIDE/administrator/Application.cfm:1)

	at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:262)

	at coldfusion.tagext.lang.IncludeTag.handlePageInvoke(IncludeTag.java:735)

	at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:565)

	at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65)

	at coldfusion.filter.CfincludeFilter.include(CfincludeFilter.java:33)

	at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:471)

	at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:43)

	at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)

	at coldfusion.filter.PathFilter.invoke(PathFilter.java:162)

	at coldfusion.filter.IpFilter.invoke(IpFilter.java:45)

	at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:96)

	at coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:78)

	at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)

	at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)

	at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:60)

	at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)

	at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)

	at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62)

	at coldfusion.CfmServlet.service(CfmServlet.java:226)

	at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:311)

	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:228)

	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:163)

	at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:46)

	at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:47)

	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:190)

	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:163)

	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)

	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:190)

	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:163)

	at coldfusion.filter.ClickjackingProtectionFilter.doFilter(ClickjackingProtectionFilter.java:75)

	at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:47)

	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:190)

	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:163)

	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)

	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)

	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)

	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)

	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)

	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)

	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:373)

	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382)

	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)

	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:893)

	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1723)

	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)

	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)

	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)

	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

	at java.base/java.lang.Thread.run(Thread.java:834)

Report · Dec 15, 2021

When I added the wrong jar I was getting a 500 error, but it was for the admin and the site. Did you have the correct jars? Many are named very similarly.

Report · Dec 15, 2021

Hello,

We applied the mitigation until the patch is released. In doing so, it broke our SSO integration.

what we did:

-Dlog4j2.formatMsgNoLookups=true to Jvm.config

the error we get when the saml request is initialized

"The system has attempted to use a undefined value, which usually indicates a programming error...."

removing the mitigation makes it work -

Report · Dec 15, 2021

Just a follow up question on this. When the sso broke it wasn't around the time that the AWS outage was occuring. Because ours broke with strange error messages around then and the underlying cause was our MFA provider went down with the outage

Report · Dec 16, 2021

Hello,

We applied the mitigation until the patch is released. In doing so, it broke our SSO integration.

what we did:

-Dlog4j2.formatMsgNoLookups=true to Jvm.config

the error we get when the saml request is initialized

"The system has attempted to use a undefined value, which usually indicates a programming error...."

removing the mitigation makes it work -

By @Pete220652393l9r

Either

(1) you made an error when changing the JVM settings;

or

(2) that was just coincidendence, and the error is referring to something else.

In any case, you may ignore the JVM flag, and solve the problem by replacing the Log4J jars. The latter method has been discussed exhaustively in this thread.

Report · Dec 16, 2021

Can someone at Adobe please reach out and tell us what the 2.x versions of log4j are used for? I have contacted every support group I can and am getting nothing we are week out and I feel like adobe has just abandoned this thread since they put out the remediation steps.

Most of the jar files I can find in the ColdFusion application files are referencing log4j 1.x. Some information about how ColdFusion might be affected would be seriously benefecial to admins. I even think the verbiage changed on the https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html page and no longer includes the "Adobe has discovered no indication to suggest custom data has been impacted as a result of this issue".

Which if it has, is very concerning, and we need to get clear information as to the extent that we were vulnerable.

Report · Dec 17, 2021

Yes this.
We need to know if there was a window of reasonable vulnerability at any point.
This is essential also from a compliancy angle!

It's been a week and I still can't tell anyone more then that we've remediated the issue in our expensively licensed webserver.
There's no patch. And there's no info to the extend coldfusion was vulnerable to begin with.

Guys over at LUCEE had this cleared up the day it was discovered, just saying.

@neochad I don't think the sentence about adobe not having found a exploitable problem was ever actually on that support page. It's a service desk reply someone got that should be somewhere in the comments here.
Not that that's in any way relevant to the point at hand, but just saying.

Report · Dec 17, 2021

You could very well be right, I may have transposed that in the flurry of responses that have been floating around.

Report · Dec 16, 2021

FYI in regards to version 2.15, I just received this notice from our datacenter provider:

"... an additional vulnerability has been identified in the previously released fix for CVE-2021-44228. This new vulnerability impacts Apache Log4j 2.15.0 and has been identified as CVE-2021-45046. If exploited, this vulnerability could result in a denial of service (DOS) attack. This vulnerability has been addressed in Log4j version 2.16.0."

Report · Dec 16, 2021

FYI in regards to version 2.15, I just received this notice from our datacenter provider:

"... an additional vulnerability has been identified in the previously released fix for CVE-2021-44228. This new vulnerability impacts Apache Log4j 2.15.0 and has been identified as CVE-2021-45046. If exploited, this vulnerability could result in a denial of service (DOS) attack. This vulnerability has been addressed in Log4j version 2.16.0."

By @paule12345

Which doesn't surprise me. I think it's best to implement solutions as soon as they come along. So, you should move from 2.15 to 2.16 right away. After all, you have 0 days to act. 🙂

Report · Dec 17, 2021

From my infosec team the new CVE on 2.15.0 is not as bad as the one it fixed and is not a 0 day.
https://nvd.nist.gov/vuln/detail/CVE-2021-45046
Its severity base score is 3.7.where https://nvd.nist.gov/vuln/detail/CVE-2021-44228 was scored as a 10 on 10.

Disclaimer, everyone is different and all depends on your configuration, setup, and usage of coldfusion.

Report · Dec 17, 2021

Hi All,

We have released securiy update, please update your servers even if you have followed the mitigation steps. You need to reapply any private patch that you received from us ex. QoQ as this is purely the security update.

https://helpx.adobe.com/coldfusion/kb/coldfusion-api-manager-updates.html
https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-update-3.html
https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-performance-monitoring-toolset-update-3.html
https://helpx.adobe.com/coldfusion/kb/coldfusion-2018-update-13.html

Please let us know in case of any query.

Thanks,
Priyank Shrivastava

Report · Dec 17, 2021

I don't see real information about what it is changing or how to confirm. The links on the 2018 page all seem to point to old FAQs and previous updates. Am I missing something? Blind faith that it is all good?

Report · Dec 17, 2021

@Ripley Casdorph Usually we have the Security Bulletin available for the update. This time we have released an update and mentioned everything in our article.

This is an official Adobe ColdFusion update and you can trust us. We have checked everything to secure the server.

Thanks,
Priyank Shrivastava

Report · Dec 17, 2021

Hi Priyank

Thanks for releasing the patch. I can see that it added log4j 2.16 libraries in cfusion/lib but it left my patched log4j 2.15 libraries there too so I will remove those so only the latest version remain.

Are there any plans to upgrade the log4j 1.2 libraries to log4j 2.x? A scan has identified these in cf-logging.jar. Our organizational IT security guidance is that we must migrate all log4j 1.2 to log4j 2.x or will need to shut down services because of previously logged CVE vulnerabilities in log4j 1.2 and because log 4j 1.2 is no longer actively maintained.

Thanks for your help

Report · Dec 17, 2021

@EvanSinceCF31

I was expecting this question and thanks that you asked. For Log4j1.2 libraries, we have received the tickets and we have made changes to the version which is with update and I can assure that it is not vulnerable. The scanner will flag it because of the version however, we have mitigated the security issue from this library.

We will be upgrading the library in future update. At this moment, that is maximum information, I can share with you.

Thanks,
Priyank Shrivastava

Report · Dec 17, 2021

Thanks Priyank, I appreciate the quick reply.

I could see the SocketServer.class was removed from cf-logging.jar which should mitigate the risk. I have some test scripts I can use to illustrate this to our security team.

I'll pass your response back to our security team. Hopefully coming from Adobe they will agree this is an acceptable action until a more complete migration from log4j 1.2 can be completed.

Report · Dec 17, 2021

Correct me if I am wrong, but I thought log4j 1.x was vulnerable when using the JMSAppender, I didn't see that class pre or post Update 13, but I did see those SocketServer.class removed in the Update 13 version.

Was SocketServer.class another potential for Log4Shell or was that just being cautious?

Report · Dec 17, 2021

@neochad Unfortunetly, I cannot share much details here. You can check the CVE listed in our article and find the details there.

Thanks,
Priyank Shrivastava

Report · Dec 17, 2021

A picture of the log4j vulnerability:

Report · Dec 17, 2021

The patch notes indicate that this is a cumulative patch: "The updates below are cumulative and contain all updates from previous ones." Is there a discrete patch available to address just the specific vulnerability? If someone has an issue with a particular update it seems there is no opportunity to avoid the prior update when applying update 13.

Report · Dec 17, 2021

Hi @John22299327at42

Currently, we don't have that mechanism and you have to apply the other updates and that cannot be skipped. However, we are discussing to make it separate so users can apply the security update without installing the bug fixes.

Thanks,
Priyank Shrivastava

zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228)

1 Correct answer

The Monitoring service is not available.