Does anyone know if the zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228) that was announced on 12/9/2021 will affect ColdFusion version 10 and 2018?
Hi Everyone,
We had originally published (on Dec 14) some workaround/mitigation steps in this article until the patch would be released. Since then, there have been updates and still further updates.
Dec 14: Technote with initial mitigations offered:
https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html
Update Dec 17: Updates for CF2021 and 2018 were released, addressing this log4j vulnerability. The technote mentioned above was a preliminary response, offered on Dec 14.
Is there an update on this specific request to have only this issue addressed? We're experiencing an issue with cumulative patches where our QoQ are breaking. Per another post Adobe has a fix for it but we won't have time to test it all.
I'm still using CF10, which based on this thread seems like it's probably not affected by this exploit. But, if I do add the "-Dlog4j2.formatMsgNoLookups=true" to my java args, will it be a problem?
I'm still using CF10, which based on this thread seems like it's probably not affected by this exploit. But, if I do add the "-Dlog4j2.formatMsgNoLookups=true" to my java args, will it be a problem?
By @Whatfore
I think it won't be a problem. However, I would suggest that you don't add it.
It is bad practice to initialize variables that are never used anywhere in your application. The same applies here. After all, -Dlog4j2.formatMsgNoLookups=true is just Java initialization code.
It appears something else changed besides log4j in the hotfix v3 for 2021
QoQ started returning: java.lang.UnsupportedOperationException: getColumnType() at coldfusion.sql.QueryTableMetaData.getColumnType(QueryTableMetaData.java:783) at coldfusion.sql.QueryTableMetaData.getColumnType(QueryTableMetaData.java:773)
Query is basic:
<cfquery name="retVal.currSum" dbtype="query">
SELECT rs_name,
SUM(last_count) AS last_count,
SUM(proj_amount) AS PROJ_AMOUNT
FROM retVal.Curr
GROUP BY rs_name
</cfquery>
Adding cast() didn't help either
<cfquery name="retVal.currSum" dbtype="query">
SELECT rs_name,
SUM(CAST(last_count AS INTEGER)) AS last_count,
SUM(CAST(proj_amount AS DOUBLE)) AS PROJ_AMOUNT
FROM retVal.Curr
GROUP BY rs_name
</cfquery>
Looks like Update 3 removed hotfixes that might have been applied, such as hf202100-4212383.jar. Re-installing it fixed the issue.
It appears something else changed besides log4j in the hotfix v3 for 2021
QoQ started returning: java.lang.UnsupportedOperationException: getColumnType() at coldfusion.sql.QueryTableMetaData.getColumnType(QueryTableMetaData.java:783) at coldfusion.sql.QueryTableMetaData.getColumnType(QueryTableMetaData.java:773)
Query is basic:
<cfquery name="retVal.currSum" dbtype="query">
SELECT rs_name,
SUM(last_count) AS last_count,
SUM(proj_amount) AS PROJ_AMOUNT
FROM retVal.Curr
GROUP BY rs_name
</cfquery>
Adding cast() didn't help either
<cfquery name="retVal.currSum" dbtype="query">
SELECT rs_name,
SUM(CAST(last_count AS INTEGER)) AS last_count,
SUM(CAST(proj_amount AS DOUBLE)) AS PROJ_AMOUNT
FROM retVal.Curr
GROUP BY rs_name
</cfquery>
By @rgjason2
If so, please create a bug ticket.
My developer faced a similar issue - probably the group by doing it.
The solution is to add the jar that was offered for update 2 (and 12, for cf2021).
See:
https://tracker.adobe.com/#/view/CF-4212383
As the Adobe info (in some pages) on the update says, they did not incorporate ANY current fixes to ANY bugs in update 2 (or 12). They ONLY updated the log4j libraries.
@Priyank Shrivastava. What is happening with the extra DoS vulnerability in log4j 2.16? This has now been updated to 2.17.
Will Adobe be updating the hotfix? Should we manually update?
Hmm,
A quick manual try on a local vbox to 2.17 gives a bunch of errors after cf restart.
Going back to 2.16 after that, same. Err...
A quick manual try on a local vbox to 2.17 gives a bunch of errors after cf restart.
Could you please share the error messages you got.
Sorry, my mistake. I accidentally removed log4j.jar too. Now changed to 2.17 and running ok. CF2021 in a Vbox Ubuntu 20.04 LTS test machine with:
log4j-api-2.17.0.jar
log4j-core-2.17.0.jar
log4j-to-slf4j-2.17.0.jar
No errors or warnings.
Did not do this on the production machine yet though.
@Priyank Shrivastava. What is happening with the extra DoS vulnerability in log4j 2.16? This has now been updated to 2.17.
By @w49369461
Yes, indeed. Even the new log4j 2.16 has been found to be vulnerable. It could enable an attacker to generate infinite recursive lookups, leading to a denial of service.
https://logging.apache.org/log4j/2.x/
Let's wait for Adobe's solution. In the meantime, I think the JVM flag,
-Dlog4j2.formatMsgNoLookups=true
remains an effective preventive measure even against this new vulnerability. Unless, of course, your application requires lookups.
Hi All,
We are looking into this and I will update the thread with more details.
Hi Priyank.
After we apply CF 2018 hotfix 13, we still see log4j-1.2.15.jar in the <cfinstance>/lib directory. When we try to remove it, we get 500 errors. Will this file be patched or removed? I am being told this is still a vulnerability.
Thank you,
Jeff
Hi Jeff,
In one of the comments, I clarified that log4j-1.2.15.jar is not vulnerable anymore. We have patched it and it is safe to use.
I understand that it will be flagged by your scanner, however, with update 3 it is secure.
Also, CF is not impacted by the recent CVE that was fixed in 2.17, however, you can still update the CORE jar to 2.17.
Also, CF is not impacted by the recent CVE that was fixed in 2.17, ...
By @Priyank Shrivastava.
Hi Priyank,
I beg to disagree. If Log4j v2.16 is susceptible to a denial-of-service vulnerability and ColdFusion is equipped with Log4j v2.16, then ColdFusion will likewise be susceptible.
Hi @BKBK
I was also not convinced however, we did analyze it and I am sharing the details based on the team's comment.
Also, we are asking users to upgrade the CORE library to 2.17. We will share more details in our article.
I have updated manually to 2.17 both Core and API and there appears to be no issues.
Same with production machine now and seems to run just fine. CF2021 Standard, Ubuntu 20.04 Server LTS with:
log4j-api-2.17.0.jar
log4j-core-2.17.0.jar
log4j-to-slf4j-2.17.0.jar
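Several posts above list the log4j jars present after a manual swap, and earlier replies discuss whether to set -Dlog4j2.formatMsgNoLookups=true in the JVM arguments. The script below is an added example, not code from this thread or from Adobe: it inventories log4j-*.jar files in a ColdFusion lib directory, flags any 2.x jar older than a minimum version (defaulting to the 2.17.0 that the thread settles on), and separately reports whether a jvm.config file carries the lookups flag. The directory paths, the sample jar names in the usage block and the function names are all constructed for this demo. Note the caveat the thread itself raises: a filename-based check cannot tell a vendor-patched jar such as log4j-1.2.15.jar from an unpatched one, so it reports 1.x jars as LEGACY-1.x for a human to reconcile against Adobe's statement rather than declaring them vulnerable.

```shell
#!/bin/sh
# Added example (constructed; not from the thread or from Adobe).
# Inventory log4j jars under a ColdFusion lib directory and check jvm.config
# for the formatMsgNoLookups flag. POSIX sh only; no GNU-specific options.

# version_lt A B: succeeds (exit 0) when dotted version A is lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# scan_log4j_jars DIR [MIN]: prints "<jar> <version> <status>" per log4j-*.jar.
# status: OK (>= MIN), OUTDATED (2.x below MIN), LEGACY-1.x (1.x jar; a
# filename check cannot tell a patched jar from an unpatched one, so it is
# left for manual review). Exit status 0 when at least one jar was found.
scan_log4j_jars() {
    dir=$1
    min=${2:-2.17.0}
    found=0
    for jar in "$dir"/log4j-*.jar; do
        [ -e "$jar" ] || continue   # unmatched glob stays literal; skip it
        found=1
        name=$(basename "$jar")
        # log4j-to-slf4j-2.17.0.jar -> 2.17.0 (strip .jar, keep text after last '-')
        ver=${name%.jar}
        ver=${ver##*-}
        case "$ver" in
            1.*) printf '%s %s LEGACY-1.x\n' "$name" "$ver" ;;
            *)
                if version_lt "$ver" "$min"; then
                    printf '%s %s OUTDATED\n' "$name" "$ver"
                else
                    printf '%s %s OK\n' "$name" "$ver"
                fi ;;
        esac
    done
    [ "$found" -eq 1 ]
}

# has_nolookups_flag JVM_CONFIG: succeeds when the file sets the flag.
# '--' keeps grep from reading the leading '-D' as an option.
has_nolookups_flag() {
    grep -q -- '-Dlog4j2.formatMsgNoLookups=true' "$1"
}

# Usage: sh log4j_check.sh /opt/coldfusion2021/cfusion/lib /opt/coldfusion2021/cfusion/bin/jvm.config
# (paths are hypothetical placeholders for your own instance)
if [ "$#" -ge 1 ]; then
    scan_log4j_jars "$1" || echo "no log4j-*.jar found in $1"
    if [ "$#" -ge 2 ]; then
        if has_nolookups_flag "$2"; then
            echo "jvm.config: formatMsgNoLookups flag present"
        else
            echo "jvm.config: formatMsgNoLookups flag absent"
        fi
    fi
fi
```

Run it against each instance's lib directory after applying an update, since the thread reports Update 3 silently replacing jars that earlier hotfixes had installed; the OUTDATED lines are the ones to act on. On the flag itself, Apache's own Log4j security page notes that formatMsgNoLookups was found insufficient for CVE-2021-45046 in some non-default logging configurations, so treat the flag as defence in depth and the jar version as the control that matters.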
Hi All,
We have released an article with updated jar 2.17 which you can replace in your server. Here I am sharing the article, please follow it and let me know in case of any issue.
https://helpx.adobe.com/coldfusion/kb/log4j-2-16-vulnerability-coldfusion.html
It is wonderful that you guys are following and updating these vulnerabilities as they come up. Kudos for that! Thank you. However, it seems the only place these are being socialized is within the comments of this blog post. These should also be posted to Adobe's Product Security Incident Response Team page I would think. I see no mention of any of this there. https://helpx.adobe.com/security.html#coldfusion
I do see that the larger updates (2021 update 3 and 2018 update 13) are posted to the usual ColdFusion updates page. So that's good. But now you have another "patch" to be applied after the latest updates and I see no mention of that anywhere but here in the comments.
Please update the Adobe site as well with this information for people to find when they look for ColdFusion updates in the future. The update process with ColdFusion is unnecessarily difficult because we have to look in so many different places to find out what to do.
It would also be nice if these security updates would be able to be released without being cumulative.
Updating to these hotfixes has required a number of emails to Adobe to get hotfixes for known issues that we cannot test against due to the urgency.