zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228)

Explorer, Dec 10, 2021


Does anyone know if the zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228) that was announced on 12/9/2021 will affect ColdFusion version 10 and 2018?

Views: 34.9K

Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines

1 Correct answer

Adobe Employee, Dec 14, 2021
Hi Everyone, We had originally published (on Dec 14) some workaround/mitigation steps in this article until the patch would be released. Since then, there have been updates and still further updates. Dec 14: Technote with initial mitigations offered: https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html Update Dec 17: Updates for CF2021 and 2018 were released, addressing this log4j vulnerability. The technote mentioned above was a preliminary response, offered on Dec 14....

188 Replies
Adobe Community Professional, Dec 16, 2021


quote

Or should one wait till Friday...?

By @aarnir71156744

No. The description, zero-day, signals to you how much time you have to fix the problem: 0 days.

Community Beginner, Dec 15, 2021


For folks reading this as of Wednesday 12 pm ET, Dec 15 2021, as per the Adobe link https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html

Can you please be specific with the instructions, because it has definitely caused some confusion about the steps to perform? I will give an example:

1. The link https://cfdownload.adobe.com/pub/adobe/coldfusion/logshell/2.9.0/log4j-core-2.9.0.jar earlier was downloading a file named log4j-core-2.9.0-logshell.jar (as of yesterday, Dec 14 2021). I renamed it myself by removing -logshell, giving log4j-core-2.9.0.jar. Looks like Adobe has fixed that since then: I downloaded the file today, Dec 15 2021, and it's named correctly, log4j-core-2.9.0.jar. Can someone from Adobe post notes at the top of the page https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html with the last updated date/time and also which typos/wrong file names have been fixed, so people coming to your link know they are looking at the latest information.
2. Instructions for ColdFusion 2018. "ColdFusion 2018 ships with log4j 2.13.3 and/or 2.9.0, and log4j 1.2. The former is impacted by this vulnerability, while the latter (that is, v1.2) is not impacted." So you are saying both log4j 2.13.3 and/or 2.9.0 are impacted, but the file provided to download is log4j-core-2.9.0.jar. Question: should we remove/update both log4j 2.13.3 and 2.9.0 in ColdFusion 2018, or just log4j-core-2.9.0.jar? I found log4j-core-2.9.0.jar in ColdFusion2018\CF_Instance\hf-updates\hf-2018-00011-326016\backup\lib and that's the only one we replaced, even though it's part of the hf-updates backup folder. So what is the deal with log4j 2.13.3? Are we supposed to leave it like that? Please clarify ASAP.

New Here, Dec 15, 2021


The 2.16 version will also work.

New Here, Dec 15, 2021


Did anyone run into an issue with the CF Admin page after applying the fix?

 

I applied the fix and everything appears to be running ok, but when I try to launch the CF admin page I get this message. 

 

The web site you are accessing has experienced an unexpected error.
Please contact the website administrator.


The following information is meant for the website developer for debugging purposes.
Error Occurred While Processing Request

The Monitoring service is not available.

This exception is usually caused by service startup failure. Check your server configuration.
 
The error occurred in Application.cfm: line 114
Called from Application.cfm: line 4
Called from Application.cfm: line 1
-1 : Unable to display error's location in a CFML template.

Resources:

 

Browser  Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Remote Address  127.0.0.1
Referrer   
Date/Time  15-Dec-21 05:07 PM
Stack Trace
at cfApplication2ecfm1524830424._factor3(/CFIDE/administrator/Application.cfm:114) at cfApplication2ecfm1524830424._factor11(/CFIDE/administrator/Application.cfm:4) at cfApplication2ecfm1524830424.runPage(/CFIDE/administrator/Application.cfm:1)

coldfusion.server.ServiceFactory$ServiceNotAvailableException: The Monitoring service is not available.
    at coldfusion.server.ServiceFactory.getMonitoringService(ServiceFactory.java:227)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at coldfusion.runtime.java.JavaProxy.invoke(JavaProxy.java:101)
    at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3627)
    at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3604)
    at cfApplication2ecfm1524830424._factor3(/CFIDE/administrator/Application.cfm:114)
    at cfApplication2ecfm1524830424._factor11(/CFIDE/administrator/Application.cfm:4)
    at cfApplication2ecfm1524830424.runPage(/CFIDE/administrator/Application.cfm:1)
    at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:262)
    at coldfusion.tagext.lang.IncludeTag.handlePageInvoke(IncludeTag.java:735)
    at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:565)
    at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65)
    at coldfusion.filter.CfincludeFilter.include(CfincludeFilter.java:33)
    at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:471)
    at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:43)
    at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
    at coldfusion.filter.PathFilter.invoke(PathFilter.java:162)
    at coldfusion.filter.IpFilter.invoke(IpFilter.java:45)
    at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:96)
    at coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:78)
    at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
    at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
    at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:60)
    at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
    at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
    at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62)
    at coldfusion.CfmServlet.service(CfmServlet.java:226)
    at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:311)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:228)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:163)
    at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:46)
    at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:47)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:190)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:163)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:190)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:163)
    at coldfusion.filter.ClickjackingProtectionFilter.doFilter(ClickjackingProtectionFilter.java:75)
    at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:47)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:190)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:163)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:373)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:893)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1723)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:834)

Explorer, Dec 15, 2021


When I added the wrong jar I was getting a 500 error, but it was for both the admin and the site. Did you have the correct jars? Many are named very similarly.

New Here, Dec 15, 2021


Hello,

We applied the mitigation until the patch is released. In doing so, it broke our SSO integration.

What we did: added -Dlog4j2.formatMsgNoLookups=true to jvm.config.

The error we get when the SAML request is initialized:

"The system has attempted to use a undefined value, which usually indicates a programming error...."

Removing the mitigation makes it work.

Community Beginner, Dec 15, 2021


Just a follow-up question on this. When the SSO broke, it wasn't around the time that the AWS outage was occurring, was it? Because ours broke with strange error messages around then, and the underlying cause was that our MFA provider went down with the outage.

Adobe Community Professional, Dec 16, 2021


quote

Hello,

We applied the mitigation until the patch is released. In doing so, it broke our SSO integration.

What we did: added -Dlog4j2.formatMsgNoLookups=true to jvm.config.

The error we get when the SAML request is initialized:

"The system has attempted to use a undefined value, which usually indicates a programming error...."

Removing the mitigation makes it work.

By @Pete220652393l9r

 

Either

(1) you made an error when changing the JVM settings;

or

(2) that was just coincidence, and the error is referring to something else.

 

In any case, you may ignore the JVM flag, and solve the problem by replacing the Log4J jars. The latter method has been discussed exhaustively in this thread.

Community Beginner, Dec 16, 2021


Can someone at Adobe please reach out and tell us what the 2.x versions of log4j are used for? I have contacted every support group I can and am getting nothing. We are a week out, and I feel like Adobe has just abandoned this thread since they put out the remediation steps.

 

Most of the jar files I can find in the ColdFusion application files are referencing log4j 1.x. Some information about how ColdFusion might be affected would be seriously beneficial to admins. I even think the verbiage changed on the https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html page and it no longer includes "Adobe has discovered no indication to suggest custom data has been impacted as a result of this issue".

 

Which, if it has, is very concerning, and we need to get clear information as to the extent to which we were vulnerable.

Community Beginner, Dec 17, 2021


Yes, this.
We need to know if there was a window of reasonable vulnerability at any point.
This is essential also from a compliance angle!

It's been a week and I still can't tell anyone more than that we've remediated the issue in our expensively licensed webserver.
There's no patch. And there's no info on the extent to which ColdFusion was vulnerable to begin with.

Guys over at LUCEE had this cleared up the day it was discovered, just saying.

@neochad I don't think the sentence about Adobe not having found an exploitable problem was ever actually on that support page. It's a service desk reply someone got that should be somewhere in the comments here.
Not that that's in any way relevant to the point at hand, but just saying.

Community Beginner, Dec 17, 2021


You could very well be right, I may have transposed that in the flurry of responses that have been floating around.

Participant, Dec 16, 2021


FYI, in regards to version 2.15, I just received this notice from our datacenter provider:

 

"... an additional vulnerability has been identified in the previously released fix for CVE-2021-44228. This new vulnerability impacts Apache Log4j 2.15.0 and has been identified as CVE-2021-45046. If exploited, this vulnerability could result in a denial of service (DOS) attack. This vulnerability has been addressed in Log4j version 2.16.0."

Adobe Community Professional, Dec 16, 2021


quote

FYI, in regards to version 2.15, I just received this notice from our datacenter provider:

"... an additional vulnerability has been identified in the previously released fix for CVE-2021-44228. This new vulnerability impacts Apache Log4j 2.15.0 and has been identified as CVE-2021-45046. If exploited, this vulnerability could result in a denial of service (DOS) attack. This vulnerability has been addressed in Log4j version 2.16.0."

By @paule12345

Which doesn't surprise me. I think it's best to implement solutions as soon as they come along. So, you should move from 2.15 to 2.16 right away. After all, you have 0 days to act. 🙂

Explorer, Dec 17, 2021


From my infosec team: the new CVE on 2.15.0 is not as bad as the one it fixed and is not a 0-day.
https://nvd.nist.gov/vuln/detail/CVE-2021-45046
Its severity base score is 3.7, where https://nvd.nist.gov/vuln/detail/CVE-2021-44228 was scored 10 out of 10.

Disclaimer: everyone is different, and it all depends on your configuration, setup, and usage of ColdFusion.

Adobe Employee, Dec 17, 2021


Hi All,

 

We have released the security update; please update your servers even if you have followed the mitigation steps. You need to reapply any private patch that you received from us (e.g. QoQ), as this is purely the security update.

 

https://helpx.adobe.com/coldfusion/kb/coldfusion-api-manager-updates.html
https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-update-3.html
https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-performance-monitoring-toolset-update-3.html
https://helpx.adobe.com/coldfusion/kb/coldfusion-2018-update-13.html

 

Please let us know in case of any query.

Thanks,
Priyank Shrivastava

Explorer, Dec 17, 2021


I don't see real information about what it is changing or how to confirm. The links on the 2018 page all seem to point to old FAQs and previous updates. Am I missing something? Blind faith that it is all good?

Adobe Employee, Dec 17, 2021


@Ripley Casdorph Usually we have the Security Bulletin available for the update. This time we have released an update and mentioned everything in our article.

This is an official Adobe ColdFusion update and you can trust us. We have checked everything to secure the server.

 

Thanks,
Priyank Shrivastava

Community Beginner, Dec 17, 2021


Hi Priyank,

Thanks for releasing the patch. I can see that it added log4j 2.16 libraries in cfusion/lib, but it left my patched log4j 2.15 libraries there too, so I will remove those so only the latest version remains.

Are there any plans to upgrade the log4j 1.2 libraries to log4j 2.x? A scan has identified these in cf-logging.jar. Our organizational IT security guidance is that we must migrate all log4j 1.2 to log4j 2.x or will need to shut down services, because of previously logged CVE vulnerabilities in log4j 1.2 and because log4j 1.2 is no longer actively maintained.

 

Thanks for your help

Adobe Employee, Dec 17, 2021


@EvanSinceCF31 

 

I was expecting this question, and thanks for asking. For the Log4j 1.2 libraries, we have received the tickets and we have made changes to the version which ships with the update, and I can assure you that it is not vulnerable. The scanner will flag it because of the version; however, we have mitigated the security issue in this library.

We will be upgrading the library in a future update. At this moment, that is the maximum information I can share with you.

 

Thanks,
Priyank Shrivastava

Community Beginner, Dec 17, 2021


Thanks Priyank, I appreciate the quick reply.

I could see the SocketServer.class was removed from cf-logging.jar, which should mitigate the risk. I have some test scripts I can use to illustrate this to our security team.

I'll pass your response back to our security team. Hopefully, coming from Adobe, they will agree this is an acceptable action until a more complete migration from log4j 1.2 can be completed.

Community Beginner, Dec 17, 2021


Correct me if I am wrong, but I thought log4j 1.x was vulnerable when using the JMSAppender. I didn't see that class pre- or post-Update 13, but I did see the SocketServer.class removed in the Update 13 version.

Was SocketServer.class another potential for Log4Shell, or was that just being cautious?
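The two recurring questions in this thread are which log4j-core jars (including the ones lingering in hf-updates backup folders) still need replacing, and whether the Log4j 1.2 classes in cf-logging.jar are still present after the update. The following Python inventory script is an added example, not Adobe's code or anything posted in the thread: it walks a ColdFusion tree, reads each Log4j-looking jar's manifest version, flags any log4j-core below 2.16.0 that still carries JndiLookup.class, and reports the SocketServer/JMSAppender classes for review. The directory layout and jar contents it builds are constructed sample data, and the Implementation-Version manifest header is an assumption about the jars.

```python
"""Inventory Log4j jars under a ColdFusion tree; added example, not Adobe's code.
Assumes jars carry an Implementation-Version manifest header, as upstream builds do."""
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
V1_RISKY_CLASSES = ("org/apache/log4j/net/SocketServer.class",
                    "org/apache/log4j/net/JMSAppender.class")
FIXED_2X = (2, 16, 0)  # 2.15.0 still carries CVE-2021-45046, so require 2.16.0+
NAME_RE = re.compile(r"^(log4j|cf-logging).*\.jar$", re.IGNORECASE)

def parse_version(ver):
    """'2.17.1-rc1' -> (2, 17, 1); missing components are padded with 0."""
    nums = [int(m.group()) for m in (re.match(r"\d+", p) for p in ver.split(".")) if m]
    return tuple((nums + [0, 0, 0])[:3])

def inspect_jar(jar):
    """Return (manifest Implementation-Version or None, set of entry names)."""
    try:
        with zipfile.ZipFile(jar) as zf:
            entries = set(zf.namelist())
            text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") \
                if "META-INF/MANIFEST.MF" in entries else ""
    except (zipfile.BadZipFile, OSError):
        return None, set()
    m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.MULTILINE)
    return (m.group(1) if m else None), entries

def assess_jar(jar):
    """Classify one jar as 'affected', 'review' or 'ok', with a reason."""
    ver, entries = inspect_jar(jar)
    if JNDI_CLASS in entries:  # log4j-core 2.x with the JNDI lookup still inside
        if ver is None:
            return "review", "JndiLookup.class present, version unknown"
        if parse_version(ver) < FIXED_2X:
            return "affected", f"log4j-core {ver} ships JndiLookup.class"
        return "ok", f"log4j-core {ver} (>= 2.16.0)"
    hits = [c.rsplit("/", 1)[1] for c in V1_RISKY_CLASSES if c in entries]
    if hits:  # Log4j 1.2 network classes that scanners flag
        return "review", "1.x classes present: " + ", ".join(hits)
    return "ok", f"{ver or 'unversioned'}, no flagged classes"

def scan_tree(root):
    """Assess every Log4j-looking jar under root, hf-updates backups included."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if NAME_RE.match(name):
                path = os.path.join(dirpath, name)
                status, reason = assess_jar(path)
                findings.append((os.path.relpath(path, root), status, reason))
    return sorted(findings)

def _write_jar(path, version, entries):
    """Write a constructed jar (sample data, not a real Log4j build)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        for entry in entries:
            zf.writestr(entry, b"\xca\xfe\xba\xbe")  # class-file magic only

def demo():
    """Scan a constructed tree mirroring the thread's paths; return {basename: status}."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "cfusion", "lib")
        backup = os.path.join(root, "cfusion", "hf-updates", "backup", "lib")
        _write_jar(os.path.join(lib, "log4j-core-2.16.0.jar"), "2.16.0", [JNDI_CLASS])
        _write_jar(os.path.join(lib, "log4j-core-2.15.0.jar"), "2.15.0", [JNDI_CLASS])
        _write_jar(os.path.join(backup, "log4j-core-2.9.0.jar"), "2.9.0", [JNDI_CLASS])
        _write_jar(os.path.join(lib, "cf-logging.jar"), "1.2.17", V1_RISKY_CLASSES[:1])
        findings = scan_tree(root)
    return {os.path.basename(rel): status for rel, status, _ in findings}
```

Point `scan_tree` at a real install root to get the full (relative path, status, reason) list; `demo()` only exercises it on the constructed tree.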

Adobe Employee, Dec 17, 2021


@neochad Unfortunately, I cannot share many details here. You can check the CVE listed in our article and find the details there.

 

Thanks,
Priyank Shrivastava

Adobe Community Professional, Dec 17, 2021


A picture of the log4j vulnerability:

[image: log4j-vulnerability-govcertch-666x450.jpg]

New Here, Dec 17, 2021


The patch notes indicate that this is a cumulative patch: "The updates below are cumulative and contain all updates from previous ones." Is there a discrete patch available to address just the specific vulnerability? If someone has an issue with a particular update, it seems there is no opportunity to avoid the prior update when applying Update 13.

Adobe Employee, Dec 17, 2021


Hi @John22299327at42

Currently, we don't have that mechanism; you have to apply the other updates, and that cannot be skipped. However, we are discussing making it separate so users can apply the security update without installing the bug fixes.

 

Thanks,
Priyank Shrivastava
