Hi,
Regarding the vulnerability CVE-2021-44228, I would like to know if the Adobe CC desktop app or any of the apps that can be installed with it make use of the vulnerable Log4j package.
If so, what steps do you recommend for mitigation?
Thank you very much for your help.
+1
I'm also looking for more information on this for Desktop clients
Good day
Since there is no information posted on Adobe security center for this: https://helpx.adobe.com/security/Home.html
For CVE-2021-44228 - Log4j vulnerability - does anyone know which products are affected; any fix ETA or, in the interim, a workaround or suggestion to mitigate the risk? Specifically, is Adobe Acrobat or Acrobat DC affected?
Thank you
I wanted to reach out to you to find out if Adobe has any vulnerabilities relating to Log4j? If so what steps need to be taken to fix these?
Do we have any updates on the patches, looking for assistance.
Thanks.
We are looking for information regarding an Adobe response to the CVE-2021-44228 vulnerability as well. Please advise.
As far as everyone is aware, no Adobe desktop applications are affected and likely no desktop apps from other vendors. This is an issue with a Java logging app typically run on servers, so many if not most service providers online will be affected.
Regular users are most at risk of having your personal data stolen or services taken offline.
Any word on the cloud services provided by Adobe?
log4j is usually bundled with everything Java-powered these days. You'll find the module embedded on desktop applications as well, not just server apps.
Would be great to have an official response
Thank you, everyone, for your interest and concern regarding the recently discovered Log4j vulnerability. For information on security issues related to the Apache Log4j 2 library and how it affects Adobe software and services, please bookmark and review https://helpx.adobe.com/security/products/log4j-2-advisory.html.
This is a developing situation, so please follow the guidance at the bottom and contact your dedicated Customer Success Manager (CSM), Technical Account Manager (TAM), or contact us directly at https://helpx.adobe.com/contact.html?rghtup=autoOpen for any questions you may have.
The question of the day is what non-server applications are affected if any. I suspect none but it would be nice to know for sure.
Which is exactly the type of question you should contact your dedicated Customer Success Manager (CSM), Technical Account Manager (TAM), or contact us directly at https://helpx.adobe.com/contact.html?rghtup=autoOpen so that any specific questions can be addressed, Lumigraphics.
Hi Jeff, thank you for your reply.
It would be good to have a website that lists all affected Adobe programs and services, whether they are affected or not, and what mitigation steps can be taken.
This would save both Adobe support staff and customers time.
At this point, several days after the exploit was shared, assume any vendor that won't give a direct answer is still figuring it out themselves. Best we can do is protect the perimeter. I know they are working on it.
Hi Jeff, thank you for the update. That's exactly what I meant.
Tenable vulnerability scanner sees log4j-1.2.14.jar hidden inside the LiveCycle directory in CC version 5.6.5.58 (February 2021). Is there a patch available for this vulnerable version of log4j in the newest version of Adobe Creative Cloud? The website you posted has no listing for LiveCycle vulnerability status. Details below...
-----------------------------------------------------------------------------------------------------------
PS C:\Program Files (x86)\Adobe\Adobe LiveCycle Designer ES4\Java\Libs> ls

    Directory: C:\Program Files (x86)\Adobe\Adobe LiveCycle Designer ES4\Java\Libs

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         3/3/2013   5:55 AM        1909418 adobe-xfa-3.1.0.jar
-a----         3/3/2013   5:55 AM         531557 collections-generic-4.01.jar
-a----         3/3/2013   5:55 AM        5135118 com.adobe.model.core.jar
-a----         3/3/2013   5:55 AM         313359 dom4j-1.6.jar
-a----         3/3/2013   5:55 AM          19771 fmltoxsdgenerator.jar
-a----         3/3/2013   5:55 AM         807736 freemarker-2.3.9.jar
-a----         3/3/2013   5:55 AM         244330 jaxen-1.1-beta-6.jar
-a----         3/3/2013   5:55 AM         367444 log4j-1.2.14.jar
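Added example (not part of the thread, and not Adobe or Tenable code): a minimal Python inventory that walks an install directory, opens each .jar/.war/.ear including nested ones, and separates Log4j 1.x jars such as the log4j-1.2.14.jar listed above from log4j-core 2.x jars that still contain JndiLookup.class, the class involved in CVE-2021-44228. The marker class paths are the heuristic assumed here, the verdict strings are invented for the example, and the jars built in demo() are constructed samples.

```python
import io, sys, tempfile, zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # log4j-core 2.x
LOG4J1_LOGGER = "org/apache/log4j/Logger.class"                         # Log4j 1.x API
ARCHIVES = (".jar", ".war", ".ear")

def classify(data, label):
    """Inspect one archive given as bytes; recurse into archives nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(label, "unreadable")]
    findings = []
    with zf:
        names = zf.namelist()
        if JNDI_LOOKUP in names:
            findings.append((label, "log4j2-jndilookup"))  # check version against the advisory
        elif LOG4J1_LOGGER in names:
            findings.append((label, "log4j1"))  # end-of-life 1.x line, no JndiLookup class
        for name in names:
            if name.lower().endswith(ARCHIVES):
                findings += classify(zf.read(name), f"{label}!{name}")
    return findings

def scan(root):
    """Walk a directory tree and classify every Java archive found."""
    results = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            results += classify(path.read_bytes(), path.relative_to(root).as_posix())
    return results

def make_jar(entries):  # helper: build a constructed sample archive in memory
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():  # constructed samples: a 1.x jar, and a 2.x core jar nested in an app jar
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "log4j-1.2.14.jar").write_bytes(make_jar({LOG4J1_LOGGER: b""}))
        Path(tmp, "app.jar").write_bytes(make_jar({"lib/log4j-core.jar": make_jar({JNDI_LOOKUP: b""})}))
        return scan(tmp)

if __name__ == "__main__":
    for label, verdict in scan(sys.argv[1]) if len(sys.argv) > 1 else demo():
        print(f"{verdict:20} {label}")
```

Run it with an install directory as the only argument; a `log4j2-jndilookup` hit only means the jar's version still has to be compared with the vendor advisory.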
LiveCycle Designer is not included with any current Acrobat or Creative Cloud product. LiveCycle as a freestanding product reached end of life in 2018.
I wanted to reach out to you to find out if Adobe has any vulnerabilities relating to Log4j? If so what steps need to be taken to fix these?
Looking for if there are patches and assistance.
So far, Adobe wants you to contact support directly instead of just posting a list of software.
Lumigraphics is correct; please bookmark https://helpx.adobe.com/security/products/log4j-2-advisory.html to be kept up to date regarding the Log4j vulnerability.
If you have additional questions that https://helpx.adobe.com/security/products/log4j-2-advisory.html does not currently answer, please follow the guidance at the bottom of the document and contact us directly.
+1 "What is Adobe's assessment of the Log4j security vulnerability as applied to Acrobat Pro DC, Adobe Captivate, Creative Cloud All Apps, Illustrator, Photoshop"
The only answer I get from Support chat is a non-answer. "That information has not been shared with us"
Latest advisory for CVE-2021-44228 is here: https://helpx.adobe.com/security/products/log4j.html
Please, can you confirm if Adobe Creative Cloud is affected by the LOG4SHELL vulnerability (CVE-2021-44228)?
Photoshop CS5.5 (v12.1) desktop version appears to use log4j in the service manager components. Will there be a patch for this older version?