Log4j vulnerability and Adobe CC

I wanted to reach out to you to find out if Adobe has any vulnerabilities relating to Log4j?  If so what steps need to be taken to fix these?

Do we have any updates on the patches, looking for assistance.

Thanks.

Any word on the cloud services provided by adobe?

log4j is usually bundled with everything Java-powered these days. You'll find the module embedded on desktop applications as well, not just server apps.

Would be great to have an official response

The question of the day is what non-server applications are affected if any. I suspect none but it would be nice to know for sure.

Which is exactly the type of question you should contact your dedicated Customer Success Manager (CSM), Technical Account Manager (TAM), or contact us directly at https://helpx.adobe.com/contact.html?rghtup=autoOpen so that any specific questions can be addressed, Lumigraphics.

Hi Jeff, thank you for your reply. 
It would be good to have a website that lists all affected Adobe programs and services, whether they are affected or not, and what mitigation steps can be taken.
This would save both Adobe support staff and customers time.

At this point, several days after the exploit was shared, assume any vendor that won't give a direct answer is still figuring it out themselves. Best we can do is protect the perimeter. I know they are working on it.

Hi Jeff, thank you for the update. That's exactly what I meant.

Tenable vulnerability scanner sees log4j-1.2.14.jar hidden inside the LiveCycle directory in CC version 5.6.5.58 (February 2021). Is there a patch available for this vulnerable version of log4j in the newest version of Adobe Creative Cloud? The website you posted has no listing for LiveCycle vulnerability status. Details below...

-----------------------------------------------------------------------------------------------------------

PS C:\Program Files (x86)\Adobe\Adobe LiveCycle Designer ES4\Java\Libs> ls

Directory: C:\Program Files (x86)\Adobe\Adobe LiveCycle Designer ES4\Java\Libs

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/3/2013 5:55 AM 1909418 adobe-xfa-3.1.0.jar
-a---- 3/3/2013 5:55 AM 531557 collections-generic-4.01.jar
-a---- 3/3/2013 5:55 AM 5135118 com.adobe.model.core.jar
-a---- 3/3/2013 5:55 AM 313359 dom4j-1.6.jar
-a---- 3/3/2013 5:55 AM 19771 fmltoxsdgenerator.jar
-a---- 3/3/2013 5:55 AM 807736 freemarker-2.3.9.jar
-a---- 3/3/2013 5:55 AM 244330 jaxen-1.1-beta-6.jar
-a---- 3/3/2013 5:55 AM 367444 log4j-1.2.14.jar

LiveCycle Designer is not included with any current Acrobat or Creative Cloud product. LiveCycle as a freestanding product reached end of life in 2018. 

So far, Adobe wants you to contact support directly instead of just posting a list of software.

Lumigraphics is correct; please bookmark https://helpx.adobe.com/security/products/log4j-2-advisory.html to be kept up to date regarding the Log4j vulnerability.

If you have additional questions that https://helpx.adobe.com/security/products/log4j-2-advisory.html does not currently answer, please follow the guidance at the bottom of the document and contact us directly.

Deleted.

Please see: https://helpx.adobe.com/security/products/log4j.html