gualtiero sappa
Dec 14, 2021 03:53 AM
Hi all, we contacted Adobe Product Security and Incident Response and received this reply:

Adobe is investigating potential impact and taking action, including updating affected systems to the latest versions of Apache log4j 2 recommended by the Apache Software Foundation. The investigation is ongoing but, to date, Adobe has discovered no indication to suggest customer data has been impacted as a result of this issue.

ColdFusion plans to release a patch (version(s) 2021 & 2018) for this log4j vulnerability to customers on 12/17/2021. In the meantime, we recommend ColdFusion customers apply the following workaround/mitigation steps until this patch has been released:

Workaround/Mitigation steps:

CF2021: CF 2021 ships with log4j 2.13.3 and 1.2 versions. The former is impacted by this vulnerability while the latter is not.

Steps:
1. Stop the server.
2. Navigate to the <cf_root>\<Instance_name>\bin directory.
3. Open the jvm.config file, add the -Dlog4j2.formatMsgNoLookups=true argument in the java.args section and save.
4. If using any third-party libraries that use log4j2, and hence vulnerable, search for log4j-core in the <cf_root> directory. If a log4j2 version (<= 2.10 and >= 2.0-beta9) is found, remove the JndiLookup class from the classpath as below, otherwise skip this step.
   - If the operating system is Windows, unzip the log4j-core-2.x.jar file, remove the class at path org/apache/logging/log4j/core/lookup/JndiLookup.class and zip log4j-core-2.x.jar again. X is the version number you found in the folder.
   - If the operating system is non-Windows, remove the JndiLookup class from the classpath: "zip -q -d log4j-core-2.x.jar org/apache/logging/log4j/core/lookup/JndiLookup.class". X is the version number you found in the folder.
5. Start the instance.
6. Repeat this for all the instances.

CF2018: CF 2018 ships with log4j 2.13.3 and/or 2.9.0, and log4j 1.2. The former are impacted by this vulnerability while the latter (i.e., v1.2) is not impacted.

Steps:
1. Stop the server.
2. Navigate to the <cf_root>\<Instance_name>\bin directory.
3. Open the jvm.config file, add the -Dlog4j2.formatMsgNoLookups=true argument in the java.args section and save.
4. Navigate to the <cf_root>\<Instance_name>\lib directory.
5. If you find log4j-core-2.9.0.jar, move the file to a temporary location.
6. Copy the patched log4j-core-2.9.0.jar file with the JndiLookup class removed from here.
7. If using any third-party libraries that use log4j2, and hence vulnerable, search for log4j-core in the <cf_root> directory. If a log4j2 version (<= 2.10 and >= 2.0-beta9) is found, remove the JndiLookup class from the classpath as below, otherwise skip this step.
   - If the operating system is Windows, unzip the log4j-core-2.x.jar file, remove the class at path org/apache/logging/log4j/core/lookup/JndiLookup.class and zip log4j-core-2.x.jar again. X is the version number you found in the folder.
   - If the operating system is non-Windows, remove the JndiLookup class from the classpath: "zip -q -d log4j-core-2.x.jar org/apache/logging/log4j/core/lookup/JndiLookup.class". X is the version number you found in the folder.
8. Start the instance.
9. You can now delete log4j-core-2.9.0.jar from the temporary location.
10. Repeat this for all the instances.

PMT 2021: PMT 2021 ships with log4j 2.11.1 and log4j 2.3. Both versions are impacted.

Steps:
1. Stop the PMT and datastore services.
2. Navigate to the <PMT_Home>\datastore\config directory.
3. Open the jvm.options file, add the -Dlog4j2.formatMsgNoLookups=true argument in the #log4j2 section and save.
4. Navigate to the <PMT_Home>\lib directory.
5. Move the file log4j-core-2.3.jar to a temporary location.
6. Copy the patched log4j-core-2.3.jar file with the JndiLookup class removed from here.
7. Start the datastore and PMT services.
8. You can now delete log4j-core-2.3.jar from the temporary location.

PMT 2018: PMT 2018 ships with log4j 2.9.1 and log4j 2.3. Both versions are impacted.

Steps:
1. Stop the PMT and datastore services.
2. Navigate to the <PMT_Home>\datastore\lib directory.
3. Move the file log4j-core-2.9.1.jar to a temporary location.
4. Copy the patched log4j-core-2.9.1.jar file with the JndiLookup class removed from here.
5. Navigate to the <PMT_Home>\lib directory.
6. Move the file log4j-core-2.3.jar to a temporary location.
7. Copy the patched log4j-core-2.3.jar file with the JndiLookup class removed from here.
8. Start the datastore and PMT services.
9. You can now delete log4j-core-2.3.jar and log4j-core-2.9.1.jar from the temporary location.

APIM 2021 and APIM 2018: APIM 2021 and 2018 ship with log4j 2.3. This version is impacted.

Steps:
1. Stop the APIM server (<APIM_Home>\bin) and the Analytics (<APIM_Home>\database\analytics\bin) service.
2. Navigate to the <APIM_Home>\lib directory.
3. Move the file log4j-core-2.3.jar to a temporary location.
4. Copy the patched log4j-core-2.3.jar file with the JndiLookup class removed from here.
5. Start the Analytics service and the APIM server.
6. You can now delete log4j-core-2.3.jar from the temporary location.

Note: For more information, we recommend users refer to the post below by Pete Freitag on the log4j issue: https://www.petefreitag.com/item/923.cfm
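The steps quoted above boil down to two checks a server owner can verify after the fact: every log4j-core jar under the install root has had org/apache/logging/log4j/core/lookup/JndiLookup.class removed if its version is in the stated range, and jvm.config carries -Dlog4j2.formatMsgNoLookups=true in java.args. The following audit script is an added example, not code from Adobe or from the original poster. It assumes the version can be read from the jar file name (as the "X is the version number you found in the folder" wording implies), and it builds a constructed directory layout in a temp folder so it runs offline; the jar contents and the jvm.config line are placeholders, not a real ColdFusion install.

```python
import os
import re
import shutil
import tempfile
import zipfile

# The class the mitigation removes, and the JVM flag it adds to java.args
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JVM_FLAG = "-Dlog4j2.formatMsgNoLookups=true"
# Matches log4j-core-2.9.0.jar, log4j-core-2.0-beta9.jar, log4j-core-2.0-rc1.jar
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?\.jar$")


def parse_version(filename):
    """Return (major, minor, patch, pre) from a log4j-core jar name, or None.
    pre is None for a release, else a tuple such as ('beta', 9)."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    pre = (m.group(4), int(m.group(5))) if m.group(4) else None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), pre)


def in_class_removal_range(version):
    """True for the range the post gives for class removal: >= 2.0-beta9 and <= 2.10."""
    major, minor, _patch, pre = version
    if major != 2 or minor > 10:
        return False
    if pre is not None:  # only 2.0 had beta/rc builds; betas before beta9 are out of range
        return minor == 0 and (pre[0] == "rc" or pre[1] >= 9)
    return True


def jar_has_jndi_lookup(jar_path):
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_CLASS in zf.namelist()


def scan_jars(root):
    """Walk root (the 'search for log4j-core in <cf_root>' step) and report each jar."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            version = parse_version(name)
            if version is None:
                continue
            path = os.path.join(dirpath, name)
            present = jar_has_jndi_lookup(path)
            findings.append({"path": path, "version": version, "jndi_present": present,
                             "remove_class": present and in_class_removal_range(version)})
    return sorted(findings, key=lambda f: f["path"])


def jvm_config_has_flag(jvm_config_path):
    """Check the java.args line of jvm.config for the formatMsgNoLookups flag."""
    with open(jvm_config_path, encoding="utf-8") as fh:
        for line in fh:
            if line.strip().startswith("java.args="):
                return JVM_FLAG in line.split("=", 1)[1].split()
    return False


def remove_jndi_class(jar_path):
    """Rewrite the jar without JndiLookup.class (what 'zip -q -d' does on non-Windows).
    Returns True if the entry was removed, False if it was not present."""
    tmp_path = jar_path + ".tmp"
    removed = False
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))
    if removed:
        os.replace(tmp_path, jar_path)
    else:
        os.remove(tmp_path)
    return removed


def build_demo_tree(root):
    """Constructed sample layout (hypothetical, not a real ColdFusion install)."""
    lib, bin_dir = os.path.join(root, "cfusion", "lib"), os.path.join(root, "cfusion", "bin")
    os.makedirs(lib)
    os.makedirs(bin_dir)
    for ver in ("2.9.0", "2.13.3"):  # one in the removal range, one outside it
        with zipfile.ZipFile(os.path.join(lib, f"log4j-core-{ver}.jar"), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    with zipfile.ZipFile(os.path.join(lib, "log4j-1.2.17.jar"), "w") as zf:  # log4j 1.x: ignored
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
    with open(os.path.join(bin_dir, "jvm.config"), "w", encoding="utf-8") as fh:
        fh.write("java.home=/opt/coldfusion/jre\njava.args=-server -Xms256m -Xmx1024m\n")


def run_demo():
    """Build the constructed tree, audit it, strip the in-range jar, re-audit."""
    root = tempfile.mkdtemp(prefix="cf_log4j_demo_")
    try:
        build_demo_tree(root)
        before = scan_jars(root)
        flag = jvm_config_has_flag(os.path.join(root, "cfusion", "bin", "jvm.config"))
        removed = sum(remove_jndi_class(f["path"]) for f in before if f["remove_class"])
        after = scan_jars(root)
        return {"versions": [f["version"][:3] for f in before],
                "remove_class_before": [f["remove_class"] for f in before],
                "jndi_present_after": [f["jndi_present"] for f in after],
                "flag_present": flag, "removed_count": removed}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real server, call scan_jars on the install root and jvm_config_has_flag on each instance's bin\jvm.config instead of run_demo; a jar that still reports jndi_present with remove_class set, or a jvm.config without the flag, means that instance has not had the workaround applied. Note that 2.13.3, which CF 2021 ships, is outside the class-removal range the post gives, so for it only the JVM flag step applies until the vendor patch lands.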