Critical Vulnerabilities in Apache Log4j Java Library
On December 9th, 2021, an industry-wide issue was reported in Apache log4j 2 (CVE-2021-44228) that adversaries can use to achieve Remote Code Execution (RCE). This may lead to unauthorized access to host systems. An updated version (v2.15.0) that addresses this issue has been made available by the Apache Software Foundation.
On December 14, 2021, an issue was reported in Apache log4j 2 v2.15.0 (CVE-2021-45046) that can make certain non-default configurations using JNDI features also susceptible to exploitation by adversaries to achieve Remote Code Execution (RCE). Host systems that applied v2.15.0 may also be susceptible to denial-of-service (DoS) attacks. The Apache Software Foundation has released version v2.16.0 to remedy this specific issue.
As additional Apache patches are released, we will continue to evaluate and apply them as applicable to Adobe products.
We have reviewed the potential impact and are following the recommended guidance from the Apache Software Foundation. Our investigation has concluded and Adobe has not discovered any indication that customer data has been impacted.
For the table below:
“Mitigated” means that the product/service has successfully addressed the CVE.
“N/A (not applicable)” means that the product/service does not use the vulnerable Apache log4j 2 library.
| Product | CVE-2021-44228 | CVE-2021-45046 |
| --- | --- | --- |
| Core Services | | |
| Adobe I/O | N/A | N/A |
| Adobe Identity Management Services (Adobe ID) | Mitigated | Mitigated |
| Adobe Account Management | N/A | N/A |
| Adobe User Sync Tool | N/A | N/A |
| Adobe Admin Console | N/A | N/A |
| Adobe Creative Cloud | | |
| Adobe Creative Cloud Services (Libraries, Collaboration, Storage, Sync, Notifications, Web UI) | Mitigated | Mitigated |
| Adobe Creative Cloud Desktop/Mobile apps | N/A | N/A |
| Adobe Creative Cloud Mobile SDKs | N/A | N/A |
| Adobe Express | N/A | N/A |
| Adobe Capture | N/A | N/A |
| Adobe Color | N/A | N/A |
| Adobe Fonts (TypeKit) | Mitigated | Mitigated |
| Adobe Behance | Mitigated | Mitigated |
| Frame.io by Adobe | N/A | N/A |
| Adobe Portfolio | N/A | N/A |
| Adobe UXP Developer Tool | N/A | N/A |
| Adobe Bridge | N/A | N/A |
| Adobe Media Encoder | N/A | N/A |
| Adobe Dreamweaver | N/A | N/A |
| Adobe Dimension | N/A | N/A |
| Adobe InDesign | N/A | N/A |
| Adobe InDesign Server | N/A | N/A |
| Adobe InCopy | N/A | N/A |
| Adobe Illustrator | N/A | N/A |
| Adobe Photoshop | N/A | N/A |
| Adobe Premiere Pro | N/A | N/A |
| Adobe After Effects | N/A | N/A |
| Adobe Prelude | N/A | N/A |
| Adobe Premiere Rush | N/A | N/A |
| Adobe Substance Source | N/A | N/A |
| Adobe Substance Painter | N/A | N/A |
| Adobe Substance Designer | N/A | N/A |
| Adobe Substance Alchemist | N/A | N/A |
| Adobe Aero (apps & services) | Mitigated | Mitigated |
| Adobe Animate | N/A | N/A |
| Adobe Audition | N/A | N/A |
| Adobe Character Animator | N/A | N/A |
| Adobe XD | N/A | N/A |
| Adobe Lightroom (Classic and CC) | N/A | N/A |
| Adobe Fresco | N/A | N/A |
| Mixamo by Adobe | Mitigated | Mitigated |
| Adobe FrameMaker | N/A | N/A |
| Adobe Stock | Mitigated | Mitigated |
| Adobe Document Cloud | | |
| Adobe Document/PDF Services (including APIs) | Mitigated | Mitigated |
| Adobe Sign | Mitigated | Mitigated |
| Adobe Acrobat DC | N/A | N/A |
| Adobe Experience Cloud | | |
| Adobe Analytics | Mitigated | Mitigated |
| Adobe Analytics Data Workbench | N/A | N/A |
| Adobe Commerce (Magento) | Mitigated | Mitigated |
| Adobe Customer Journey Analytics | Mitigated | Mitigated |
| Adobe Advertising Cloud | Mitigated | Mitigated |
| Adobe Audience Manager | Mitigated | Mitigated |
| Adobe Campaign Classic (hosted, hybrid, on premise) | N/A | N/A |
| Adobe Campaign Standard | Mitigated | Mitigated |
| Adobe Journey Optimizer | N/A | N/A |
| Adobe Experience Manager as a Cloud Service | Mitigated | Mitigated |
| Adobe Experience Manager as a Managed Service | N/A | N/A |
| Adobe Experience Manager (on premise, v6.3 - v6.5) | N/A | N/A |
| Adobe Experience Manager Forms | Mitigated | Mitigated |
| Adobe Experience Manager Dynamic Media (Scene7) as a Cloud Service | Mitigated | Mitigated |
| Adobe Experience Manager Dynamic Media (Scene7) as a Managed Service | Mitigated | Mitigated |
| Adobe Experience Manager Screens | N/A | N/A |
| Adobe Experience Manager Assets Brand Portal | N/A | N/A |
| Adobe Experience Platform Core | Mitigated | Mitigated |
| Adobe Experience Platform Data Foundation | Mitigated | Mitigated |
| Adobe Experience Platform Data Science Workspace | Mitigated | Mitigated |
| Adobe Experience Platform Journey Orchestration | N/A | N/A |
| Adobe Experience Platform Offer Decisioning Service | N/A | N/A |
| Adobe Experience Platform Query Service | Mitigated | Mitigated |
| Adobe Experience Platform Activation | Mitigated | Mitigated |
| Adobe Experience Platform Tags (DTM/Launch) | Mitigated | Mitigated |
| Adobe Real-time Customer Data Platform (CDP) | Mitigated | Mitigated |
| Adobe Marketo Engage | Mitigated | Mitigated |
| Adobe Bizible | N/A | N/A |
| Adobe Target | Mitigated | Mitigated |
| Adobe Workfront | Mitigated | Mitigated |
| Other Products | | |
| Adobe Captivate Prime | N/A | N/A |
| Adobe Update Server Setup Tool (AUSST) | N/A | N/A |
| Adobe Remote Update Manager (RUM) | N/A | N/A |
| Adobe Connect (hosted, Managed Services) | Mitigated | Mitigated |
| Adobe Connect (on premise) | Mitigated | Mitigated |
| Adobe ColdFusion | Mitigated | Mitigated |
| Adobe Photoshop Elements | N/A | N/A |
| Adobe Premiere Elements | N/A | N/A |
| Adobe Primetime | Mitigated | Mitigated |
| Adobe RoboHelp (client/server) | N/A | N/A |
| Adobe Feature Restricted Licensing (FRL) LAN Server | N/A | N/A |
We are actively working with our third-party vendors to help ensure that they have mitigations in place.
If you have further questions, please reach out to your dedicated Customer Success Manager (CSM), Technical Account Manager (TAM) or Adobe Customer Care.
Revisions:
December 20, 2021: Added Photoshop Elements and Premiere Elements as "N/A"; corrected Adobe Experience Manager (on premise, v6.3 - v6.5) to "N/A".
December 21, 2021: Added Adobe Advertising Cloud as "Mitigated"; Added Adobe Experience Manager Dynamic Media (Scene 7) as a Managed Service as "Mitigated"; Added Adobe Experience Platform Offer Decisioning Service as "N/A"; Added Adobe Fonts (Typekit) as "Mitigated".
January 5, 2022: Added information for CVE-2021-45046; corrected Adobe Portfolio to "N/A".
January 11, 2022: Added Adobe Remote Update Manager (RUM) as "N/A"; Added Adobe Update Server Setup Tool (AUSST) as "N/A"; Updated note around investigation status.
February 2, 2022: Added Adobe UXP Developer Tool as "N/A".
July 1, 2022: Renamed Creative Cloud Express to Adobe Express and removed Adobe Spark as a duplicate.