Mitigating Log4j2 vulnerabilities for Experience Manager Forms
Critical security vulnerabilities have been reported for Apache Log4j2, a popular logging library for Java-based applications. The following vulnerabilities have been analyzed:
|Vulnerability||What's impacted||What's not impacted?||Status|
||These have been fixed. See, the Resolution section for fixes and mitigation steps.
|CVE-2021-45105||No impact on any Experience Manager Forms release for out of the box logging configurations. If you have any additional logging configurations, check these configurations for these vulnerabilities.
AEM 18.104.22.168 Forms and earlier releases includes both Log4j libraries (1.x and 2.17.1). The AEM Forms Log4j 1.x libraries in AEM 22.214.171.124 Forms and earlier releases are not part of the vulnerability reported nor are they noted as vulnerable in AEM Forms code scans performed by Adobe. However, all Log4j 1.x library are removed in the 6.5.14 release. For instructions to install AEM 126.96.36.199 or a later release, see release notes.
You can use one of the following methods to mitigate the risk of this vulnerability:
- Install the latest service pack
- Use manual mitigation steps
Install the latest service pack
If you have applied a hotfix on the Experience Manager Forms Service Pack 188.8.131.52 or Experience Manager Forms Service Pack 184.108.40.206 environment, do not install the service pack with the vulnerabilities fixes (listed below). Installing these service packs may overwrite the hotfix. Adobe recommends using manual mitigation steps in such a scenario.
|Release||Version||Download link/User action|
|Experience Manager 6.5 Forms on JEE||AEMForms-6.5.0-0038 (log4jv2.16)
||Download from Software Distribution.
|Experience Manager 6.4 Forms on JEE||AEMForms-6.4.0-0027|
|Experience Manager 6.3 Forms on JEE
|Experience Manager 6.5 Forms Designer||AEM Forms Designer v650.019|
|Experience Manager 6.4 Forms Designer||AEM Forms Designer v640.012|
|Automated Forms Conversion Service||The mitigation steps were identified and the service was patched.||There is no user action.|
Use manual mitigation steps
To mitigate the issue, for Experience Manager 6.5 Forms (log4j-core version 2.10 and later), Experience Manager 6.4 Forms (log4j-core version earlier than 2.10), and Experience Manager 6.3 Forms (log4j-core version earlier than 2.10), perform the following steps:
1. Shut down all the server instances and locators.
2. Remove org/apache/logging/log4j/core/lookup/JndiLookup.class from the vulnerable log4j-core-2.xx.jar available at the following locations:
- Deployable EAR: <FORMS_INSTALLATION_DIRECTORY>/configurationManager/export/adobe-livecycle-[jboss|weblogic|websphere].ear
- GemFire or Geode locator:
- (Linux with Oracle WebLogic or Redhat JBoss): Run the following command. Update the <version> and application server information before running these commands:
- unzip adobe-livecycle-<weblogic|jboss>.ear lib/log4j-core-<version>.jar
- zip -d lib/log4j-core-xxx.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
- zip -ru adobe-livecycle-jboss.ear lib/log4j-core-<version>.jar
- (Linux with IBM WebSphere): Run the following command. Update the <version> and application server information before running these commands:
- unzip adobe-livecycle-websphere.ear log4j-core-<version>.jar
- zip -d log4j-core-xxx.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
- (Microsoft Windows): Use a GUI tool like 7-Zip to remove the class file.
3. Repeat step 2 for each application server instance (node) and all locators (if more than one).
4. After updating the jar, redeploy the modified EAR and restart all locator processes and server instances.
- Replace the original copy of the log4j-core-2.xx jar with the updated copy. No other changes are required.
- When the configuration manager is run again, contents of <FORMS_INSTALLATION_DIRECTORY
>/configurationManager/export can be overwritten. To avoid redoing the above change each time this happens, update the jar in <FORMS_INSTALLATION_DIRECTORY>/deploy/adobe-core-[jboss|weblogic|websphere].ear. This ensures that the adobe-livecycle-[jboss|weblogic|websphere].ear produced by configuration manager already has the updated log4j-core-2.xx jar.
- Manual modifications to deployable artifacts can be overwritten on patching/upgrade. If this happens, reapply the procedure.