Critical security vulnerabilities have been reported for Apache Log4j2, a popular logging library for Java-based applications. The following vulnerabilities have been analyzed:
|Vulnerability||What's impacted||What's not impacted?||Status|
||These have been fixed. See, the Resolution section for fixes and mitigation steps.
|CVE-2021-45105||No impact on any Experience Manager Forms release.
|CVE-2021-4104 for log4j 1.x
You can use one of the following methods to mitigate the risk of this vulnerability:
Install the latest service pack
If you have applied a hotfix on the Experience Manager Forms Service Pack 126.96.36.199 or Experience Manager Forms Service Pack 188.8.131.52 environment, do not install the service pack with the vulnerabilities fixes (listed below). Installing these service packs may overwrite the hotfix. Adobe recommends using manual mitigation steps in such a scenario.
|Release||Version||Download link/User action|
|Experience Manager 6.5 Forms on JEE||AEMForms-6.5.0-0038 (log4jv2.16)
||Download from Software Distribution.
|Experience Manager 6.4 Forms on JEE||AEMForms-6.4.0-0027|
|Experience Manager 6.3 Forms on JEE
|Experience Manager 6.5 Forms Designer||AEM Forms Designer v650.019|
|Experience Manager 6.4 Forms Designer||AEM Forms Designer v640.012|
|Automated Forms Conversion Service||The mitigation steps were identified and the service was patched.||There is no user action.|
Use manual mitigation steps
To mitigate the issue, for Experience Manager 6.5 Forms (log4j-core version 2.10 and later), Experience Manager 6.4 Forms (log4j-core version earlier than 2.10), and Experience Manager 6.3 Forms (log4j-core version earlier than 2.10), perform the following steps:
1. Shut down all the server instances and locators.
2. Remove org/apache/logging/log4j/core/lookup/JndiLookup.class from the vulnerable log4j-core-2.xx.jar available at the following locations:
3. Repeat step 2 for each application server instance (node) and all locators (if more than one).
4. After updating the jar, redeploy the modified EAR and restart all locator processes and server instances.