Log4j 2.17.0 vulnerability on ColdFusion

Note:

Apply the steps in this tech note after installing the latest updates for ColdFusion 2018 (Update 13) and ColdFusion 2021 (Update 3), which were released on 17 Dec 2021.

Overview

On December 9, 2021, an industry-wide issue (CVE-2021-44228) was reported in Apache log4j 2 that allowed adversaries to perform Remote Code Execution (RCE), leading to unauthorized access to host systems. The Apache Software Foundation provided an updated version (v2.15.0) that addressed this issue.

On December 14, 2021, an issue (CVE-2021-45046) was reported in Apache log4j 2 v2.15.0 that could make certain non-default configurations using JNDI features susceptible to exploitation by adversaries to achieve Remote Code Execution (RCE). Host systems that applied v2.15.0 were also susceptible to denial-of-service (DoS) attacks. The Apache Software Foundation released version v2.16.0 to remedy this specific issue.

Adobe released updates for ColdFusion 2018 (Update 13) and ColdFusion 2021 (Update 3) on 17 Dec 2021 to address these vulnerabilities.

On 18 Dec 2021, another issue (CVE-2021-45105) was reported in Apache log4j 2 v2.16.0, which did not protect against uncontrolled recursion from self-referential lookups. This allowed an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0.

Adobe published the mitigation steps to address these vulnerabilities on 21 Dec 2021.

On 28 Dec 2021, an issue (CVE-2021-44832) was reported in Apache log4j 2 v2.17.0 that was vulnerable to a remote code execution (RCE) attack. This occurred when a configuration used a JDBC Appender with a JNDI LDAP data source URI and an attacker had control of the target LDAP server. Apache addressed this by releasing a newer version of Log4j (2.17.1) that limits JNDI data source names to the java protocol.

Even though Adobe ColdFusion uses this library, we did not find any exploitable attack vector or mechanism with Adobe ColdFusion.

As a best practice, we recommend that you upgrade the Log4j2 libraries to version 2.17.1.

Note: The zip file packages all the updated jars for ColdFusion, Performance Monitoring Toolset, and API Manager.

ColdFusion (2021 release) and (2018 release)

  1. Stop the ColdFusion instance.

  2. Navigate to the directory <cf_root>\<cf_instance>\lib.

    Remove the following jars:

    • log4j-core-2.16.0.jar
    • log4j-api-2.16.0.jar
    • log4j-to-slf4j-2.16.0.jar

    and replace them with the following jars bundled in this zip file, log4j2.17.1 (Checksum: bd9d63d6fd90a4ffc3396b33110dc75d).

    • log4j-core-2.17.1.jar
    • log4j-api-2.17.1.jar
    • log4j-to-slf4j-2.17.1.jar

  3. Restart the ColdFusion instance.

  4. Repeat the procedure for all other ColdFusion instances.

Performance Monitoring Toolset 2021 and 2018

  1. Apply the latest Performance Monitoring Toolset updates.

  2. Stop the Performance Monitoring Toolset and datastore services.

  3. Navigate to the directory <PMT_Home>\lib.

  4. Remove the following jars:

    • log4j-core-2.16.0.jar
    • log4j-api-2.16.0.jar

    and replace them with the following jars bundled in this zip file, log4j2.17.1 (Checksum: bd9d63d6fd90a4ffc3396b33110dc75d).

    • log4j-core-2.17.1.jar
    • log4j-api-2.17.1.jar

  5. Navigate to the directory <PMT_Home>\datastore\lib.

  6. Remove the following jars:

    • log4j-core-2.16.0.jar
    • log4j-api-2.16.0.jar
    • log4j-1.2-api-2.16.0.jar

    and replace them with the following jars bundled in this zip file, log4j2.17.1 (Checksum: bd9d63d6fd90a4ffc3396b33110dc75d).

    • log4j-core-2.17.1.jar
    • log4j-api-2.17.1.jar
    • log4j-1.2-api-2.17.1.jar

  7. Restart the Performance Monitoring Toolset and datastore services.

API Manager 2021, 2018, and 2016

  1. To apply the latest update, follow the instructions in ColdFusion API Manager updates.

  2. Stop the API Manager server.

  3. Navigate to the directory <APIM_Home>\lib.

  4. Remove the following jars:

    • log4j-core-2.16.0.jar
    • log4j-api-2.16.0.jar
    • log4j-slf4j-2.16.0.jar
    • log4j-jul-2.16.0.jar

    and replace them with the following jars bundled in this zip file, log4j2.17.1 (Checksum: bd9d63d6fd90a4ffc3396b33110dc75d).

    • log4j-core-2.17.1.jar
    • log4j-api-2.17.1.jar
    • log4j-slf4j-impl-2.17.1.jar
    • log4j-jul-2.17.1.jar

  5. Restart API Manager.
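The three procedures above (ColdFusion, Performance Monitoring Toolset, API Manager) all come down to the same check: the downloaded zip matches the published checksum, and each lib directory ends up with only 2.17.1 log4j jars and no leftover 2.16.0 copies. The following script is an added verification example, not Adobe's tooling; the directory listing it audits is constructed, and the artifact-name pattern is an assumption based on the jar names listed in this note.

```python
import hashlib
import re
from pathlib import Path

# MD5 of the log4j2.17.1 zip as published in this tech note.
EXPECTED_ZIP_MD5 = "bd9d63d6fd90a4ffc3396b33110dc75d"
TARGET_VERSION = (2, 17, 1)
# Matches log4j-core-2.16.0.jar, log4j-1.2-api-2.17.1.jar, log4j-slf4j-impl-2.17.1.jar, ...
JAR_RE = re.compile(r"^(log4j-.+?)-(\d+)\.(\d+)\.(\d+)\.jar$")

def audit_jar_names(names):
    """Group log4j jar names by artifact into {"stale": [...], "current": [...]},
    so leftover 2.16.0 jars and old/new jars sitting side by side both show up."""
    result = {}
    for name in names:
        m = JAR_RE.match(name)
        if not m:
            continue  # not a log4j jar (e.g. cfusion.jar)
        version = tuple(int(g) for g in m.group(2, 3, 4))
        bucket = "current" if version >= TARGET_VERSION else "stale"
        result.setdefault(m.group(1), {"stale": [], "current": []})[bucket].append(name)
    return result

def problems(audit):
    """Turn an audit into findings; an empty list means the directory is clean."""
    out = []
    for artifact, b in sorted(audit.items()):
        if b["stale"] and b["current"]:
            # Two copies of one artifact on the classpath: the old jar was not deleted.
            out.append(f"{artifact}: old jar(s) not removed next to new: {b['stale']}")
        elif b["stale"]:
            out.append(f"{artifact}: still below 2.17.1: {b['stale']}")
    return out

def audit_dir(lib_dir):
    """Run the check on a real directory such as <cf_root>\\<cf_instance>\\lib."""
    return problems(audit_jar_names(p.name for p in Path(lib_dir).glob("*.jar")))

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def zip_matches_checksum(zip_path, expected=EXPECTED_ZIP_MD5):
    """Compare the downloaded zip with the checksum printed in the tech note."""
    return md5_hex(Path(zip_path).read_bytes()) == expected.lower()

if __name__ == "__main__":
    # Constructed sample: new jars copied in, but log4j-core-2.16.0.jar never deleted.
    sample = ["log4j-core-2.16.0.jar", "log4j-core-2.17.1.jar", "log4j-api-2.17.1.jar",
              "log4j-to-slf4j-2.17.1.jar", "cfusion.jar"]
    print("\n".join(problems(audit_jar_names(sample))) or "clean")
```

Run `audit_dir()` against each lib directory named in this note after restarting the services; any non-empty result means the jar replacement step is incomplete.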
