Mitigating Log4j2 vulnerabilities for Experience Manager Forms

Issue

Critical security vulnerabilities have been reported for Apache Log4j2, a popular logging library for Java-based applications. The following vulnerabilities have been analyzed:

Vulnerability: CVE-2021-44228

What's impacted:
  • Experience Manager 6.5 Forms on JEE (all versions from 6.5 GA to 6.5.11)
  • Experience Manager 6.4 Forms on JEE (all versions from 6.4 GA to 6.4.8)
  • Experience Manager 6.3 Forms on JEE (all versions from 6.3 GA to 6.3.3)
  • Experience Manager 6.5 Forms Designer
  • Experience Manager 6.4 Forms Designer
  • Automated Forms Conversion Service

What's not impacted:
  • Experience Manager Forms Workbench (all versions)
  • Experience Manager Forms on OSGi (all versions)

Status: These have been fixed. See the Resolution section for fixes and mitigation steps.

Vulnerability: CVE-2021-45046, CVE-2021-45105

No impact on any Experience Manager Forms release for out-of-the-box logging configurations. If you have any additional logging configurations, check these configurations for these vulnerabilities.

Vulnerability: CVE-2021-44832, CVE-2021-4104, CVE-2022-22963, CVE-2022-22965, CVE-2020-9488, CVE-2022-23302

Note:

AEM 6.5.13.0 Forms and earlier releases include both Log4j libraries (1.x and 2.17.1). The AEM Forms Log4j 1.x libraries in AEM 6.5.13.0 Forms and earlier releases are not part of the reported vulnerability, nor are they noted as vulnerable in AEM Forms code scans performed by Adobe. However, all Log4j 1.x libraries are removed in the 6.5.14 release. For instructions to install AEM 6.5.14.0 or a later release, see the release notes.

Resolution

You can use one of the following methods to mitigate the risk of this vulnerability:

  • Install the latest service pack
  • Use manual mitigation steps  

Install the latest service pack

Caution:

If you have applied a hotfix on the Experience Manager Forms Service Pack 6.3.3.8 or Experience Manager Forms Service Pack 6.4.8.4 environment, do not install the service pack with the vulnerability fixes (listed below). Installing these service packs may overwrite the hotfix. Adobe recommends using manual mitigation steps in such a scenario.

Release, version, and download link/user action:

  • Experience Manager 6.5 Forms on JEE: AEMForms-6.5.0-0038 (log4jv2.16). Download from Software Distribution.
  • Experience Manager 6.4 Forms on JEE: AEMForms-6.4.0-0027
  • Experience Manager 6.3 Forms on JEE: AEMForms-6.3.0-0047
  • Experience Manager 6.5 Forms Designer: AEM Forms Designer v650.019
  • Experience Manager 6.4 Forms Designer: AEM Forms Designer v640.012
  • Automated Forms Conversion Service: The mitigation steps were identified and the service was patched. There is no user action.

Use manual mitigation steps

To mitigate the issue, for Experience Manager 6.5 Forms (log4j-core version 2.10 and later), Experience Manager 6.4 Forms (log4j-core version earlier than 2.10), and Experience Manager 6.3 Forms (log4j-core version earlier than 2.10), perform the following steps: 

1. Shut down all the server instances and locators.

2. Remove org/apache/logging/log4j/core/lookup/JndiLookup.class from the vulnerable log4j-core-2.xx.jar available at the following locations:

  • Deployable EAR: <FORMS_INSTALLATION_DIRECTORY>/configurationManager/export/adobe-livecycle-[jboss|weblogic|websphere].ear
  • GemFire or Geode locator: <FORMS_INSTALLATION_DIRECTORY>/lib/caching/lib

To update the deployable EAR, depending on your operating system, you can use one of the following methods to remove JndiLookup.class from the vulnerable log4j-core-2.xx.jar:

  • (Linux with Oracle WebLogic or Red Hat JBoss): Run the following commands. Update the <version> and application server information before running these commands:
    • unzip adobe-livecycle-<weblogic|jboss>.ear lib/log4j-core-<version>.jar
    • zip -d lib/log4j-core-<version>.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
    • zip -ru adobe-livecycle-<weblogic|jboss>.ear lib/log4j-core-<version>.jar
  • (Linux with IBM WebSphere): Run the following commands. Update the <version> and application server information before running these commands:
    • unzip adobe-livecycle-websphere.ear log4j-core-<version>.jar
    • zip -d log4j-core-<version>.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
    • zip -ru adobe-livecycle-websphere.ear log4j-core-<version>.jar
  • (Microsoft Windows): Use a GUI tool like 7-Zip to remove the class file.

3. Repeat step 2 for each application server instance (node) and all locators (if more than one). 

4. After updating the jar, redeploy the modified EAR and restart all locator processes and server instances.

Note:
  • Replace the original copy of the log4j-core-2.xx jar with the updated copy. No other changes are required.
  • When the configuration manager is run again, contents of <FORMS_INSTALLATION_DIRECTORY>/configurationManager/export can be overwritten. To avoid redoing the above change each time this happens, update the jar in <FORMS_INSTALLATION_DIRECTORY>/deploy/adobe-core-[jboss|weblogic|websphere].ear. This ensures that the adobe-livecycle-[jboss|weblogic|websphere].ear produced by configuration manager already has the updated log4j-core-2.xx jar.
  • Manual modifications to deployable artifacts can be overwritten on patching/upgrade. If this happens, reapply the procedure. 
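
To confirm the manual mitigation took effect on every node and locator, and to recheck after a patch or a configuration manager run, the following added example (not Adobe's code) reports every log4j-core 2.x jar that still contains JndiLookup.class. It goes slightly beyond the steps above by descending into archives nested at any depth inside the EAR; the function names and the log4j-core-2*.jar filename match are assumptions of this example.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_JAR = re.compile(r"(^|/)log4j-core-2[^/]*\.jar$")  # assumption: jars keep their stock name
ARCHIVES = (".ear", ".war", ".jar", ".rar")

def scan_archive(src, label):
    """Return labels of log4j-core 2.x jars at or below `label` that still hold JndiLookup.class."""
    try:
        zf = zipfile.ZipFile(src)
    except zipfile.BadZipFile:
        return []  # not a readable archive, nothing to report
    hits = []
    with zf:
        names = zf.namelist()
        if CORE_JAR.search(label.replace("\\", "/")) and JNDI_CLASS in names:
            hits.append(label)
        for name in names:  # descend into jars nested in the EAR (lib/ or root)
            if name.lower().endswith(ARCHIVES):
                hits += scan_archive(io.BytesIO(zf.read(name)), f"{label}!/{name}")
    return hits

def scan_path(root):
    """Scan one archive, or every archive under a directory such as the locator lib folder."""
    root = Path(root)
    if not root.exists():
        raise FileNotFoundError(root)  # a mistyped path must not be reported as clean
    files = [root] if root.is_file() else sorted(p for p in root.rglob("*") if p.is_file())
    return [h for f in files if f.suffix.lower() in ARCHIVES for h in scan_archive(f, str(f))]

def make_zip(entries):
    """Build an in-memory zip from {name: bytes}; only used for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    found = [h for arg in sys.argv[1:] for h in scan_path(arg)]
    if not sys.argv[1:]:  # no paths given: demo on a constructed, unpatched sample EAR
        jar = make_zip({JNDI_CLASS: b"stub"})
        found = scan_archive(io.BytesIO(make_zip({"lib/log4j-core-2.13.0.jar": jar})), "sample.ear")
    print("\n".join(f"JndiLookup.class still present: {h}" for h in found) or "clean")
    sys.exit(1 if found and sys.argv[1:] else 0)
```

Pass the EAR paths and the locator lib directory as arguments; a non-zero exit status means at least one jar still needs step 2.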

References

Who should I contact if I have additional questions or any issues in performing mitigation steps?

You can contact Adobe Support or raise a support ticket.
