Log4j 2.16 vulnerability on ColdFusion

註解:

Apply the steps in this tech-note after installing the latest updates 2018 (Update 13) and 2021 (Update 3) that were released on 17 Dec 2021

Overview

There are a couple of vulnerabilities that have been reported in Log4j CVE-2021-44228 (LogShell) and CVE-2021-45046, which is a popular library. Adobe ColdFusion uses these libraries.

Adobe released updates for 2018 (Update 13) and 2021 (Update 3) to address these vulnerabilities on 17 Dec, 2021.

A new vulnerability CVE-2021-45105 was reported on 18th Dec 2021, which Apache addressed by releasing a newer version of Log4j (2.17.0). Even though Adobe ColdFusion uses this library, we did not find any exploitable attack vector or mechanism with Adobe ColdFusion.

As a best practice, we recommend that you upgrade the Log4j2 libraries to version 2.17.0.

Note: The zip packages all the updated jars for ColdFusion, Performance Monitoring Toolset, and API Manager.

ColdFusion (2021 release) and (2018 release)

  1. Stop the ColdFusion instance.

  2. Navigate to the directory <cf_root>\<cf_instance>\lib.

    Remove the following jars:

    • log4j-core-2.16.0.jar
    • log4j-api-2.16.0.jar
    • log4j-to-slf4j-2.16.0.jar

    and replace them with the following jars bundled in this zip file, log4j2.17.0 (Checksum: 3e39223055936f59bf8c0ce3846a5b5a).

    • log4j-core-2.17.0.jar,
    • log4j-api-2.17.0.jar
    • log4j-to-slf4j-2.17.0.jar
  3. Restart the ColdFusion instance.

  4. Repeat the procedure for all other ColdFusion instances. 

Performance Monitoring Toolset 2021 and 2018

  1. Apply the latest Performance Monitoring Toolset updates:

  2. Stop the Performance Monitoring Toolset and datastore services.

  3. Navigate to the directory <PMT_Home>\lib

  4. Remove the following jars:

    • log4j-core-2.16.0.jar
    • log4j-api-2.16.0.jar

    and replace them with the following jars bundled in this zip file, log4j2.17.0 (Checksum: 3e39223055936f59bf8c0ce3846a5b5a).

    • log4j-core-2.17.0.jar,
    • log4j-api-2.17.0.jar
  5. Navigate to the directory <PMT_Home>\datastore\lib.

  6. Remove the following jars:

    • log4j-core-2.16.0.jar
    • log4j-api-2.16.0.jar
    • log4j-1.2-api-2.16.0.jar

    and replace them with the following jars bundled in this zip file, log4j2.17.0 (Checksum: 3e39223055936f59bf8c0ce3846a5b5a).

    • log4j-core-2.17.0.jar
    • log4j-api-2.17.0.jar
    • log4j-1.2-api-2.17.0.jar
  7. Restart the Performance Monitoring Toolset and datastore services. 

API Manager 2021, 2018, and 2016

  1. To apply the latest update, follow the instructions in ColdFusion API Manager updates.

  2. Stop the API Manager server.

  3. Navigate to the directory <APIM_Home>\lib.

  4. Remove the following jars:

    • log4j-core-2.16.0.jar
    • log4j-api-2.16.0.jar
    • log4j-slf4j-2.16.0.jar
    • log4j-jul-2.16.0.jar

    and replace them with the following jars bundled in this zip file, log4j2.17.0 (Checksum: 3e39223055936f59bf8c0ce3846a5b5a).

    • log4j-core-2.17.0.jar,
    • log4j-api-2.17.0.jar
    • log4j-slf4j-impl-2.17.0.jar
    • log4j-jul-2.17.0.jar
  5. Restart API Manager.

 Adobe

更快、更輕鬆地獲得協助

新的使用者?