Log4j vulnerability on ColdFusion
A new, critical security vulnerability (CVE-2021-44228) has been found in Log4j, a popular logging library for Java-based applications. The vulnerability also impacts Adobe ColdFusion.
Adobe is investigating any potential impact and is taking action including updating affected systems to the latest versions of Apache Log4j recommended by the Apache Software Foundation.
ColdFusion plans to release a patch (for versions 2021 and 2018) for this Log4j vulnerability to customers on 12/17/2021.
Meanwhile, Adobe recommends that ColdFusion users apply the following workaround/mitigation steps until the patch is released.
ColdFusion 2021
ColdFusion 2021 comes with Log4j versions 2.13.3 and 1.2. The former is impacted by this vulnerability, while the latter is not.
Steps to follow for the fix:
- Stop the server.
- Navigate to the directory \\bin.
- Open the jvm.config file and add the -Dlog4j2.formatMsgNoLookups=true argument to the java.args section. Save the file.
- If you are using any third-party libraries that use Log4j2 and are therefore vulnerable, search the directory for log4j-core. If a Log4j2 version in the range >= 2.0-beta9 and <= 2.10 is found, remove the JndiLookup class from the classpath as described below; otherwise skip this step.
- If the operating system is Windows, unzip the log4j-core-2.x.jar file, delete the class at the path org/apache/logging/log4j/core/lookup/JndiLookup.class, and zip the contents back into log4j-core-2.x.jar. Here x is the version number you found in the folder.
- If the operating system is not Windows, remove the JndiLookup class from the jar with the command "zip -q -d log4j-core-2.x.jar org/apache/logging/log4j/core/lookup/JndiLookup.class". Here x is the version number you found in the folder.
- Restart the instance.
- Repeat the procedure for all other instances.
ColdFusion 2018
ColdFusion 2018 comes with Log4j 2.13.3 and/or 2.9.0, and Log4j 1.2. The 2.x versions are impacted by this vulnerability, while v1.2 is not.
Steps to follow for the fix:
- Stop the server.
- Navigate to the directory \\bin.
- Open the jvm.config file and add the -Dlog4j2.formatMsgNoLookups=true argument to the java.args section. Save the file.
- Copy in the patched log4j-core-2.9.0.jar file with the JndiLookup class removed; the new file can be downloaded from here. If you find an existing log4j-core-2.9.0.jar, move that file to a temporary location. If it is not found, skip this step.
- The temporary location must be outside ColdFusion's lib directory and, more generally, outside the classpath. You can place it outside ColdFusion's root directory.
- If you are using any third-party libraries that use Log4j2 and are therefore vulnerable, search the directory for log4j-core. If a Log4j2 version in the range >= 2.0-beta9 and <= 2.10 is found, remove the JndiLookup class from the classpath as described below; otherwise skip this step:
- If the operating system is Windows, unzip the log4j-core-2.x.jar file, delete the class at the path org/apache/logging/log4j/core/lookup/JndiLookup.class, and zip the contents back into log4j-core-2.x.jar. Here x is the version number you found in the folder.
- If the operating system is not Windows, remove the JndiLookup class from the jar with the command "zip -q -d log4j-core-2.x.jar org/apache/logging/log4j/core/lookup/JndiLookup.class". Here x is the version number you found in the folder.
- Restart the instance and delete log4j-core-2.9.0.jar from the temporary location.
- Repeat the procedure for all other instances.
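The third-party-library step in the ColdFusion 2021 and 2018 procedures above (find log4j-core jars in the affected version range, then strip JndiLookup.class) can be automated in one cross-platform script. The following is an added example, not Adobe's or ColdFusion's own tooling: it walks a directory, applies the advisory's version range, rewrites matching jars without the class (the equivalent of the unzip/delete/zip or zip -d step, leaving a .bak of the original), and reports which jars still contain JndiLookup. The demo() function builds constructed sample jars containing stub entries, not real bytecode.

```python
import os
import re
import shutil
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.\d+)?(?:-(\w+))?\.jar$")

def version_needs_class_removal(jar_name):
    """True for 2.0-beta9 .. 2.10.x, the range the advisory says needs JndiLookup
    removed; later 2.x releases are covered by -Dlog4j2.formatMsgNoLookups=true."""
    m = JAR_RE.match(jar_name)
    if not m:
        return False
    major, minor, qualifier = int(m.group(1)), int(m.group(2)), m.group(3) or ""
    if major != 2 or minor > 10:
        return False
    if minor == 0 and qualifier.startswith("beta"):
        return int(qualifier[4:]) >= 9
    return True

def has_jndi_lookup(jar_path):
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_CLASS in jar.namelist()

def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class, keeping a .bak of the original."""
    backup = jar_path + ".bak"
    shutil.copy2(jar_path, backup)
    with zipfile.ZipFile(backup) as src, zipfile.ZipFile(jar_path, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))

def scan(root, fix=False):
    """Map each log4j-core jar under root to whether it still contains JndiLookup."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in filter(JAR_RE.match, files):
            path = os.path.join(dirpath, name)
            if fix and version_needs_class_removal(name) and has_jndi_lookup(path):
                strip_jndi_lookup(path)
            results[name] = has_jndi_lookup(path)
    return results

def demo():
    """Constructed sample: two fake jars holding a JndiLookup stub (not real bytecode)."""
    root = tempfile.mkdtemp()
    for name in ("log4j-core-2.9.0.jar", "log4j-core-2.13.3.jar"):
        with zipfile.ZipFile(os.path.join(root, name), "w") as jar:
            jar.writestr(JNDI_CLASS, b"stub")
            jar.writestr("org/apache/logging/log4j/core/Logger.class", b"stub")
    return scan(root, fix=True)
```

Any jar the script reports as still containing JndiLookup after a fix run is one outside the advisory's removal range (2.13.3 in the sample), which the page mitigates with the jvm.config flag rather than class removal.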
ColdFusion 2016
ColdFusion 2016 comes with Log4j 1.2, which is not impacted. If the installation has any third-party libraries that use Log4j2, follow the steps listed for third party libraries above for version 2018 or 2021.
Performance Monitoring Toolset 2021
Performance Monitoring Toolset 2021 comes with log4j 2.11.1 and log4j 2.3. Both versions are impacted.
- Stop the Performance Monitoring Toolset and datastore services.
- Navigate to the directory \datastore\config.
- Open the file jvm.options and add the -Dlog4j2.formatMsgNoLookups=true argument in the #log4j2 section. Save the file.
- Navigate to the directory \lib.
- Move the file log4j-core-2.3.jar to a temporary location.
- Copy in the patched log4j-core-2.3.jar file with the JndiLookup class removed. The file can be downloaded from here.
- Restart the Performance Monitoring Toolset and datastore services.
- Delete log4j-core-2.3.jar from the temporary location.
Performance Monitoring Toolset 2018
Performance Monitoring Toolset 2018 comes with log4j 2.9.1 and log4j 2.3. Both versions are impacted.
- Stop the Performance Monitoring Toolset and datastore services.
- Navigate to the directory \datastore\lib.
- Move the file log4j-core-2.9.1.jar to a temporary location.
- Copy in the patched log4j-core-2.9.1.jar file with the JndiLookup class removed. The file can be downloaded from here.
- Navigate to the directory \lib.
- Copy the file log4j-core-2.3.jar to a temporary location.
- Copy in the patched log4j-core-2.3.jar file with the JndiLookup class removed. The file can be downloaded from here.
- Restart the Performance Monitoring Toolset and datastore services.
- Delete log4j-core-2.3.jar and log4j-core-2.9.1.jar from the temporary location.
API Manager 2021, 2018, and 2016
API Manager 2021, 2018, and 2016 come with Log4j 2.3. This version is impacted.
- Stop the API Manager server (\bin) and the Analytics service (database\analytics\bin).
- Navigate to the directory \lib.
- Move the file log4j-core-2.3.jar to a temporary location.
- Copy in the patched log4j-core-2.3.jar file with the JndiLookup class removed. The file can be downloaded from here.
- Restart the Analytics service and the API Manager server.
- You can now delete log4j-core-2.3.jar from the temporary location.
More updates will be found in this Adobe article.