Adobe Security Hotfix for Log4j vulnerability

Log4j New Security Vulnerability on ColdFusion 

New security vulnerability Log4j is a very critical security vulnerability (CVE-2021-44228) in the Log4j, which is a popular logging library for Java-based applications. The vulnerability also impacts Adobe ColdFusion.

Adobe is investigating any potential impact and is taking action including updating affected systems to the latest versions of Apache Log4j recommended by the Apache Software Foundation.
ColdFusion plans to release a patch (version(s) 2021, 2018) for this log4j vulnerability to customers on 12/17/2021.

Meanwhile, they recommend that ColdFusion users apply the following workarounds/mitigations steps until this patch is released.

TL;DR

1) Log4j, a widely used Java-based logging utility, has a severe vulnerability known as “Log4Shell” that allows remote code execution, enabling attackers to potentially take full control of an affected system. 

 

 

2) ColdFusion, a popular web application development platform built on Java, is susceptible to the Log4j vulnerability. Businesses relying on ColdFusion should immediately update Log4j to the latest version and strengthen their application’s security to mitigate risks. 

What is Log4j? 

Imagine a diligent librarian in the heart of your computer system, meticulously recording each action and event – that’s what this Java-based logging utility is all about. 

Log4j, a popular logging library created by the Apache Software Foundation, is a key element in many types of software applications, particularly those built using Java. 

It provides developers with a mechanism to log information during the execution of their programs, allowing them to keep track of each application’s activities, detect errors, and resolve issues more efficiently. 

In essence, Log4j acts as an internal recordkeeper, logging events such as system errors, user activities, and data processing steps. 

By generating logs in various output targets such as console, files, GUI components, or even network socket servers, it provides a comprehensive view of the system’s functioning and behavior. 

Moreover, it offers great flexibility by allowing developers to control logging behavior through configuration files, without modifying the application binary. 

Its versatility and ease of use have made Log4j a widely adopted tool in the software development landscape. 

ColdFusion 2021

ColdFusion 2021 comes with Log4j versions 2.13.3 and 1.2. The former is impacted by this vulnerability, while the latter is not.
Steps to follow for the fix:

  1. Stop the server.
  2. Navigate to the directory \\bin.
  3. Open jvm.config file and add -Dlog4j2.formatMsgNoLookups=true argument in java.args section. Save the file.
  4. If using any third-party libraries that use Log4j2, and hence vulnerable, search for log4j-core in  directory. If the Log4j2 version (<= 2.10 and >=2.0-beta9)  is found, remove the JndiLookup class from the classpath like below, otherwise skip this step.
    1. If the Operating System is Windows , then unzip the log4j-core-2.x.jar file and remove the class from path: org/apache/logging/log4j/core/lookup/JndiLookup.class and zip the log4j-core- 2.x.jar. X is the version number you found in the folder.
    2. If the Operating System is non-windows, then remove the JndiLookup class from the classpath : “zip -q -d log4j-core-2.x.jar  org/apache/logging/log4j/core/lookup/JndiLookup.class”. X is the version number you found in the folder.
  5. Restart the instance.
  6. Repeat the procedure for all other instances.

ColdFusion 2018

ColdFusion 2018 comes with  log4j 2.13.3 and/or 2.9.0, and log4j 1.2. The former is impacted by this vulnerability, while the latter (that is, v1.2) is not impacted.
Steps to follow for the fix:

  1. Stop the server.
  2. Navigate to the directory \\bin.
  3. Open jvm.config file and add -Dlog4j2.formatMsgNoLookups=true argument in java.args section. Save the file.
  4. Copy the patched log4j-core-2.9.0.jar file with JNDILookUp class that you have removed. The new file can be downloaded from here. If you find log4j-core-2.9.0.jar, move the file to a temporary location. If not found, skip this step.
    1. The temporary location must be outside ColdFusion’s lib directory or classpath, in general. You can place it outside ColdFusion’s root directory.
  5. If you are using any third-party libraries that use log4j2, and hence vulnerable, search for log4j-core in  directory. If log4j2 version (<= 2.10 and >=2.0-beta9) is found, remove the JndiLookup class from the classpath as mentioned below, otherwise skip this step:
    1. If the Operating System is Windows, then unzip the log4j-core-2.x.jar file and remove the class from path : org/apache/logging/log4j/core/lookup/JndiLookup.class and zip the log4j-core-2.x.jar. X is the version number that you found in the folder.
    2. If the Operating Systems is non-Windows, then remove the JndiLookup class from the classpath : “zip -q -d log4j-core-2.x.jar  org/apache/logging/log4j/core/lookup/JndiLookup.class”. X is the version number that you found in the folder.
  6. Restart the instance and delete log4j-core-2.9.0.jar from the temporary location.
  7. Repeat the procedure for all other instances.

ColdFusion 2016

ColdFusion 2016 comes with Log4j 1.2, which is not impacted. If the installation has any third-party libraries that use Log4j2, follow the steps listed for third party libraries above for version 2018 or 2021.

Performance Monitoring Toolset 2021

Performance Monitoring Toolset 2021  comes with log4j 2.11.1 and log4j 2.3. Both versions are impacted.

  1. Stop the Performance Monitoring Toolset and datastore services.
  2. Navigate to the directory \datastore\config.
  3. Open the file jvm.options, add -Dlog4j2.formatMsgNoLookups=true argument in #log4j2 section. Save the file.
  4. Navigate to the directory \lib.
  5. Move the file log4j-core-2.3.jar to a temporary location.
  6. Copy the patched log4j-core-2.3.jar file with JNDILookUp class removed. The file can be downloaded from here.
  7. Restart the Performance Monitoring Toolset and datastore services.
    1. Delete log4j-core-2.3.jar from the temporary location.

Performance Monitoring Toolset 2018

Performance Monitoring Toolset 2018 comes with log4j 2.9.1 and log4j 2.3. Both versions are impacted.

  1. Stop the Performance Monitoring Toolset and datastore services.
  2. Navigate to the directory \datastore\lib.
  3. Move the file log4j-core-2.9.1.jar to a temporary location.
  4. Copy the patched log4j-core-2.9.1.jar file with JNDILookUp class removed. The file can be downloaded from here.
  5. Navigate to the directory \lib.
  6. Copy the file log4j-core-2.3.jar to a temporary location.
  7. Copy the patched log4j-core-2.3.jar file with JNDILookUp class removed. The file can be downloaded from here.
  8. Restart the Performance Monitoring Toolset and datastore services.
    Delete log4j-core-2.3.jar and log4j-core-2.9.1.jar from the temporary location.

API Manager 2021, 2018, and 2016

API Manager 2021, 2018, and 2016 comes with log4j 2.3. This version is impacted.

  1. Stop the API Manager server (\bin) and Analytics (database\analytics\bin) service.
  2. Navigate to the directory \lib.
  3. Move the file log4j-core-2.3.jar to a temporary location.
  4. Copy the patched log4j-core-2.3.jar file with JNDILookUp class removed. The file can be downloaded from here.
  5. Restart the Analytics service and the API Manager server.
    You can now delete log4j-core-2.3.jar from the temporary location.

More updates will be found in this Adobe article.

Mitigating the Risks

It’s crucial to comprehend how to mitigate these risks, as your business infrastructure and proprietary information could be in jeopardy. 

Firstly, it is recommended to update the Log4j library to its latest version, which at this point is 2.15.0 or higher, as this version has patched the vulnerability. If an immediate update is not possible due to some reasons, a temporary workaround can be deployed. This could include removing the JndiLookup class from the Log4j library or limiting access to the application from untrusted networks. It is important to note that these are only temporary measures and the library should be updated to the latest version as soon as possible. 

In addition to the above, it is equally important to strengthen your ColdFusion application’s security. 

ColdFusion developers must adhere to secure coding practices and must regularly update their knowledge about evolving threats. Regular audits of the application for vulnerabilities and keeping the ColdFusion server up to date are also critical steps. In case of any vulnerability being detected, immediate action must be taken to patch it. 

Remember, a proactive approach to security can save your business from potential threats and breaches. It’s a continuous process and not a one-time task. 

Conclusion

Log4j is an important part of the security infrastructure of ColdFusion. 

A new security vulnerability has been identified in Log4Shell, which could lead to serious security risks for ColdFusion systems. 

It is important that organizations take steps to mitigate the risk by implementing best practices for securing their ColdFusion environment. 

This includes patching and updating Log4j as soon as possible, limiting user access to resources, and using additional monitoring tools to detect any suspicious activity. 

By taking these proactive steps, organizations can reduce the risk posed by the Log4j Security Vulnerability and help protect their ColdFusion systems from malicious attacks.