Log4j CVE-2021-44228 Log4Shell Vulnerability on ColdFusion / Lucee

Thanks for putting this together, Pete! This is such crazy stuff!

Hey Pete, thanks so much for this. Any thoughts on this older CVE that does appear to impact Lucee? https://www.cvedetails.com/cve/CVE-2019-17571/ Thanks!

Would this apply to CF on Linux and Windows? Where do you find the current version of log4j being used? Thanks for this info!

Pete, you are the greatest. I really appreciate the time and insight you're sharing with everyone on this. Many thanks!

Thanks for the information Pete!

Any thoughts on people still using CF 9 and earlier? seems like we are using ColdFusion9/runtime/../lib/log4j-1.2.15.jar scary times

hi pete, i'm primarily a developer but have been tasked with handling this issue by a client because the "ColdFusion" guy. we're running CF11 with Java 1.8.0_130. it seems to me that we should not be affected or, at least there's nothing we can really do here outside of a full CF upgrade. is it possible to update the existing Log4j 1.2.15 libraries used by CF to the new version (2.15.0) with the fix? thanks, eric

Thanks! I'm primarily operations - but have what's probably a question with an obvious answer. With respect to this - is there any difference in placing -Dlog4j2.formatMsgNoLookups=true in: 1) placing iot in CFadmin window under JVM Arguments, or, 2) in the actual JVM.config? My understanding is that they are one and the same for this purpose - but wanted to make sure on this one.

Has anybody been able to reproduce a POC of this issue on Coldfusion?

Pete, thank you for pulling this together, it’s most helpful. FYI, I noticed yesterday that LunaSec’s recommendation to modify message patterns, %m{nolookups}, has been redacted as bad practice and is no longer a recommended mitigation.

Adobe has officially released mitigation steps for each version of ColdFusion. This until if/when they release a patch themselves. https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html

Thanks, Pete. Love your services! Adobe's mitigation steps are mentioning only version 2.9.0 of this JAR file. Our CF servers look to be using 2.13.3. Sorry, but I'm not clear if this affects us (CF2018) and if we should replace the file as Adobe suggests? Can you clarify? We HAVE put in the JVM arguments.

@Eric @Pete You most definitely can not just go from 1.x to 2.x (google it - the apache page mentions this). @Eric - you might not be vulnerable to this but CF11 has not been patched in a long while and in particular there was a critical security flaw fixed in march but only back to CF2016 - if your CF11 server is on the internet it's only a matter of time (and it might already be) until it's compromised. I highly suggest you update - which sucks because going from CF11 to CF2018/2021 is almost definitely going to break at least some code. We had issues just going from 2016 to 2018... You should really update java too - that should be painless - just requires installing it and pointing CF to the new JVM path in the admin. There are definitely existing vulnerabilities in 8u130...quite a few.

Hi Pete, On the forums there are lots of references to just swapping out the log4j libraries for the 2.15.0 updates. Do you have any thoughts on this since Adobe didn't seem to reply to any of the questions surrounding that? Thanks for all your hard work on this cavalcade of suck that surrounds this vulnerability.

@Pete - But of course, we had to throw more gasoline on the fire. Again, many thanks on the continued coverage of this whole thing.

Thank you for providing this examination of the problem/solution. I appreciate it.

Adobe did (finally) address this: https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html

Hi Pete, thanks for the great info. Once we are patched (setting in place and 2.16 jars in my case), is there a way to determine if a server had been previously compromised?

Can this be mitigated by using application firewall (WebKnight) to block multiple : or $ or {}?

@Pete Freitag this is very exciting news please keep us up to date on the FuseGuard filter.

There is a minor update on the Adobe patches. If you applied the QOQ one-off hot fixes, they will have to be reapplied, hf201800-4212383 and hf202100-4212383.

I just applied update 3 for CF 2021 to my dev box and the query of queries hotfix after update 2 stopped working. I had to re-copy the hotfix jar file and restart the server.

Hey Pete, Where are those hotfixes located for the QoQ issue?

Email Adobe support at cfsup@adobe.com for the QOQ patches.

FYI: I have successfully started my development ACF2018 server under CommandBox by converting log4j.properties to log4j.xml using: java org.apache.log4j.config.Log4j1ConfigurationConverter --in=cfusion/lib/log4j.properties --out=cfusion/lib/log4j.xml --verbose I then removed log4j.properties and replaced all Log4j JARs with log4j-core-2.17.1.jar, log4j-api-2.17.1.jar, and log4j-to-slf4j-2.17.1.jar. It seems be working fine so far. This does not work with a standalone ACF2018 install(Unable to initialise Logging service: java.lang.NoClassDefFoundError: org/apache/log4j/Layout).

Hi Pete, I have installed the CF2021 patch, and copied log4j 2.17.1 version files to C:\ColdFusion2021\cfusion\lib folder. However, I found that in C:\ColdFusion2021\cfusion\jetty\lib\ext there are old versions of log4j files, including log4j-1.2.17.jar and log4j-1.2.17.zip. Should/can I remove them as well?

Hi Pete, I have just freshly installed CF2021 on a server and brought it to update 3. When I went to swap the Log4J 2.16 components for 2.17, I noticed that there is another log4j.jar there as well. This one contains version 1.2.15. Why does Adobe leave these old versions here in parallel (or a third one if you count the one in Jetty?) Did I miss a hint? How do you handle these old versions? Thanks a lot!

I've noticed that recently scans are showing 'cf-logging.jar' as containing log4j version 1.2.15, and removing this jar appears to break the entire CF application. Do you know if there is a way to remove this old log4j safely, or update CF to stop using it? Even with the 2.17 log4j installed it seems to still rely heavily on this massively out of date version. Thanks!

Hey, John, do your last comment, I will note that someone else finally brought it up as a tracker ticket. I have shared an extended comment there which may help you if you're still having to deal with the issue. There's no solution, but info (including more from Pete that I point to) which may at least give people the proper understanding of the situation (and why it may not likely change for some time, if at all). See: https://tracker.adobe.com/#/view/CF-4213568 I'm certainly open to feedback, there or here, from Pete or anyone. As always, I'm just trying to help.

A further follow up on the QOQ problem. The fix hf202100-4212383 works for most queries. However, we found a problem with the order by statement, if we use the numeric value of the field, it fails. If we use the field name, it works. Ie: if we have order by set to ‘5 DESC,fieldb,fieldc’ - it fails If we have order by set to ‘fielda DESC, fieldb, fieldc’ - it works

Hey Pete, Does CF 2021 Update 5 removes the remaining log4j 1.x? We are still getting Nessus critical hits...