Log4j CVE-2021-44228 Log4Shell Vulnerability on ColdFusion / Lucee
By Pete Freitag
There is a critical security vulnerability (CVE-2021-44228, aka Log4Shell) in the Java library log4j, a popular logging library for Java applications. It is included in both Adobe ColdFusion and Lucee, for example.
Putting together some info to help sort this issue out as it pertains to ColdFusion and Lucee users. I'll update this entry as needed.
TLDR: Adobe ColdFusion users should upgrade to either ColdFusion 2018 update 14 or ColdFusion 2021 Update 4 (both now use log4j version 2.17.2). Lucee has released version 220.127.116.11 with Log4j 2.17.2, earlier versions used log4j 1.x.
What versions of log4j are vulnerable to CVE-2021-44228?
According to the Log4j Security Page:
Versions Affected: all versions from 2.0-beta9 to 2.14.1. Fixed in Log4j 2.15.0.
Here's the jira issue for when the JNDI lookup feature was added in 2.0-beta9: LOG4J2-313
Another CVE: CVE-2021-45046 (2021-12-14)
It appears that the fix in 2.15.0 and the JVM mitigation was incomplete. Version 2.16.0 was released.
CVE-2021-45046 Upgraded to Critical (2021-12-17)
Another issue was found in 2.15.0, a more serious / critical RCE. Fixed in 2.16.0.
Another CVE: CVE-2021-45105 (2021-12-17)
A Denial of Service (DoS) issue in 2.16.0 and below, fixed in 2.17.0.
Another CVE: CVE-2021-44832 (2021-12-28)
Log4j versions 2.17.0 and below are vulnerable to an RCE when the attacker can modify the log4j configuration. 2.17.1 was released to address this issue.
How can I mitigate this issue?
Here's a list of possible mitigations, initially sourced from LunaSec's blog:
- Update your log4j jars to the latest patched version of Log4j 2. Each earlier fix release was superseded: 2.15.0 (see CVE-2021-45046), 2.16.0 (see CVE-2021-45105), 2.17.0 (see CVE-2021-44832); the current target is 2.17.1.
- Add the JVM arg -Dlog4j2.formatMsgNoLookups=true (only works on log4j 2.10.0 and up). This is an incomplete fix and still leaves the DoS issue, see above: CVE-2021-45046, CVE-2021-45105, CVE-2021-44832.
- According to Microsoft's Response to this issue, you can set an environment variable instead of the JVM argument: LOG4J_FORMAT_MSG_NO_LOOKUPS=true. Also incomplete for CVE-2021-45046, CVE-2021-45105, CVE-2021-44832.
- All of the above require restarting the java process (restart ColdFusion or Lucee).
A few additional mitigations that you can consider:
- Use your network firewall to ensure that no egress internet traffic leaves the server. This might be tricky depending on your requirements, but if the server cannot make a network request to the internet, this has a big impact on the severity of this. This could also be done at the jvm level using a java security policy or sandbox security in ColdFusion. You may still have DOS issues to consider with this approach.
- If you cannot use the JVM arg because you have log4j2 2.0 - 2.10.0 and for some reason cannot update to version 2.17.0, then it should be safe to remove the offending JndiLookup.class class file from the jar. Details. You may still be vulnerable to CVE-2021-45046, CVE-2021-45105.
- Many Web Application Firewalls (WAF) provide detection / blocking of Log4Shell attack patterns. However, you should never treat a WAF as a 100% solution. Many if not all WAF patterns could be evaded, but they can still block many attempts (defense in depth). FuseGuard, a WAF written in CFML, has added a Log4ShellFilter in version 3.4.0.
Adobe ColdFusion 2018 and 2021 include potentially vulnerable versions of log4j2. I notified the Adobe Product Security Incident Response Team (PSIRT) early Friday (2021-12-10) morning of the issue. Adobe has published a KB article on 2021-12-14, and on 2021-12-17 released ColdFusion 2021 Update 3, and ColdFusion 2018 Update 13 to address CVE-2021-44228 and CVE-2021-45046 by updating log4j to version 2.16.0.
To address CVE-2021-45105 and CVE-2021-44832, apply ColdFusion 2018 update 14 or ColdFusion 2021 Update 4 (which updates the log4j version to 2.17.2). Previous advice from Adobe is no longer relevant after update 4/14.
KB article 1, KB Article 2
Some early versions of ColdFusion 2018 include a version of log4j between 2.0 and 2.10.0, which means the JVM arg mitigation doesn't work, so you would need to update to the latest version first.
My suggestion for people using ColdFusion would be to update to the latest patched version of ColdFusion, and then add the JVM arg -Dlog4j2.formatMsgNoLookups=true to the java.args line in your jvm.config file. Then if you are on CF2018/2021, follow their KB article to update log4j to version 2.17.0 (or 2.17.1).
Update 2022-05-10: Adobe released ColdFusion 2021 update 4 and ColdFusion 2018 update 14, which update the log4j version to 2.17.2.
Update 2021-12-17: Since Adobe has released an update for 2018 and 2021 which brings the log4j version to 2.16.0, I still don't think it is a bad idea to add the JVM mitigation, in case there are any third party libraries on your server now or in the future.
ColdFusion 2016, update 17 appears to ship with log4j-1.2.17, see info below about log4j 1.x versions.
Discussion about this issue can be found on Adobe Forums.
From what I have seen, Lucee ships with log4j 1.2.x, which is not listed as an affected version for CVE-2021-44228. See more details about log4j 1.x below.
The Lucee team has posted a message stating: Lucee is not affected by the Log4j JNDI exploit.
Where else should I look?
You might have a third party library that uses log4j as a dependency. Here's a list of some examples:
- spreadsheet-cfml - version 3.1.0 included log4j-api-2.14.1.jar and version 3.2.0 included log4j-api-2.15.0.jar; version 3.2.1 has been released, which includes log4j-api-2.16.0.jar.
It is a good idea to scan your server hard drive for files with log4j in the name. For example, on Linux servers you can run this:
find / | fgrep log4j
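To turn that find into a report, and to see which of the CVEs and fixed-in versions from the mitigation list above still apply to a given jar, here is an added example (my own shell script, not code from the original post and not a Fixinator or Adobe tool). It assumes find and unzip are installed, that the version is readable from the log4j-core jar file name, and that pre-release suffixes such as -beta9 can be ignored for the comparison.

```shell
# Added example: classify a log4j 2.x version against the CVEs listed above
# and locate log4j-core jars on disk. Assumes find and unzip are present;
# "-beta9"-style suffixes are dropped so 2.0-beta9 compares as 2.0.0.

# N-th dotted component of version $1 (0 if absent), suffix stripped.
ver_part() {
  printf '%s\n' "$1" | cut -d. -f"$2" | cut -d- -f1 | sed 's/^$/0/'
}

# Succeeds when version $1 is strictly lower than version $2.
ver_lt() {
  for i in 1 2 3; do
    x=$(ver_part "$1" "$i"); y=$(ver_part "$2" "$i")
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
  done
  return 1
}

# One line per CVE from this post that still applies to version $1, plus
# whether the -Dlog4j2.formatMsgNoLookups=true stop-gap is even honoured.
log4j2_status() {
  v=$1
  ver_lt "$v" 2.15.0 && echo "CVE-2021-44228 Log4Shell RCE: VULNERABLE (fixed in 2.15.0)"
  ver_lt "$v" 2.16.0 && echo "CVE-2021-45046 incomplete fix: VULNERABLE (fixed in 2.16.0)"
  ver_lt "$v" 2.17.0 && echo "CVE-2021-45105 DoS: VULNERABLE (fixed in 2.17.0)"
  ver_lt "$v" 2.17.1 && echo "CVE-2021-44832 config RCE: VULNERABLE (fixed in 2.17.1)"
  if ver_lt "$v" 2.10.0; then
    echo "formatMsgNoLookups: ignored below 2.10.0, remove JndiLookup.class or upgrade"
  elif ver_lt "$v" 2.15.0; then
    echo "formatMsgNoLookups: honoured, but only a stop-gap (see CVE-2021-45046)"
  else
    echo "formatMsgNoLookups: superseded by the fix built into this version"
  fi
}

# Walk a directory tree (default: the whole disk, like the find above) for
# log4j-core jars, print each one's status and check whether JndiLookup.class
# is still packaged inside the jar (the class-removal mitigation above).
scan_log4j_jars() {
  find "${1:-/}" -type f -name 'log4j-core-*.jar' 2>/dev/null | while read -r jar; do
    ver=${jar##*/log4j-core-}; ver=${ver%.jar}
    echo "== $jar (version $ver)"
    log4j2_status "$ver"
    if unzip -l "$jar" 2>/dev/null | grep -q 'JndiLookup.class'; then
      echo "JndiLookup.class: still present in jar"
    else
      echo "JndiLookup.class: not in jar"
    fi
  done
}
```

Source the file and run `scan_log4j_jars /opt` (or any install root) to report every log4j-core jar under that path, or `log4j2_status 2.14.1` to check a single version.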
Fixinator has been updated to scan for vulnerable log4j jars, and also flags [email protected] if installed or listed as a dependency in your box.json. Fixinator does not do a deep scan within jars at this time. Some have found this tool handy for scanning jars: Log4JShell-Bytecode-Detector.
CISA has created a log4j affected products db which you can check.
Are only certain versions of Java Vulnerable?
There is a lot of confusion around this point. My understanding is that the version of java might make some attack vectors (such as JNDI LDAP) safe by default, but not all attack vectors. So the possibility still exists in any version of java from my understanding.
Is log4j 1.x vulnerable to CVE-2021-44228?
Again, it is not currently listed as an affected version, but it is also considered end of life, and they do not plan to fix any issues (including prior security issues already known). According to comments on here, it appears that the JMSAppender in log4j 1.x may have a similar issue; however, you'd need to have the JMSAppender enabled. You can check to make sure you are not using the JMSAppender to confirm.
Update: JMSAppender issue has been given identifier: CVE-2021-4104
Check your log4j configuration to make sure you don't use SocketAppender (CVE-2019-17571) such as:
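As an added example (my own script, not from the original post), here is a small POSIX shell check that lists the appenders declared in a log4j 1.x configuration and flags the two classes discussed above, JMSAppender (CVE-2021-4104) and SocketAppender (CVE-2019-17571). The log4j.properties it scans is constructed for the demo; it assumes properties files use log4j.appender.NAME=CLASS lines and XML files put name= before class= on the appender tag.

```shell
#!/bin/sh
# Added example, not from the original post: list the appenders declared in
# a log4j 1.x configuration and flag the two classes this post warns about.
# Assumes properties files use "log4j.appender.NAME=CLASS" lines and XML
# files put name= before class= on the <appender> tag.

# Print "name class" for each appender in configuration file $1.
list_appenders() {
  case "$1" in
    *.xml) sed -n 's/.*<appender[^>]*name="\([^"]*\)"[^>]*class="\([^"]*\)".*/\1 \2/p' "$1" ;;
    *)     sed -n 's/^[[:space:]]*log4j\.appender\.\([^.=[:space:]]*\)[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1 \2/p' "$1" ;;
  esac
}

# Print only the risky appenders; succeeds when at least one was found.
# JMSAppender -> CVE-2021-4104, SocketAppender -> CVE-2019-17571 (see above).
risky_appenders() {
  list_appenders "$1" | grep -E ' org\.apache\.log4j\.net\.(JMS|Socket)Appender$'
}

# Constructed sample log4j.properties for this demo (not a real CF/Lucee file).
sample_props() {
  cat <<'EOF'
log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
EOF
}

cfg=$(mktemp)
sample_props > "$cfg"
if risky_appenders "$cfg"; then
  echo "risky appender(s) found: disable them or move off log4j 1.x"
fi
rm -f "$cfg"
```

Point `risky_appenders` at your real log4j.properties or log4j.xml instead of the sample; it prints nothing and exits non-zero when neither appender is configured.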
I have published a ton more info specific to Log4j 1.2.x vulnerabilities.
DISCLAIMER: The content (and links) on this page are provided as is, without warranty of any kind. Use at your own risk. You should consult with your software vendors to ensure that you are properly protected.
Log4j CVE-2021-44228 Log4Shell Vulnerability on ColdFusion / Lucee was first published on December 10, 2021.