When I created a blog entry covering the Log4Shell (Log4j) vulnerability on ColdFusion, and said I would update it as new information came in, I didn't realize I would be updating it several times a day for the past week.
I think this Log4Shell / Log4j issue can be confusing to keep track of with all the new developments, so I decided to create a timeline.
I will try to keep this timeline updated as the story develops (why do I do this to myself? :-)
2021-11-24
Issue discovered by Chen Zhaojun of the Alibaba Cloud Security Team, and reported to the Apache Software Foundation.
2021-12-01
Earliest known exploit attempt, at 2021-12-01 04:36:50 UTC, as reported by Cloudflare.
2021-12-06
Log4j 2.15.0 released (mitigates the attack vectors known at the time by disabling message lookups by default and restricting JNDI lookups to localhost).
2021-12-09
The issue is made public on Twitter, with a proof-of-concept exploit.
2021-12-10
CVE-2021-44228 published, Apache log4j Security Page updated. The world starts patching, and begins to realize the significance of this issue.
2021-12-13
Log4j 2.16.0 released, removing message lookup support and disabling JNDI functionality by default. It also fixes CVE-2021-45046, which at the time was rated as a less severe DoS issue.
2021-12-14
CVE-2021-45046 is published.
2021-12-17
CVE-2021-45046 is upgraded from moderate to critical, as it was determined that remote code execution was still possible in 2.15.0 in certain non-default configurations (a Pattern Layout using a Context Lookup such as ${ctx:loginId}).
2021-12-17
Log4j 2.17.0 released.
2021-12-18
CVE-2021-45105 published: Log4j 2.16.0 and below are vulnerable to a DoS (uncontrolled recursion from self-referential lookups, again only with a non-default Pattern Layout using a Context Lookup).
2021-12-28
Log4j 2.17.1 released, fixing CVE-2021-44832: Log4j 2 through 2.17.0 is vulnerable to RCE when an attacker can control the logging configuration (a JDBC Appender with a JNDI data source).
2022-01-18
Additional Log4j 1.2 vulnerabilities published: CVE-2022-23307 (Chainsaw deserialization), CVE-2022-23305 (JDBCAppender SQL injection), CVE-2022-23302 (JMSSink deserialization). Log4j 1.x is end of life and receives no fixes.
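Knowing the timeline is only half the job; the practical question is whether a given jar is still exposed. The script below is an added example (not code from this post, Apache, or Adobe) that does the kind of jar scan the comments below talk about: it walks a directory such as cfusion/lib, reads the Log4j 2 version from each jar's pom.properties (or manifest), maps that version onto the fix versions in the timeline, and checks whether the JndiLookup (Log4j 2) and JMSAppender (Log4j 1.x) classes are still present, recursing into jars nested in a war or ear. The constructed fixture jars are test data that only mimic the layout of real Log4j jars; the Java 7/6 backport branches (2.12.x, 2.3.x) have their own fix versions and are not modelled. Note that 2.16.0 and later still ship JndiLookup.class with JNDI disabled by default, so the class check is reported alongside the version check rather than on its own.

```python
"""Scan jars for the Log4j classes and versions named in the Log4Shell timeline.

Added example, not code from the original post or from Apache/Adobe. Archives are
handled as bytes so nested jars (WEB-INF/lib inside a war) get scanned too.
"""
import io
import re
import sys
import zipfile
from pathlib import Path

# Fixed paths inside the jars, determined by the Log4j package names.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"
LOG4J2_CORE_PREFIX = "org/apache/logging/log4j/core/"

# Log4j 2 mainline fix versions from the timeline, oldest first. The Java 7/6
# backport branches (2.12.x, 2.3.x) have their own fix versions and are not
# modelled here; a version from one of those branches is reported as-is.
LOG4J2_FIXES = [
    ((2, 15, 0), "CVE-2021-44228"),
    ((2, 16, 0), "CVE-2021-45046"),
    ((2, 17, 0), "CVE-2021-45105"),
    ((2, 17, 1), "CVE-2021-44832"),
]

POM_VERSION_RE = re.compile(r"^version=(\S+)", re.M)
MANIFEST_VERSION_RE = re.compile(r"^Implementation-Version:\s*(\S+)", re.M)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.17' -> (2, 17, 0); '2.0-beta9' -> (2, 0, 0)."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple((parts + [0, 0, 0])[:3])


def unfixed_cves(version):
    """Timeline CVEs whose fix the given Log4j 2 version predates (empty for 1.x)."""
    v = parse_version(version)
    if v[0] != 2:
        return []
    return [cve for fixed_in, cve in LOG4J2_FIXES if v < fixed_in]


def log4j2_version(zf, names):
    """Version of a Log4j 2 artifact from its pom.properties, else its manifest."""
    for name in names:
        if name.startswith("META-INF/maven/org.apache.logging.log4j/") and name.endswith("pom.properties"):
            m = POM_VERSION_RE.search(zf.read(name).decode("utf-8", "replace"))
            if m:
                return m.group(1)
    # Manifest fallback only when the jar really carries log4j-core classes, so an
    # application jar's own Implementation-Version is not mistaken for Log4j's.
    if "META-INF/MANIFEST.MF" in names and any(n.startswith(LOG4J2_CORE_PREFIX) for n in names):
        m = MANIFEST_VERSION_RE.search(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
        if m:
            return m.group(1)
    return None


def scan_jar_bytes(data, label):
    """Return (label, version, finding) tuples for one archive and any archives nested in it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive (or corrupt); nothing to report
    with zf:
        names = zf.namelist()
        version = log4j2_version(zf, names)
        if JNDI_LOOKUP in names:
            findings.append((label, version, "JndiLookup.class present (JNDI lookups on by default before 2.16.0)"))
        if JMS_APPENDER in names:
            findings.append((label, version, "Log4j 1.x JMSAppender.class present (CVE-2021-4104 surface)"))
        if version is not None:
            for cve in unfixed_cves(version):
                findings.append((label, version, f"log4j-core {version} predates the fix for {cve}"))
        for name in names:  # nested archives, e.g. WEB-INF/lib/*.jar inside a war
            if name.endswith((".jar", ".war", ".ear", ".zip")):
                findings.extend(scan_jar_bytes(zf.read(name), f"{label}!{name}"))
    return findings


def scan_tree(root):
    """Walk a directory (e.g. cfusion/lib) and scan every archive under it."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in {".jar", ".war", ".ear", ".zip"}:
            findings.extend(scan_jar_bytes(path.read_bytes(), str(path)))
    return findings


def build_sample_jar(version, classes=(), nested=None, group="org.apache.logging.log4j",
                     artifact="log4j-core", pom=True):
    """Constructed test fixture: a minimal archive mimicking a Log4j jar's layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n\r\n")
        if pom:
            zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                        f"groupId={group}\nartifactId={artifact}\nversion={version}\n")
        for cls in classes:
            zf.writestr(cls, b"\xca\xfe\xba\xbe")  # class-file magic number only, not real bytecode
        for name, data in (nested or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # With a directory argument, scan it; otherwise demonstrate on a constructed 2.14.1 jar.
    if len(sys.argv) > 1:
        results = scan_tree(sys.argv[1])
    else:
        results = scan_jar_bytes(build_sample_jar("2.14.1", [JNDI_LOOKUP]), "log4j-core-2.14.1.jar")
    for label, version, finding in results:
        print(f"{label} [{version}]: {finding}")
```

Run it as `python scan_log4j.py /path/to/cfusion/lib` (file name assumed). A Log4j 1.2.x jar from which the vendor has stripped JMSAppender, as the comments describe, produces no finding, while an untouched 1.2.17 jar is flagged for the class; a log4j-core 2.17.1 jar is reported only for the still-present JndiLookup class, with no outstanding CVE.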
Sources Used:
Comments
Hi Pete, I'm wondering if you would have any insight into why Adobe hasn't commented on or addressed the existence of log4j 1.2.15 in /{ColdFusion2018}/{cfusion}/lib and log4j 1.2.17 in /{ColdFusion2018}/{cfusion}/jetty/lib/ext. Both of those are also now considered to have severe vulnerabilities discussed in CVE-2021-4104 and CVE-2019-17571. Thanks!
Scott, it's that the updates for CF (3 for CF2021 and 13 for CF2018) DO in fact update those older log4j 1.2* jars. They modified them to remove the vulnerable jmsappender class. So yes, the old log4j 1.x jars are there, but not the ORIGINAL ones. If you or your folks run a scan, you will see it lacks the vulnerable class.
Sir, do you have insight into when a patch might be out for log4j 2.17 for CF2021? Also my google-fu is lacking and I haven't found any simple directions on how to manually install log4j on CF. Any suggestions/direction would be greatly appreciated.
@Calvin - Adobe have posted a KB saying that you can update the jars yourself, look in here for the link / latest info: https://www.petefreitag.com/item/923.cfm
Sir, thanks for the info. I replaced the api, core and slf4j files. However, I also see a log4j.jar file in the cfusion/lib directory. I do not see its replacement in the apache-log4j-2.17.0-bin.zip file I received from the apache site. Am I missing something? Again, excuse my ignorance.