Pete Freitag

Log4Shell Vulnerability Timeline

Updated on March 08, 2022
By Pete Freitag
java

When I created a blog entry covering the Log4Shell log4j vulnerability on ColdFusion, and said I would update it as new information came in, I didn't realize I would be updating it several times a day for the past week.

I think this Log4Shell / Log4j issue can be confusing to keep track of with all the new developments, so I decided to create a timeline.

I will try to keep this timeline updated as the story develops (why do I do this to myself :-)

2021-11-24
Issue discovered by Chen Zhaojun of the Alibaba Cloud Security Team, and reported to the Apache Software Foundation.
2021-12-01
Earliest known exploit attempt 2021-12-01 04:36:50 UTC reported by CloudFlare.
2021-12-06
Log4j 2.15.0 is released, mitigating the attack vectors known at the time (message lookups are disabled by default and JNDI connections are restricted to localhost).
2021-12-09
Issue was made public on Twitter
2021-12-10
CVE-2021-44228 published, Apache log4j Security Page updated. The world starts patching, and begins to realize the significance of this issue.
2021-12-13
Log4j 2.16.0 is released, removing support for message lookups altogether and disabling JNDI by default; the issue remaining in 2.15.0 (CVE-2021-45046) was at the time rated as a less severe DoS.
2021-12-14
CVE-2021-45046 is published.
2021-12-17
CVE-2021-45046 is upgraded from moderate to critical, as it was determined that a remote code execution vulnerability was still possible in 2.15.0.
2021-12-17
Log4j 2.17.0 released.
2021-12-18
CVE-2021-45105 is published: log4j 2.16.0 and below are vulnerable to a DoS (uncontrolled recursion when evaluating self-referential lookups), fixed in 2.17.0.
2021-12-28
Log4j 2.17.1 is released, fixing CVE-2021-44832: log4j 2 through 2.17.0 is vulnerable to RCE via the JDBC Appender when an attacker can control the logging configuration.
2022-01-18
Additional Log4j 1.2 vulnerabilities published: CVE-2022-23307, CVE-2022-23305, CVE-2022-23302
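The practical question behind every entry above is "which log4j version is sitting in this lib directory, and does it still contain the class the fix removes?" The following Python scanner is an added example for this timeline, not code from the original post or from Apache or Adobe. It reads each jar's manifest version, checks for `JndiLookup.class` (log4j 2.x) and `JMSAppender.class` (log4j 1.2.x), maps the version to the CVEs using the fix versions in the timeline, and can strip a class from a jar the way the documented `zip -d` mitigation does. Assumptions: the manifest carries an `Implementation-Version` header (log4j's jars do), the version mapping ignores the 2.3.x and 2.12.x backport branches the timeline does not cover, and the fixtures in `demo()` are constructed, with empty stand-in entries where the real classes would be.

```python
"""Scan jars for log4j versions and the Log4Shell-era CVEs in the timeline.

Added example, not code from the original post, Apache or Adobe. Assumes an
Implementation-Version manifest header; ignores the 2.3.x/2.12.x backports;
demo() fixtures are constructed with empty stand-in class entries.
"""
import io
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # log4j 2.x
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"                 # log4j 1.2.x


def parse_version(version):
    """'2.14.1' -> (2, 14, 1); unparseable strings give an empty tuple."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def cves_for_version(version):
    """CVEs applicable to a log4j version, from the fix versions in the timeline."""
    v = parse_version(version)
    if not v:
        return []  # unknown version: report nothing rather than guess
    if v < (2, 0):  # log4j 1.2 line (end of life): JMSAppender plus the 2019/2022 advisories
        return ["CVE-2019-17571", "CVE-2021-4104",
                "CVE-2022-23302", "CVE-2022-23305", "CVE-2022-23307"]
    fixed_in = [("CVE-2021-44228", (2, 15, 0)),  # JNDI lookup RCE
                ("CVE-2021-45046", (2, 16, 0)),  # 2.15.0 fix incomplete
                ("CVE-2021-45105", (2, 17, 0)),  # recursive lookup DoS
                ("CVE-2021-44832", (2, 17, 1))]  # JDBC Appender RCE via config
    return [cve for cve, fix in fixed_in if v < fix]


def assess(version, has_jndi_lookup, has_jms_appender):
    """Split applicable CVEs into (still open, mitigated by class removal)."""
    applicable = cves_for_version(version)
    removable = set()
    if not has_jndi_lookup:   # deleting JndiLookup.class is the documented 44228/45046 mitigation
        removable |= {"CVE-2021-44228", "CVE-2021-45046"}
    if not has_jms_appender:  # deleting JMSAppender.class addresses CVE-2021-4104
        removable.add("CVE-2021-4104")
    mitigated = [c for c in applicable if c in removable]
    still_open = [c for c in applicable if c not in removable]
    return still_open, mitigated


def scan_jar(path):
    """Read the manifest version and check for the two risky classes."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = "unknown"
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            if match:
                version = match.group(1)
    has_jndi, has_jms = JNDI_LOOKUP in names, JMS_APPENDER in names
    still_open, mitigated = assess(version, has_jndi, has_jms)
    return {"jar": os.path.basename(path), "version": version,
            "jndi_lookup": has_jndi, "jms_appender": has_jms,
            "open": still_open, "mitigated": mitigated}


def scan_dir(directory):
    """Scan every *.jar directly under a directory such as cfusion/lib."""
    return [scan_jar(os.path.join(directory, n))
            for n in sorted(os.listdir(directory)) if n.endswith(".jar")]


def remove_class(path, class_name):
    """Rewrite a jar without one entry (same effect as `zip -q -d <jar> <class>`)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            if info.filename != class_name:
                dst.writestr(info, src.read(info.filename))
    with open(path, "wb") as out:
        out.write(buf.getvalue())


def build_sample_jar(path, version, classes):
    """Constructed fixture: manifest plus empty stand-in entries for the named classes."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        for name in classes:
            jar.writestr(name, b"")


def demo():
    """Scan a constructed lib directory, strip the risky classes, scan again."""
    with tempfile.TemporaryDirectory() as lib:
        build_sample_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1", [JNDI_LOOKUP])
        build_sample_jar(os.path.join(lib, "log4j-core-2.17.1.jar"), "2.17.1", [JNDI_LOOKUP])
        build_sample_jar(os.path.join(lib, "log4j-1.2.17.jar"), "1.2.17", [JMS_APPENDER])
        before = {r["jar"]: r for r in scan_dir(lib)}
        remove_class(os.path.join(lib, "log4j-core-2.14.1.jar"), JNDI_LOOKUP)
        remove_class(os.path.join(lib, "log4j-1.2.17.jar"), JMS_APPENDER)
        after = {r["jar"]: r for r in scan_dir(lib)}
    return before, after


if __name__ == "__main__":
    for label, results in zip(("before", "after class removal"), demo()):
        print(label)
        for r in results.values():
            print(f"  {r['jar']}: version {r['version']}, open {r['open']}, mitigated {r['mitigated']}")
```

Two caveats the output makes visible. Removing `JndiLookup.class` from a 2.14.1 jar closes CVE-2021-44228 and CVE-2021-45046 but leaves CVE-2021-45105 and CVE-2021-44832 open, so class removal is a stopgap and the upgrade to 2.17.1 still has to happen. Conversely, a 2.17.1 jar still ships `JndiLookup.class`, and the scanner does not flag it, because from 2.16.0 onward JNDI is disabled by default; presence of the class alone is not evidence of exposure, the version is.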


Log4Shell Vulnerability Timeline was first published on December 18, 2021.


Comments

Hi Pete,

I'm wondering if you would have any insight into why Adobe hasn't commented on or addressed the existence of log4j 1.2.15 in /{ColdFusion2018}/{cfusion}/lib and log4j 1.2.17 in /{ColdFusion2018}/{cfusion}/jetty/lib/ext. Both of those are also now considered to have severe vulnerabilities discussed in CVE-2021-4104 and CVE-2019-17571.

Thanks!
by Scott Kroyer on 12/20/2021 at 2:13:28 PM UTC
Scott, it's that the updates for CF (3 for CF2021 and 13 for CF2018) DO in fact update those older log4j 1.2* jars. They modified them to remove the vulnerable jmsappender class. So yes, the old log4j 1.x jars are there, but not the ORIGINAL ones. If you or your folks run a scan, you will see it lacks the vulnerable class.
by Charlie Arehart on 12/21/2021 at 1:18:08 AM UTC
Sir, do you have insight into when a patch might be out for log4j 2.17 for CF2021? Also, my google-fu is lacking and I haven't found any simple directions on how to manually install log4j on CF. Any suggestions/direction would be greatly appreciated.
by Calvin on 12/21/2021 at 12:16:51 PM UTC
@Calvin - Adobe have posted a KB saying that you can update the jars yourself, look in here for the link / latest info: https://www.petefreitag.com/item/923.cfm
by Pete Freitag on 12/21/2021 at 6:21:08 PM UTC
Sir, thanks for the info. I replaced the api, core and slf4j files. However, I also see a log4j.jar file in the cfusion/lib directory. I do not see its replacement in the apache-log4j-2.17.0-bin.zip file I received from the apache site. Am I missing something? Again, excuse my ignorance.
by Calvin on 12/21/2021 at 8:14:50 PM UTC