TLDR: I provide here resources with suggestions of what to do about the log4jshell vulnerability, while we await an update from Adobe. And I share the current JVM arg being proposed as “the solution” to mitigate the vuln (-Dlog4j2.formatMsgNoLookups=true). Finally, I offer a bit of opinion on how things have gone so far.

Updated since original post: Within hours of my posting this, Adobe released an information page with more on the currently available responses (as yet, still no update).

It’s very likely you have been hearing for days about the vulnerability in the log4j Java library, which has been discussed widely in IT circles since late Thursday Nov 10. The general theme is that since log4j underlies nearly all Java applications, this is tantamount to a worldwide IT pandemic.

And you have also likely heard that since CF runs on Java, and includes log4j, we who use ColdFusion must be concerned and your stakeholders may be demanding that you “take action”.

Most important, you may lament that you’ve heard very little (to now) from Adobe on their response to this situation.

Is there an update to be made available for CF2021 or 2018? And what about those not on those supported CF versions?

For now, there’s no new update from Adobe. (That could change within hours of my posting this.) Update: again, within hours of my posting this, they created an “official” page with information, but as yet no update.

When there is a new CF update, we should expect it to be an update only for CF20, the only two supported versions of CF. You can see if/when Adobe updates those on the CF updates page for CF2021 and for CF2018.

Folks on all CF versions should read on.

Where can you learn more, until Adobe offers an update?

Until Adobe offers an update (or for those on older CF versions), I would recommend anyone interested in this matter to look into the discussion happening in the thread at the Adobe CF community forum: Zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228)

It’s been updated daily since the news started Friday and includes many suggestions and ideas to chew on.

As for a single blog post that also is trying to pull together “what can you do” (especially until Adobe may offer a fix), see Pete Freitag’s blog post from Friday (also updated daily since): Log4j CVE-2021-44228 Log4Shell Vulnerability on ColdFusion / Lucee

I’m sure both resources will be updated when Adobe releases an update. I’ll try to do the same in this post, or will at least offer a comment below.

What can you consider doing before Adobe offers an update?

First, in both resources above you will see that there’s a JVM arg that some are recommending. That arg’s usefulness depends on the log4j version in use, and so depends on the CF version. For now, it’s the best option it seems we have.

(Beware in concluding that old CF versions have older log4j libraries that are therefore “not vulnerable”. There’s contending discussion going on in the CF and IT world about whether “old” log4j versions–before 2.0–are “not vulnerable” or can’t be declared as such because the Apache team responsible no longer supports them and so are not saying either way.)

I can confirm that I have added this JVM arg to older CF versions (2016, 11, and 10), and there was no problem in doing it.

Second, in the forum thread above you will see that while some are trying to update the log4j libraries within CF themselves, it’s not generally going well. Adobe has never formally supported our changing things like that.

Third, you may hear of people proposing to strip out various classes from the log4j jars, and that too is not a supported solution nor is it a trivial undertaking.

Again, for now, we using CF2021 or 2018 should await an update from Adobe. And while some resources propose you can “look for log4j jars” to determine if you have the vulnerable version’s jar, do beware that Java jars can themselves contain jars, so simply searching a given folder in the file system for filename patterns will not necessarily be a “good enough” way to really prove you have “no vulnerable libraries”.

Those on older versions should consider the above as they seek to try to rectify things on their own, and follow the resources I offered, where others are sharing their experiences.

To be clear, I don’t work for Adobe, but some may regard me as one of the more prolific bloggers here on the CF portal.
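The caveat above, that jars can contain jars so a filename search is not a reliable inventory, as an added example that is not from the original post, Adobe, or the linked resources: a small Python scan that opens every archive under a directory, recurses into archives embedded in them, and reports each copy of log4j-core 2.x by the JndiLookup class it ships and the version recorded in its pom.properties. The directory layout, jar names and version string below are constructed sample data; the class path and pom.properties path are the ones log4j-core 2.x actually uses.

```python
import io, os, tempfile, zipfile
# log4j-core 2.x ships this class; its Maven pom.properties records the version.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")

def scan_archive(label, data, findings):
    """Inspect one archive held in memory, then recurse into any archives nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip (or corrupt): nothing to look into
    with zf:
        names = set(zf.namelist())
        if JNDI_CLASS in names:
            version = "unknown"
            if POM_PROPS in names:
                props = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines()
                version = next((l.split("=", 1)[1].strip() for l in props if l.startswith("version=")), version)
            findings.append((label, version))
        for name in names:  # jars inside jars: a plain filename search would never see these
            if name.lower().endswith(ARCHIVE_EXTS):
                scan_archive(f"{label}!/{name}", zf.read(name), findings)

def scan_tree(root):
    """Walk a directory (e.g. a CF install) and list every log4j-core found, nested or not."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    scan_archive(path, fh.read(), findings)
    return findings

def build_sample_tree(root):
    """Constructed sample: an outer jar with no 'log4j' in its name wrapping a log4j-core jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")        # stand-in class bytes (constructed)
        zf.writestr(POM_PROPS, "version=2.x-sample\n")       # placeholder version (constructed)
    with zipfile.ZipFile(os.path.join(root, "app-bundle.jar"), "w") as outer:
        outer.writestr("lib/log4j-core.jar", inner.getvalue())
        outer.writestr("lib/broken.jar", b"not a zip")      # exercises the BadZipFile branch

def run_sample():
    """Build the sample in a temp dir, scan it, and return findings relative to that dir."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(os.path.relpath(where, tmp), ver) for where, ver in scan_tree(tmp)]
```

Point scan_tree at a real install directory to inventory it; run_sample only exercises the constructed case, where the only hit is reported as app-bundle.jar!/lib/log4j-core.jar even though no file on disk has log4j in its name.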