The log4j exploit that came out today affects many Java applications and other apps that use this logging package. It is important that you check to see if any of your applications use log4j, and if they are a version that you should work on patching. Some examples of software that might use and need patching are ColdFusion, Lucee, Confluence, Zimbra, Solr, Minecraft. 

Here is an example to try to find the log4j jar files on a Linux system: 

sudo find / -iname log4j\*.jar

Here is an example to try to find the log4j properties files on a Linux system: 

sudo find / -iname log4j.properties

If you find that you have log4j jar files, you can then look to see if your version is affected and implement a fix if needed. 

We received an email this morning from Foundeo Inc., alerting us to a zero-day exploit in Adobe ColdFusion 2021, which was later updated to also include CF2018. However, much of the information is applicable to other software too. We’ve copied portions for you below:

“A critical vulnerability (CVE-2021-44228 / Log4Shell) exists in log4j which is a java library included in Adobe ColdFusion 2021. Details can be found here:

https://www.lunasec.io/docs/blog/log4j-zero-day/

It looks like there are three different ways to potentially mitigate this yourself:

1) Add JVM arg: -Dlog4j2.formatMsgNoLookups=true
2) Update log4j to version 2.15.0
3) Modify every logging pattern layout to say %m{nolookups} instead of %m in your logging config files, I am guessing this would be done in log4j.properties

Option #1 is probably the safest choice, however I must point out that I haven’t been able to test each of these yet, so it is possible that it could break, you should test these before deploying. 

According to https://logging.apache.org/log4j/2.x/security.html

You can double check what versions you have on your server by searching the file system for log4j.”

Some info from Mark Takata at Adobe:

“As reported this morning, Log4J is vulnerable to a zero-day RCE exploit.
Details here:

https://www.lunasec.io/docs/blog/log4j-zero-day/

This is being classified as a severe vulnerability, as it can be exploited to allow unauthenticated remote code execution.

Details of the CVE here: https://www.randori.com/blog/cve-2021-44228/

The Adobe ColdFusion engineering & support teams are currently working with the security team to examine how this exploit affects a vanilla CF2021 and CF2018 install. Initial reports seem to indicate that installs of this nature do not utilize Log4J in a way as to be exploitable, but research is just beginning so please exercise a maximum of caution, especially if your installation utilizes Log4J in a way other than the default install.

An initial method of reducing/eliminating your vulnerability is to alter your jvm.config by adding the following line:

-Dlog4j2.formatMsgNoLookups=true

Once the config file is altered, you will need to do a restart of the environment to ensure it is taken up. I will share any further news about this situation as it comes in.”

Thanks again to Foundeo Inc. for passing this along to us!

Please let us know if you have any questions.

Leave a Reply

Your email address will not be published. Required fields are marked *

three + 8 =