Adobe Campaign Classic v7 & Campaign v8

vishalkumarjha24 · 12/11/21

Hello,

A critical vulnerability was found in the popular Java logging framework log4j.

The whole story can be found here: Log4Shell: RCE 0-day exploit found in log4j, a popular Java logging package | LunaSec

This new Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228) was reported on Friday (10 Dec 2021)

We're on ACC v7 and I'd appreciate any inputs from this community to understand if this vulnerability affects services hosted in ACC v7.
If so what are the corrective measures to overcome this.

Thanks,
Vishal

Milan_Vucetic · 12/11/21

Hi, for the all comunity memebers who work with on-premise solutions you can use the following code on your exposed servers (usualy tracking ones) to search the logs in order to see if attacks were tried:

Where posible upgrade you log4j 2 on latest 2.15.0 version

Nice way to see if you are exposed to this threat: Start netcat parallel to your app:

then type the following in the app where gets logged (ex. the query string of your search):

If you then see a lot of garbage emojies in the netcat console you are vulnerable!

Sorry about pictures above. Article just won't to accept any code even if code tags used.

Regards,

Milan

View solution in original post

Milan_Vucetic · 12/11/21

Hi, for the all comunity memebers who work with on-premise solutions you can use the following code on your exposed servers (usualy tracking ones) to search the logs in order to see if attacks were tried:

Where posible upgrade you log4j 2 on latest 2.15.0 version

Nice way to see if you are exposed to this threat: Start netcat parallel to your app:

then type the following in the app where gets logged (ex. the query string of your search):

If you then see a lot of garbage emojies in the netcat console you are vulnerable!

Sorry about pictures above. Article just won't to accept any code even if code tags used.

Regards,

Milan

vishalkumarjha24 · 12/13/21

Thanks a lot, Milan

So, hosted customers are not affected by the Log4j Remote Code Execution Vulnerability, right?

Thanks,

Vishal

Milan_Vucetic · 12/13/21

Hi @vishalkumarjha24,

Yes, not affected.

adithyacs86 · 12/22/21

Hi Milan,

The code provided above are I believe for on prem in Linux OS, do we know how to check if the Adobe Campaign is installed in Windows servers.

Thanks,
Adithya

Marcel_Szimonisz · 12/13/21

We are on 7.0 21.1 build 9282 and it's using

log4j-1.2.11.jar

it's under

$(XTK_INSTALL_DIR)/java/lib/log4j-1.2.11.jar

this version does not contain the jndilookup library which is added from version 2

So we are good, right? at least for this vulnerability

Milan_Vucetic · 12/13/21

Hi @Marcel_Szimonisz

Yes, you are good.

Adobe Campaign Classic v7 & Campaign v8

Log4j For Adobe Campaign

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe