Regarding the new Apache Log4j vulnerability (CVE-2021-44228)
AEM Forms on JEE 6.5.8 uses log4j versions 2.10 and 2.11.1. These versions are affected by this vulnerability. Could anyone else using it please confirm the same?
There may be a temporary workaround of adding "-Dlog4j2.formatMsgNoLookups=true", but that is not a complete fix.
I have already opened a ticket on the Daycare site but haven't had any response yet.
AEM ships with an EOL version of log4j (1.2.17) which is only impacted if the JMSAppender class is used. This is not the case for OOTB AEM.
1. Is Adobe aware of this Apache log4j library vulnerability?
Yes. Adobe is aware of this Apache log4j library vulnerability.
2. Does Adobe use the Apache log4j library impacted by this issue?
Yes. This library is widely used in many applications and services across the industry, including Adobe.
3. Is my data impacted?
The investigation is ongoing but, to date, Adobe has discovered no indication to suggest customer data has been impacted as a result of this issue.
4. What is Adobe doing to address the vulnerability?
Adobe is investigating potential impact and is taking action including updating affected systems to the latest versions of Apache log4j recommended by the Apache Software Foundation.
5. How is Adobe addressing this vulnerability with its vendors/suppliers/partners?
Adobe is reaching out to our vendors to determine potential impact now.
Hi Mayank,
Could you confirm that you have also looked into AEM Forms on JEE?
Is it advisable to mitigate the impact with the use of JVM parameters?
i.e., "-Dlog4j2.formatMsgNoLookups=true"
...or by removing JndiLookup from the classpath?
Yes, this is one of the mitigation steps.
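The two mitigations discussed above (the JVM flag and removing JndiLookup from the classpath) both depend on first knowing which log4j-core jars are bundled where, and AEM Forms on JEE deploys them inside EAR/WAR archives rather than as loose files. The script below is an added example written for this thread, not Adobe's tooling or anything from the referenced mitigation document. It recursively walks jar/war/ear archives, reports each embedded log4j-core with its version (read from the standard Maven `pom.properties` path; the class path of `JndiLookup` is likewise the standard one), flags versions inside the ranges quoted in this thread (2.0-beta9 to 2.12.1 and 2.13.0 to 2.14.1), and can write out a copy of a jar with `JndiLookup.class` stripped. It also notes a caveat a practitioner should know: `-Dlog4j2.formatMsgNoLookups=true` is only honoured by log4j 2.10.0 and later, so it does nothing for an older bundled copy, whereas removing the class works on every 2.x version. The EAR it scans when run without arguments is constructed in memory purely as a fixture.

```python
"""Find bundled log4j-core jars inside JEE archives and strip JndiLookup.class.

Added example for this thread, not Adobe's code. Assumptions: log4j-core jars
carry the standard Maven pom.properties entry and JndiLookup.class sits at its
standard path. The sample EAR built by build_sample_ear() is a constructed fixture.
"""
import io
import re
import sys
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-beta(\d+))?$")


def is_affected(version):
    """True if version is in the CVE-2021-44228 ranges quoted in the thread
    (2.0-beta9..2.12.1, 2.13.0..2.14.1); False otherwise; None if unparseable."""
    m = VERSION_RE.match(version or "")
    if not m:
        return None
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    beta = m.group(4)
    if major != 2:
        return False
    if beta is not None:  # 2.0-betaN pre-releases: affected from beta9 on
        return minor == 0 and patch == 0 and int(beta) >= 9
    key = (minor, patch)  # 2.12.2 (the Java 7 backport fix) falls outside both ranges
    return (0, 0) <= key <= (12, 1) or (13, 0) <= key <= (14, 1)


def supports_no_lookups(version):
    """The formatMsgNoLookups property only exists from log4j 2.10.0 onwards."""
    m = VERSION_RE.match(version or "")
    if not m or m.group(4) is not None:
        return False
    return (int(m.group(1)), int(m.group(2))) >= (2, 10)


def scan_archive(data, path):
    """Recursively walk a zip given as bytes (jar/war/ear) and return one finding
    per embedded log4j-core: path, version, has_jndi_lookup, affected."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip: skip silently
    with zf:
        names = zf.namelist()
        present = set(names)
        version = None
        if POM_PROPS in present:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if JNDI_LOOKUP in present or version is not None:
            findings.append({
                "path": path,
                "version": version or "unknown",
                "has_jndi_lookup": JNDI_LOOKUP in present,
                "affected": is_affected(version),
            })
        for name in names:  # descend into nested archives (EAR -> WAR -> jar)
            if name.lower().endswith(ARCHIVE_EXT):
                findings.extend(scan_archive(zf.read(name), f"{path}!/{name}"))
    return findings


def strip_jndi_lookup(data):
    """Return a copy of a jar without JndiLookup.class (the classpath mitigation).
    Same effect as: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class"""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def make_zip(entries):
    """Build a zip in memory from {name: content}; used for the constructed fixture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


def build_sample_ear(version="2.11.1"):
    """Constructed fixture: EAR containing a WAR containing a log4j-core jar."""
    core = make_zip({POM_PROPS: f"version={version}\n", JNDI_LOOKUP: b"\xca\xfe\xba\xbe"})
    war = make_zip({f"WEB-INF/lib/log4j-core-{version}.jar": core})
    return make_zip({"forms.war": war})


def main(argv):
    if argv:  # scan real archives passed on the command line
        findings = []
        for p in argv:
            with open(p, "rb") as fh:
                findings.extend(scan_archive(fh.read(), p))
    else:  # demo run over the constructed fixture
        findings = scan_archive(build_sample_ear(), "sample.ear")
    for f in findings:
        flag_ok = supports_no_lookups(f["version"])
        print(f"{f['path']}: version={f['version']} affected={f['affected']} "
              f"JndiLookup.class={'present' if f['has_jndi_lookup'] else 'removed'} "
              f"formatMsgNoLookups={'usable' if flag_ok else 'NOT honoured (pre-2.10)'}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it against the deployed EARs (for example `python3 scan_log4j.py adobe-livecycle-jboss.ear`) and treat every `affected=True` line that still shows `JndiLookup.class=present` as an open item. Because AEM Forms on JEE ships the jars nested inside EAR/WAR files, stripping the class means rebuilding the outer archive too (or applying Adobe's documented steps), and the JVM flag alone should not be relied on for any copy older than 2.10.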
Can we expect some official communications on how to mitigate this any time soon?
Yes, Adobe will be releasing public documentation on this soon. For now, here are the mitigation steps suggested by Engineering:
The impact of vulnerability CVE-2021-44228 reported in log4j2 versions 2.0-beta9 through 2.12.1 and 2.13.0 through 2.14.1 was analysed for AEM Forms and it was found to be impacted as it bundles different versions of log4j2 in different released versions.
The details of the analysis and impacted distributions together with mitigation steps to be performed are outlined at [1]. In case of any issues/questions/clarifications, you may contact Adobe Support.
Thanks,
Mayank