SOLVED

AEM FORMS JEE : Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)

Level 2

Regarding the new Apache Log4j vulnerability as per (CVE-2021-44228)

AEM Forms on JEE 6.5.8 uses log4j versions 2.10 and 2.11.1. These versions are affected by this vulnerability. Could anyone else using it please confirm the same?

There may be a temporary workaround to add "-Dlog4j2.formatMsgNoLookups=true" but not a complete fix.

I have already opened a ticket on the Daycare site but haven't had any response yet.

1 Accepted Solution

Correct answer by
Employee

The impact of vulnerability CVE-2021-44228 reported in log4j2 versions 2.0-beta9 through 2.12.1 and 2.13.0 through 2.14.1 was analysed for AEM Forms and it was found to be impacted as it bundles different versions of log4j2 in different released versions.

The details of the analysis and impacted distributions together with mitigation steps to be performed are outlined at [1]. In case of any issues/questions/clarifications, you may contact Adobe Support.

[1]: https://helpx.adobe.com/experience-manager/kb/aem-forms-vulnerability-cve-2021-44228.html?wcmmode=di...

Thanks,
Mayank

7 Replies

Employee

AEM ships with an EOL version of log4j (1.2.17) which is only impacted if the JMSAppender class is used. This is not the case for OOTB AEM.

1. Is Adobe aware of this Apache log4j library vulnerability?
Yes. Adobe is aware of this Apache log4j library vulnerability.
2. Does Adobe use the Apache log4j library impacted by this issue?
Yes. This library is widely used in many applications and services across the industry, including Adobe.
3. Is my data impacted?
The investigation is ongoing but, to date, Adobe has discovered no indication to suggest customer data has been impacted as a result of this issue.
4. What is Adobe doing to address the vulnerability?
Adobe is investigating potential impact and is taking action including updating affected systems to the latest versions of Apache log4j recommended by the Apache Software Foundation.
5. How is Adobe addressing this vulnerability with its vendors/suppliers/partners?
Adobe is reaching out to our vendors to determine potential impact now.
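The affected log4j2 ranges given in the accepted answer (2.0-beta9 through 2.12.1 and 2.13.0 through 2.14.1) and the log4j 1.2.17 / JMSAppender condition stated above, turned into a defender-side inventory check. This is an added example, not code from Adobe or from anyone in this thread; the jar paths and the log4j.properties content are constructed samples, and the version parser assumes the plain `major.minor[.patch][-beta|rcN]` scheme used by the versions quoted here.

```python
import re

# Affected log4j2 ranges exactly as stated in the accepted answer (inclusive bounds).
AFFECTED_LOG4J2_RANGES = [("2.0-beta9", "2.12.1"), ("2.13.0", "2.14.1")]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Map '2.0-beta9', '2.12.1', ... to a sortable tuple; beta < rc < final release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    major, minor, patch, tag, tag_num = m.groups()
    rank = {"beta": 0, "rc": 1}.get((tag or "").lower(), 2)
    return (int(major), int(minor), int(patch or 0), rank, int(tag_num or 0))


def is_affected_log4j2(version):
    """True if a log4j2 version falls inside one of the stated ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_LOG4J2_RANGES)


def log4j1_uses_jms_appender(config_text):
    """log4j 1.2.x (AEM ships 1.2.17) is only exposed when JMSAppender is configured."""
    return "org.apache.log4j.net.JMSAppender" in config_text


def inventory(jar_paths, log4j1_config=""):
    """Classify jar paths (e.g. from `find <install> -name 'log4j*.jar'`) into verdicts.
    Only log4j-core carries the JNDI lookup, so log4j-api jars are reported as informational."""
    report = {}
    for path in jar_paths:
        base = path.rsplit("/", 1)[-1]
        core = re.fullmatch(r"log4j-core-([\w.\-]+)\.jar", base)
        v1 = re.fullmatch(r"log4j-(1\.[\w.]+)\.jar", base)
        if core:
            report[path] = "AFFECTED" if is_affected_log4j2(core.group(1)) else "outside affected range"
        elif v1:
            report[path] = ("log4j 1.x: JMSAppender configured, review" if log4j1_uses_jms_appender(log4j1_config)
                            else "log4j 1.x: no JMSAppender configured")
        else:
            report[path] = "informational (not log4j-core)"
    return report


# Constructed sample inventory and log4j 1.x config, not taken from a real AEM Forms install.
SAMPLE_JARS = ["/opt/aem/forms/lib/log4j-core-2.11.1.jar", "/opt/aem/forms/lib/log4j-api-2.11.1.jar",
               "/opt/aem/crx-quickstart/lib/log4j-1.2.17.jar", "/opt/aem/patched/lib/log4j-core-2.12.2.jar"]
SAMPLE_LOG4J1_PROPERTIES = "log4j.rootLogger=INFO, stdout\nlog4j.appender.stdout=org.apache.log4j.ConsoleAppender\n"
```

Running `inventory(SAMPLE_JARS, SAMPLE_LOG4J1_PROPERTIES)` flags only the 2.11.1 core jar; a removed-or-patched 2.12.2 jar and the 1.2.17 jar without a JMSAppender are reported as not in scope.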

Level 2

Hi Mayank,

Could you confirm that you have also looked into AEM Forms on JEE?

Is it advisable to mitigate the impact with the use of JVM parameters?

i.e., "-Dlog4j2.formatMsgNoLookups=true"

Level 4

Can we expect some official communications on how to mitigate this any time soon?

Employee

Yes, Adobe will be releasing public documentation on this soon. For now, here are the mitigation steps suggested by Engineering:

[Image attachment: Mayank_Tiwari_0-1639486499330.png (mitigation steps, not reproduced in text)]
