Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)

Level 2

Hello fellow members,

This new Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228) was reported yesterday.

We're on AEM 6.5 and understand that AEM uses a minimalist version of log4j over slf4j. I'd appreciate any input from this community to understand if this vulnerability affects sites/services hosted in AEM via its OOTB logging capability. If so, what are the corrective measures to overcome this?

Thanks

Ashin

30 Replies

Level 2

If you look at /system/console/bundles, there is an SLF4J over LOG4J bundle in there and Log4J version 1.2.17. Currently, the issues seem to affect log4j 2.x; it is unclear if 1.2.17 has any vulnerability. I submitted a P1 critical issue to Adobe to see what they have to say.

Level 2

Here is Adobe's response on the issue. They need time to figure out if the log4j 1.2.17 that is inside AEM is affected by this security flaw.

[Q1] Is Adobe aware of this Apache log4j library vulnerability?

[Adobe] Yes. Adobe is aware of this Apache log4j library vulnerability.

[Q2] Does Adobe use the Apache log4j library impacted by this issue?

[Adobe] Yes. This library is widely used in many applications and services across the industry, including Adobe.

[Q3] Is my data impacted?

[Adobe] The investigation is ongoing.

[Q4] What is Adobe doing to address the vulnerability?

[Adobe] Adobe is investigating potential impact and is taking action, including updating affected systems to the latest versions of Apache log4j recommended by the Apache Software Foundation.

[Q5] How is Adobe addressing this vulnerability with its vendors/suppliers/partners?

[Adobe] Adobe is reaching out to our vendors to determine potential impact now.

[Q6] Is there anything customers need to do to help protect themselves against this issue?

[Adobe] OOTB AEM ships with log4j v1.2.17, and CVE-2021-44228 seems to impact Apache Log4j 2, i.e. versions 2.0 to 2.14.1. To be absolutely sure, our engineering teams are testing if CVE-2021-44228 impacts any version of AEM. Once we have completed our investigation we will be updating you further. In the meantime, please ask your internal teams to check if they have used Apache Log4j 2, i.e. versions 2.0 to 2.14.1, in their custom projects inside AEM. If you are using Apache Log4j 2, i.e. versions 2.0 to 2.14.1, in your project, then please work on rectifying it ASAP.

Level 2

Thanks jimmyc6767014 for sharing this. We'll need to wait to hear back from Adobe, I guess.

Level 1

Thanks for posting this.

Where did you see this response from Adobe? On the Adobe security center, https://helpx.adobe.com/security/Home.html, there is no update on CVE-2021-44228 and no updates since Nov 9th.

Thanks

Employee

All:

All versions of Adobe Experience Manager have been confirmed as "unaffected" by the log4j issue. Please reach out to your customer success manager (CSM) or account team for more information.

Regards,

Chris Parkerson

Adobe Security Team

Level 1

@cparkers_Adobe Great news, does this cover related products Marketo and Bizible as well?

Employee

I can confirm that Marketo Engage has been "patched" and Bizible is "unaffected." Please reach out to your CSM/account team for any additional information on these or other products.

Thank you,

Chris Parkerson

Adobe Security Team

Employee

I can confirm that Analytics is "patched," Adobe Audience Manager is "patched," and Adobe Target is "unaffected." "Unaffected" means the product/service does not use the log4j library.

Regards,

Chris Parkerson

Adobe Security Team

Level 3

Can you confirm if Launch Tag Extensions and Adobe.io stay unaffected?

Thanks.

Level 1

Could you please provide the patch version applied for Marketo? Our security team is asking for this info. Thank you!

As I understand it, Revenue Cycle Explorer is separate from Marketo.

Can you confirm the status of RCE, please?

Level 2

AEM Forms on JEE 6.5.8 uses log4j versions 2.10 and 2.11.1. These versions are affected by this vulnerability. Could you please confirm the same?

I have already opened a ticket on the Daycare site but haven't had any response yet.

Level 1

Thank you, Chris.
Could you please confirm if AEM 6.3 is impacted by this log4j vuln? If yes, what are the guidelines from Adobe?

Level 2

AEM Forms on JEE 6.5.8 uses log4j versions 2.10 and 2.11.1. These versions are affected by this vulnerability. Could anyone else using it please confirm the same?

There may be a temporary workaround of adding "-Dlog4j2.formatMsgNoLookups=true", but it is not a complete fix.

I have already opened a ticket on the Daycare site but haven't had any response yet.
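As an added example (not code from this thread or from Adobe), the following Python inventory check walks a directory of jars, reads the log4j-core version from the jar's bundled pom.properties (falling back to the file name), notes whether the JndiLookup class is present, and flags versions in the 2.0 to 2.14.1 range quoted above. The sample jars it builds and the crx-quickstart directory hint are constructed assumptions for the demo, not data from the thread.

```python
import re
import tempfile
import zipfile
from pathlib import Path

AFFECTED_LOW, AFFECTED_HIGH = (2, 0, 0), (2, 14, 1)  # 2.0 .. 2.14.1, as quoted in the thread
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # real entry name

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.10' -> (2, 10, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def is_affected(version):
    """True only for Log4j 2 versions inside the range quoted in the thread."""
    return version is not None and AFFECTED_LOW <= version <= AFFECTED_HIGH

def inspect_jar(path):
    """Version from pom.properties (fallback: file name) plus JndiLookup presence."""
    path, version = Path(path), None
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
    if version is None:  # log4j 1.x jars carry no log4j-core pom.properties
        m = re.search(r"-(\d+\.\d+(?:\.\d+)?)\.jar$", path.name)
        version = parse_version(m[1]) if m else None
    return {"jar": path.name, "version": version,
            "has_jndi_lookup": JNDI_CLASS in names, "affected": is_affected(version)}

def scan_tree(root):
    """Inspect every *.jar below root (for AEM, e.g. the crx-quickstart directory)."""
    return [inspect_jar(p) for p in sorted(Path(root).rglob("*.jar"))]

def build_sample_jar(path, version=None, with_jndi_class=False):
    """Constructed stand-in jar for the offline demo; not a real Log4j artifact."""
    with zipfile.ZipFile(path, "w") as jar:
        if version:
            jar.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi_class:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only

def demo():
    """Two constructed jars: a 2.11.1 core jar (in range) and a 1.2.17 jar (out)."""
    root = Path(tempfile.mkdtemp())
    build_sample_jar(root / "log4j-core-2.11.1.jar", "2.11.1", True)
    build_sample_jar(root / "log4j-1.2.17.jar")
    return scan_tree(root)
```

Point `scan_tree` at an unpacked AEM instance (or any custom project's lib directory) to list every jar alongside its version and whether the lookup class is present.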