Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228) | Community
ashin-wilson
December 11, 2021

Hello fellow members,

This new Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228) was reported yesterday (read more).

We're on AEM 6.5 and understand that AEM uses a minimalist version of log4j over slf4j. I'd appreciate any input from this community to understand if this vulnerability affects sites/services hosted in AEM via its OOTB logging capability. If so, what are the corrective measures to overcome this?

Thanks

Ashin


December 11, 2021

If you look at /system/console/bundles, there is a SLF4J over LOG4J bundle in there and Log4J version 1.2.17. Currently, the issues seem to affect log4j 2.x; it is unclear if 1.2.17 has any vulnerability. I submitted a P1 critical issue to Adobe to see what they have to say.

December 11, 2021

Here is Adobe's response on the issue. They need time to figure out if log4j 1.2.17 that is inside AEM is affected by this security flaw.

[Q1] Is Adobe aware of this Apache log4j library vulnerability?

[Adobe] Yes. Adobe is aware of this Apache log4j library vulnerability.

[Q2] Does Adobe use the Apache log4j library impacted by this issue?

[Adobe] Yes. This library is widely used in many applications and services across the industry, including Adobe.

[Q3] Is my data impacted?

[Adobe] The investigation is ongoing.

[Q4] What is Adobe doing to address the vulnerability?

[Adobe] Adobe is investigating potential impact and is taking action including updating affected systems to the latest versions of Apache log4j recommended by the Apache Software Foundation.

[Q5] How is Adobe addressing this vulnerability with its vendors/suppliers/partners?

[Adobe] Adobe is reaching out to our vendors to determine potential impact now.

[Q6] Is there anything customers need to do to help protect themselves against this issue?

[Adobe] OOTB AEM ships with log4j v1.2.17 and CVE-2021-44228 seems to impact Apache Log4j 2, i.e. versions 2.0 to 2.14.1. To be absolutely sure, our engineering teams are testing if CVE-2021-44228 impacts any version of AEM. Once we have completed our investigation we will be updating you further. In the meantime, please ask your internal teams to check if they have used Apache Log4j 2, i.e. versions 2.0 to 2.14.1, in their custom projects inside AEM. If you are using Apache Log4j 2, i.e. versions 2.0 to 2.14.1, in your project then please work on it to rectify it asap.

ashin-wilson
December 12, 2021

Thanks jimmyc6767014 for sharing this. We'll need to wait to hear back from Adobe, I guess.

December 12, 2021

Hi,

Do we have any update from Adobe?

Adobe Employee
December 12, 2021

All:

All versions of Adobe Experience Manager have been confirmed as "unaffected" by the log4j issue. Please reach out to your customer success manager (CSM) or account team for more information.

Regards,

Chris Parkerson

Adobe Security Team

December 12, 2021

@cparkers_adobe Great news, does this cover related products Marketo and Bizible as well?

Adobe Employee
December 13, 2021

I can confirm that Marketo Engage has been "patched" and Bizible is "unaffected." Please reach out to your CSM/account team for any additional information on these or other products.

Thank you,

Chris Parkerson

Adobe Security Team

December 13, 2021

AEM Forms on JEE 6.5.8 uses log4j versions 2.10 and 2.11.1. These versions are affected by this vulnerability. Could anyone else using it please confirm the same?

There may be a temporary workaround to add "-Dlog4j2.formatMsgNoLookups=true", but it is not a complete fix.

I have already opened a ticket on the Daycare site but haven't had any response yet.
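The checks this thread keeps coming back to (look at which log4j-core version a deployment actually ships, compare it with the 2.0 to 2.14.1 range Adobe quoted, see whether the -Dlog4j2.formatMsgNoLookups=true stopgap is set, and know which versions need the 2.16.0 upgrade recommended later in the thread) can be scripted as a small inventory pass. The script below is an added example, not code from the thread, from Adobe or from the AEM/AEM Forms products; the jar-name pattern, the sample directory tree and the JVM option string are constructed for illustration, and inspecting jars nested inside WAR/EAR files assumes `unzip` is installed.

```shell
#!/bin/sh
# Added example (not from the thread or from Adobe): inventory log4j-core jars in a
# deployment and classify each version against the ranges discussed in this thread.
# The sample tree, file names and JVM option string below are constructed for illustration.

# classify_log4j_version VERSION -> prints affected | upgrade | ok | legacy-1x | unknown
#   affected : 2.0 .. 2.14.1, the CVE-2021-44228 range Adobe quoted above
#   upgrade  : 2.15.x, still below the 2.16.0 recommended later in the thread
#   ok       : 2.16.0 or newer
#   legacy-1x: 1.x (e.g. the 1.2.17 bundle in the AEM OSGi stack), outside that 2.x range
classify_log4j_version() {
    v=$1
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}        # "0-beta9" -> "0", "14" -> "14"
    case "$major" in
        1) echo legacy-1x; return 0 ;;
        2) ;;
        *) echo unknown; return 0 ;;
    esac
    [ -n "$minor" ] || { echo unknown; return 0; }
    if [ "$minor" -le 14 ]; then
        echo affected
    elif [ "$minor" -lt 16 ]; then
        echo upgrade
    else
        echo ok
    fi
}

# jar_version PATH -> the version embedded in a log4j-core-<version>.jar file name
jar_version() {
    f=${1##*/}
    f=${f#log4j-core-}
    echo "${f%.jar}"
}

# scan_dir DIR -> one "<path> <version> <classification>" line per log4j-core jar found.
# Jars packed inside WAR/EAR archives (as with AEM Forms on JEE deployed on JBoss) are
# listed with unzip -Z1 without extracting them; the entry is printed as "<archive>!<entry>".
scan_dir() {
    find "$1" -type f \( -name 'log4j-core-*.jar' -o -name '*.war' -o -name '*.ear' \) | while read -r p; do
        case "$p" in
            *.jar) ver=$(jar_version "$p"); echo "$p $ver $(classify_log4j_version "$ver")" ;;
            *)     unzip -Z1 "$p" 2>/dev/null | grep 'log4j-core-.*\.jar$' | while read -r inner; do
                       ver=$(jar_version "$inner"); echo "$p!$inner $ver $(classify_log4j_version "$ver")"
                   done ;;
        esac
    done
}

# has_nolookups_flag "JVM OPTIONS" -> success if the stopgap named in the thread is present.
# As the thread says, this is a temporary workaround and not a substitute for upgrading.
has_nolookups_flag() {
    case " $1 " in
        *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on a constructed tree (empty placeholder jars; only the file names matter here).
demo=$(mktemp -d)
mkdir -p "$demo/jboss/lib" "$demo/crx/launchpad"
: > "$demo/jboss/lib/log4j-core-2.11.1.jar"
: > "$demo/crx/launchpad/log4j-core-2.16.0.jar"
scan_dir "$demo"
rm -rf "$demo"
```

Run `scan_dir` against the application server's deployment root and feed the JVM startup options (JAVA_OPTS or the process command line) to `has_nolookups_flag`; any line classified `affected` or `upgrade` is a jar to replace, regardless of whether the flag is set.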


flyaround
December 13, 2021

Could you please keep us updated here?
As you already mentioned, AEM 6.5.x uses affected versions of Log4j.

December 13, 2021

To be specific, this version of AEM Forms JEE is not the standard offering. It is deployed on JBoss as a WAR file and is quite different from the AEM WCM/OSGi stack everyone here is aware of.

This was a replacement for the LiveCycle application used to design and deploy Forms, not for designing websites, i.e. it's a forms management system, not a web content management system.

So I hope you understand AEM 6.5.x is not the same as AEM Forms on JEE 6.5.x.

If you are using the usual AEM OSGi WCM for designing websites and so on, the advice from @cparkers_Adobe should be applicable and hence not vulnerable.

ashin-wilson
December 13, 2021

Thanks everyone for contributing towards this post. Adobe's premier support tells us (in green) that:

The below chart has been updated with Experience Manager (AEM) and Campaign status.

Product                                        Status
Analytics                                      Patched
Audience Manager                               Patched
Target                                         Unaffected
Adobe Campaign Classic (hosted)                Unaffected
Adobe Experience Manager (v6.5, on premise)    Unaffected

Any product not currently listed in this table is still being evaluated. We will send through an update as the status is confirmed for products and services.

We've used OOTB logging for all our AEM projects and hence, effectively, from an AEM perspective we're not really impacted by this CVE. Will keep this thread up-to-date as we hear more from Adobe.

Pablo_Childe
Community Advisor
December 13, 2021

Hi folks:

A question on the Analytics patch. Do we need to update any extensions or code locally, or is this fully backend patches being applied, so that I as an end user don't need to do anything?

thanks

ashin-wilson
December 14, 2021

Hi @pablo_childe,

If you have overridden the log4j2 capabilities of Analytics in your code by using any (affected) 2.x version of the library, you will need to upgrade that to 2.16.0 (https://logging.apache.org/log4j/2.x/download.html).

If not, then Adobe has you covered, as they claim to have patched the backend services.

I'd strongly recommend raising a support ticket or getting in touch with your Adobe CSM to advise on the next steps.

Thanks