Expand my Community achievements bar.

Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)

Avatar

Level 2

Hello fellow members,

 

This new Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228) was reported yesterday (read more).

We're on AEM 6.5 and understand that AEM uses a minimalist version of log4j over slf4j. I'd appreciate any inputs from this community to understand if this vulnerability affects sites/services hosted in AEM via. its OOTB logging capability. If so what are the corrective measures to overcome this.

 

Thanks

Ashin

30 Replies

Avatar

Level 2

Could you please keep us updated here? 
As you already mentioned the AEM 6.5.x uses affected versions of Log4j.

Avatar

Level 2

To be specific this version of AEM Forms JEE is not the standard offering. This is deployed on Jboss as WAR file and quite different from the AEM WCM.OSGI stack everyone here is aware of.

This was a replacement of Livecycle application used to design and deploy Forms and not for designing websites i.e, its a forms management system not a web content management system.

So I hope you understand AEM 6.5.x is not same as AEM Forms on JEE 6.5.x.

If you are using the usual AEM OSGI WCM for designing websites and so on, the advice from @cparkers_Adobe , should be applicable and hence not vulnerable.

Avatar

Level 2

Hi razzd31, 

I am also talking about Adobe Experience Manager (AEM) Forms and was not aware that there is also another product which is called similar. Our Adobe AEM Forms is in version 6.5.0 and this contains log4j in version 2.10.0 and 2.11.0 

Avatar

Level 2

Good to have confirmation. We are in the same boat. 

Anyways I had already opened another thread so folks around here don't get confused.

 

You can check this thread and comment on the thread so Adobe is aware. The response there also states that they are still investigating.

 

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager-forms/aem-forms-jee-apache...

 

Avatar

Level 2

Thanks everyone for contributing towards this post. Adobe's premier support tells us (in green) that:

 

The below chart has been updated with Experience Manager (AEM) and Campaign status.

 

Product

Status

Analytics

Patched

Audience Manager

Patched

Target

Unaffected

Adobe Campaign Classic (hosted)

Unaffected

Adobe Experience Manager (v6.5, on premise)

Unaffected

 

Any product not currently listed in this table is still being evaluated. We will send through an update as the status is confirmed for products and services.

 

We've used OOTB logging for all our AEM projects and hence effectively, from an AEM perspective we're not really impacted by this CVE. Will keep this thread up-to-date as hear more from Adobe.

Avatar

Community Advisor

Hi folks:

 

A question on Analytics patch. Do we need to update any extensions or code locally as such, or is this fully backend patches being applied so I as an end user don`t need to do anything?

 

thanks

Avatar

Level 2

Hi @Pablo_Childe ,

 

If you have overridden log4j2 capabilities of analytics in your code by using any (affected) 2.x version of the library, you will need to upgrade that to 2.16.0 (https://logging.apache.org/log4j/2.x/download.html)

If not, then Adobe has you covered as they claim to have patched the backend services.

I'd strongly recommend to raise a support ticket or get in touch with your Adobe CSM, to advise on the next steps.

 

Thanks

 

Avatar

Level 2

Where is this information posted. is there any bulleting or news from adobe directly which I can see on log4j issue (esp for AEM related). 

Avatar

Level 2

Hello @ssatwork

This information is from the Adobe support ticket that we raised. I recommend you reaching out to your Adobe's success manager for more specific queries.

 

Thanks