Hello fellow members,
This new Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228) was reported yesterday (read more).
We're on AEM 6.5 and understand that AEM uses a minimalist version of log4j over slf4j. I'd appreciate any inputs from this community to understand if this vulnerability affects sites/services hosted in AEM via. its OOTB logging capability. If so what are the corrective measures to overcome this.
Thanks
Ashin
If you look at /system/console/bundles, there is a SLF4J over LOG4J bundle in there and Log4J version 1.2.17. Currently, the issues seem to affect log4j 2.x.. it is unclear if 1.2.17 has any vulnerability. I submitted a P1 critical issue to Adobe to see what they have to say.
Here is Adobe's response on the issue. They need time to figure out if log4j 1.2.17 that is inside AEM is affected by this security flaw.
[Q1] Is Adobe aware of this Apache log4j library vulnerability?
[Adobe] Yes. Adobe is aware of this Apache log4j library vulnerability.
[Q2] Does Adobe use the Apache log4j library impacted by this issue?
[Adobe] Yes. This library is widely used in many applications and services across the industry, including Adobe.
[Q3] Is my data impacted?
[Adobe] The investigation is ongoing.
[Q4] What is Adobe doing to address the vulnerability?
[Adobe] Adobe is investigating potential impact and is taking action including updating affected systems to the latest versions of Apache log4j recommended by the Apache Software Foundation.
[Q5] How is Adobe addressing this vulnerability with its vendors/suppliers/partners?
[Adobe] Adobe is reaching out to our vendors to determine potential impact now.
[Q6]Is there anything customers need to do to help protect themselves against this issue?
[Adobe] OOTB AEM ships with log4j v1.2.17 and CVE-2021-44228 seems to impact Apache Log4j 2 i.e. versions 2.0 to 2.14.1 To be absolutely sure, our engineering teams are testing if CVE-2021-44228 impacts any version of AEM. Once we have completed our investigation we will be updating you further. In the meantime, please ask your internal teams to check if they have used Apache Log4j 2 i.e. versions 2.0 to 2.14.1 in their custom projects inside AEM. If you are using Apache Log4j 2 i.e. versions 2.0 to 2.14.1 in your project then please work on it to rectify it asap.
Thanks jimmyc6767014 for sharing this. We'll need to wait to hear back from Adobe, I guess.
Hi,
Do we have any update from Adobe?
Hi,
Do we have update from Adobe?
No updates as of 12/12/2021 10.00am PST.
Do we have any update / ETA from the Adobe Team?
thanks for posting this.
Where did you see this response from Adobe? - as on the Adobe security center, https://helpx.adobe.com/security/Home.html
there is no update on CVE-2021-44228 and no updates since Nov 9th.
thanks
All:
All versions of Adobe Experience Manager have been confirmed as "unaffected" by the log4j issue. Please reach out to your customer success manager (CSM) or account team for more information.
Regards,
Chris Parkerson
Adobe Security Team
@cparkers_Adobe Great news, does this cover related products Marketo and Bizible as well?
I can confirm that Marketo Engage has been "patched" and Bizible is "unaffected." Please reach out to your CSM/account team for any additional information on these or other products.
Thank you,
Chris Parkerson
Adobe Security Team
I can confirm that Analytics is "patched," Adobe Audience Manager is "patched," and Adobe Target is "unaffected." "Unaffected" means the product/service does not use the log4j library.
Regards,
Chris Parkerson
Adobe Security Team
Can you confirm if Launch Tag Extensions and Adobe.io stays Unaffected?
Thanks.
Could you please provide the patch version applied for Marketo? Our security team is asking for this info. Thank you!
As I understand it, Revenue Cycle Explorer is separate from Marketo.
Can you confirm the status of RCE please?
The AEM Forms on JEE 6.5.8 uses the log4j 2.10, 2.11.1 versions. These versions are affected by this vulnerability. Could you please confirm the same.
I have already opened a ticket on the Daycare site but haven't had any response yet.
did someone from Adobe responds on that question
Thank you Chris.
Could you please confirm if AEM 6.3 is impacted with this log4j vuln? If yes, what are the guidelines from Adobe?
The AEM Forms on JEE 6.5.8 uses the log4j 2.10, 2.11.1 versions. These versions are affected by this vulnerability. Could anyone else using it please confirm the same.
There may be a temporary workaround to add "‐Dlog4j2.formatMsgNoLookups=true" but not a complete fix.
I have already opened a ticket on the Daycare site but haven't had any response yet.
Views
Likes
Replies