Adobe Experience Manager Sites & More

ashin-wilson · 12/11/21

Hello fellow members,

This new Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228) was reported yesterday (read more).

We're on AEM 6.5 and understand that AEM uses a minimalist version of log4j over slf4j. I'd appreciate any inputs from this community to understand if this vulnerability affects sites/services hosted in AEM via. its OOTB logging capability. If so what are the corrective measures to overcome this.

Thanks

Ashin

flyaround · 12/13/21

Could you please keep us updated here?
As you already mentioned the AEM 6.5.x uses affected versions of Log4j.

razzd31 · 12/13/21

To be specific this version of AEM Forms JEE is not the standard offering. This is deployed on Jboss as WAR file and quite different from the AEM WCM.OSGI stack everyone here is aware of.

This was a replacement of Livecycle application used to design and deploy Forms and not for designing websites i.e, its a forms management system not a web content management system.

So I hope you understand AEM 6.5.x is not same as AEM Forms on JEE 6.5.x.

If you are using the usual AEM OSGI WCM for designing websites and so on, the advice from @cparkers_Adobe , should be applicable and hence not vulnerable.

flyaround · 12/13/21

Hi razzd31,

I am also talking about Adobe Experience Manager (AEM) Forms and was not aware that there is also another product which is called similar. Our Adobe AEM Forms is in version 6.5.0 and this contains log4j in version 2.10.0 and 2.11.0

razzd31 · 12/13/21

Good to have confirmation. We are in the same boat.

Anyways I had already opened another thread so folks around here don't get confused.

You can check this thread and comment on the thread so Adobe is aware. The response there also states that they are still investigating.

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager-forms/aem-forms-jee-apache...

ashin-wilson · 12/13/21

Thanks everyone for contributing towards this post. Adobe's premier support tells us (in green) that:

The below chart has been updated with Experience Manager (AEM) and Campaign status.

Product	Status
Analytics	Patched
Audience Manager	Patched
Target	Unaffected
Adobe Campaign Classic (hosted)	Unaffected
Adobe Experience Manager (v6.5, on premise)	Unaffected

Any product not currently listed in this table is still being evaluated. We will send through an update as the status is confirmed for products and services.

We've used OOTB logging for all our AEM projects and hence effectively, from an AEM perspective we're not really impacted by this CVE. Will keep this thread up-to-date as hear more from Adobe.

Pablo_Childe · 12/13/21

Hi folks:

A question on Analytics patch. Do we need to update any extensions or code locally as such, or is this fully backend patches being applied so I as an end user don`t need to do anything?

thanks

ashin-wilson · 12/14/21

Hi @Pablo_Childe ,

If you have overridden log4j2 capabilities of analytics in your code by using any (affected) 2.x version of the library, you will need to upgrade that to 2.16.0 (https://logging.apache.org/log4j/2.x/download.html)

If not, then Adobe has you covered as they claim to have patched the backend services.

I'd strongly recommend to raise a support ticket or get in touch with your Adobe CSM, to advise on the next steps.

Thanks

ssatwork · 12/14/21

Where is this information posted. is there any bulleting or news from adobe directly which I can see on log4j issue (esp for AEM related).

ashin-wilson · 12/14/21

Hello @ssatwork,

This information is from the Adobe support ticket that we raised. I recommend you reaching out to your Adobe's success manager for more specific queries.

Thanks

Pablo_Childe · 12/15/21

Thanks for your reply.

Adobe Experience Manager Sites & More

Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe