
SOLVED

Is Creative Cloud vulnerable to the Apache Log4j utility (CVE-2021-44228) zero-day exploit


Level 1

Could someone on this forum please confirm if this is the case or not? I cannot find any official response from Adobe specifically related to CC. Our IT department will not allow us to use these products until we have a verified position from the supplier.


1 Accepted Solution


Correct answer by
Level 4

If you want to know more about this Log4j vulnerability, here it is!

What is the Log4j vulnerability?

The vulnerability is dubbed Log4Shell and it is officially known as CVE-2021-44228 (a CVE number is the unique number given to each vulnerability discovered across the world).

What is Log4j used for?

Software developers use the Log4j framework to record user activity and the behavior of applications for subsequent review. Distributed free by the nonprofit Apache Software Foundation, Log4j has been downloaded millions of times and is among the most widely used tools to collect information across corporate computer networks, websites and applications.

When did this come into the picture?

The vulnerability first came to light on December 9, though some reports say the issue first surfaced on December 1, and was highlighted by Alibaba Cloud Security team's Chen Zhaojun.

How can it have an impact?

The problem impacts Log4j 2, which is a very common logging library used by applications across the world. Logging lets developers see all the activity of an application. Tech companies such as Apple, Microsoft and Google all rely on this open-source library, as do enterprise applications from Cisco, NetApp, Cloudflare, Amazon and others.


The open-source Apache Log4j library has over 400,000 downloads from its GitHub project, according to cybersecurity firm Check Point.

How can hackers make use of it?

The vulnerability is serious because exploiting it could allow hackers to control Java-based web servers and launch what are called 'remote code execution' (RCE) attacks. In simple words, the vulnerability could allow a hacker to:

  • execute code remotely on a target computer, meaning that they can steal data,
  • install malware or take control (such as a payload).
  • Some cybercriminals have installed software that uses a hacked system to mine cryptocurrency,
  • while others have developed malware that allows attackers to hijack computers for large-scale assaults on internet infrastructure.


According to cybersecurity firm LunaSec, what makes the problem so serious is that this library is "ubiquitous" across applications, the exploit gives full server control and it is easy to execute. It rates this vulnerability as quite severe: 10/10 (the highest rating).

Check Point notes that the flaw "can be exploited either over HTTP or HTTPS (the encrypted version of browsing)," which adds to the problems.

If your organization uses a Log4j version below 2.0, they might also upgrade to 2.15rc2, which was released yesterday; they have released 1.16 today.

The problem here is that AEM comes with Log4j by default.

Hit validate if I answered your question.

Thanks @Bryski

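As an added example (not from this thread, Adobe or the Log4j project), here is a defender-side inventory check in Python: it walks a directory for log4j-core jars, reads each version from the jar manifest (falling back to the file name) and classifies it against the CVE-2021-44228 affected range. It goes a little beyond the answer above by also treating the Java 6/7 branch fixes (2.3.1 and 2.12.2) as fixed; the function names and the scan path passed to scan() are assumptions of this example.

```python
import re
import zipfile
from pathlib import Path

def parse_version(text):
    """'2.14.1', '2.0-beta9', '2.15.0-rc2' -> comparable tuple; pre-releases sort below finals."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    pre = (0, int(m.group(5))) if m.group(4) else (1, 0)  # (0, n) sorts before (1, 0)
    return (major, minor, patch, *pre)

# CVE-2021-44228 affects Log4j 2 from 2.0-beta9 up to and including 2.14.1. First
# fixed release per branch: 2.15.0 (mainline), 2.12.2 (Java 7), 2.3.1 (Java 6).
# Pre-release builds (rc/beta) of a fixed version are still flagged, conservatively.
FIRST_AFFECTED = parse_version("2.0-beta9")
FIRST_FIXED_ON_BRANCH = {(2, 12): parse_version("2.12.2"), (2, 3): parse_version("2.3.1")}
FIRST_FIXED_MAINLINE = parse_version("2.15.0")

def is_affected(version):
    """True if this Log4j version lies inside the CVE-2021-44228 affected range."""
    v = parse_version(version)
    if v[0] != 2 or v < FIRST_AFFECTED:
        return False  # Log4j 1.x and 2.0-beta1..beta8 are outside the affected range
    return v < FIRST_FIXED_ON_BRANCH.get(v[:2], FIRST_FIXED_MAINLINE)

def version_from_manifest(manifest_text):
    """Implementation-Version from MANIFEST.MF text, or None if the header is absent."""
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest_text, re.M)
    return m.group(1) if m else None

def jar_version(jar_path):
    """Version of a log4j-core jar: from its manifest, else from its file name."""
    with zipfile.ZipFile(jar_path) as jar:
        try:
            version = version_from_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
        except KeyError:  # jar shipped without a manifest
            version = None
    if version is None:
        m = re.search(r"log4j-core-([0-9][^/]*)\.jar$", Path(jar_path).name)
        version = m.group(1) if m else None
    return version

def scan(root):
    """Walk root (a path chosen by the caller) for log4j-core jars; yields (path, version, affected)."""
    for jar in Path(root).rglob("log4j-core*.jar"):
        version = jar_version(jar)
        yield str(jar), version, (is_affected(version) if version else None)  # None: unknown version
```

A version match is a reason to patch or verify, not proof of exposure, and jars nested inside war/ear archives are not unpacked by this scan.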

3 Replies


Level 4

Hi @Bryski 

As per the information provided by our company, Adobe is working to fix the issue and has even released a new (Replic APM) version to overcome it.

I guess your organization is trying to change its version and do a production build, so that is the reason they are telling you to stop using it for some time,

while they fix the issue by updating the existing Log4j and do a build for Stage and Prod.

Kindly ignore if my answer doesn't sound valid.


Level 1

Thanks @Pavan_Kalyan, we don't manage our CC products in house, just via the standard Adobe console. Does that make a difference?

I haven't seen the information from Adobe you're referring to. Is it this page: Adobe PSIRT?

Please excuse my ignorance, I'm a designer, not a developer.
