December 17, 2021
Log4j New Security Vulnerability and ColdFusion (Critical Zero Day Attack)
Host CF Alive podcast, founder CFUnited, CEO TeraTech

The new security vulnerability Log4j is 10/10 on the “Hacking Richter scale”. How might it be affecting your ColdFusion servers? And what can you do to protect your company?


TL;DR

  1. This issue affects most servers, as Log4j is used by many software tools on modern servers as well as by some versions of Adobe ColdFusion. Lucee CFML is not affected.
  2. Action: Patch Log4j in all your server software (not just in older versions of CF)
  3. Action: Add the JVM arg -Dlog4j2.formatMsgNoLookups=true to the java.args line in your jvm.config file (may need to update CF first depending on version – details below).

Understanding the Log4j Vulnerability

The log4j (CVE-2021-44228) vulnerability is extremely bad. Millions of applications use Log4j for logging, and all the attacker needs to do is get the application to log a specially crafted string.

Many servers have already been hit by this zero-day attack, which was first discovered on Friday 12/10/21, including those of Apple, Twitter, Steam and Tesla.

So what about your ColdFusion servers?

I am glad to say that both the Adobe ColdFusion engineering team and the Lucee team responded very fast to this issue.

The Adobe team worked over the weekend to review how this exploit affects a vanilla CF2021 and CF2018 install. See below for full details and what to do.

The Lucee team reported that Lucee is not affected by this issue. Details below. Good news for open source CFers!

CF security expert Pete Freitag says: “Some versions of ColdFusion (for example early versions of ColdFusion 2018) might include a version of log4j before 2.10.0 and greater than 2.0 which means that JVM arg mitigation doesn’t work, so you would need to update to the latest version first.”

Non-CF software

Here is what to do for Apache and other non-CF software that you have on your server:

  • Search for all Log4j use on your server, e.g. in Apache software.
  • Patch log4j for each of the instances found.
  • If you can’t upgrade log4j, you can mitigate the RCE vulnerability by setting log4j2.formatMsgNoLookups to true (-Dlog4j2.formatMsgNoLookups=true on the JVM command line).

Adobe detailed guidance to fix Log4j vulnerability in CF

The steps below are from this Adobe article.

Note: “ColdFusion plans to release a patch (version(s) 2021, 2018) for this log4j vulnerability to customers on 12/17/2021.”

ColdFusion (2021 release)

ColdFusion 2021 ships with Log4j versions 2.13.3 and 1.2. The former is impacted by this vulnerability, while the latter is not.

  • Stop the server.
  • Navigate to the directory <cf_root>/<Instance_name>/bin.
  • Open the jvm.config file and add the -Dlog4j2.formatMsgNoLookups=true argument to the java.args line. Save the file.
  • If you are using any third-party libraries that use Log4j2, and are hence vulnerable, search for log4j-core in the <cf_root> directory. If a Log4j2 version in the range (<= 2.10 and >= 2.0-beta9) is found, remove the JndiLookup class from the classpath as shown below; otherwise skip this step.
    1. If the Operating System is Windows, unzip the log4j-core-2.x.jar file, remove the class at the path org/apache/logging/log4j/core/lookup/JndiLookup.class, and zip log4j-core-2.x.jar again. x is the version number you found in the folder.
    2. If the Operating System is non-Windows, remove the JndiLookup class from the classpath with: zip -q -d log4j-core-2.x.jar org/apache/logging/log4j/core/lookup/JndiLookup.class (x is the version number you found in the folder).
  • Restart the instance.
  • Repeat the procedure for all other instances.

ColdFusion (2018 release)

ColdFusion 2018 ships with log4j 2.13.3 and/or 2.9.0, and log4j 1.2. The former is impacted by this vulnerability, while the latter (that is, v1.2) is not impacted.

  • Stop the server.
  • Navigate to the directory <cf_root>/<Instance_name>/bin.
  • Open the jvm.config file and add the -Dlog4j2.formatMsgNoLookups=true argument to the java.args line. Save the file.
  • Copy in the patched log4j-core-2.9.0.jar file with the JndiLookup class removed. The new file can be downloaded from here. If you find log4j-core-2.9.0.jar, move the file to a temporary location. If it is not found, skip this step.
    The temporary location must be outside ColdFusion’s classpath.
  • If you are using any third-party libraries that use log4j2, and are hence vulnerable, search for log4j-core in the <cf_root> directory. If a log4j2 version in the range (<= 2.10 and >= 2.0-beta9) is found, remove the JndiLookup class from the classpath as shown below; otherwise skip this step:
    1. If the Operating System is Windows, unzip the log4j-core-2.x.jar file, remove the class at the path org/apache/logging/log4j/core/lookup/JndiLookup.class, and zip log4j-core-2.x.jar again. x is the version number that you found in the folder.
    2. If the Operating System is non-Windows, remove the JndiLookup class from the classpath with: zip -q -d log4j-core-2.x.jar org/apache/logging/log4j/core/lookup/JndiLookup.class (x is the version number that you found in the folder).
  • Restart the instance and delete log4j-core-2.9.0.jar from the temporary location.
  • Repeat the procedure for all other instances.
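As an added example (not Adobe's or this article's own code), here is a Python audit that applies the version rules from the non-CF, CF2021 and CF2018 steps above to a <cf_root> tree: it finds every log4j-core jar, decides whether the jar needs the JndiLookup class stripped (below 2.10.0, where Pete Freitag notes the JVM arg is not honoured) or is covered by -Dlog4j2.formatMsgNoLookups=true (2.10.0 up to 2.15.0, the release that fixed CVE-2021-44228), checks whether the class has already been removed, and confirms the flag is on the java.args line of jvm.config. build_sample_tree() is a constructed stand-in install with placeholder jar contents, so the audit runs offline; the jar names, version boundaries and the "cfusion" layout are assumptions made for the example.

```python
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"
VERSION_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-\w+)?\.jar$")

def mitigation_for(jar_name):
    """Which of the page's mitigations a log4j-core jar needs, judged by its version (CVE-2021-44228)."""
    if not (m := VERSION_RE.match(jar_name)):
        return None                 # not a log4j-core 2.x jar; log4j 1.2.x is named log4j-1.2.x.jar
    version = (int(m[1]), int(m[2]), int(m[3] or 0))
    if version < (2, 10, 0):
        return "remove-jndilookup"  # JVM arg not honoured before 2.10.0: strip the class (Adobe step)
    if version < (2, 15, 0):
        return "set-jvm-flag"       # -Dlog4j2.formatMsgNoLookups=true mitigates until the jar is upgraded
    return "patched"                # 2.15.0 fixed CVE-2021-44228

def jvm_config_has_flag(jvm_config):
    """True if the java.args line of jvm.config already carries the NoLookups flag."""
    lines = Path(jvm_config).read_text().splitlines()
    return any(l.startswith("java.args=") and NO_LOOKUPS_FLAG in l for l in lines)

def audit(cf_root):
    """{relative jar path: action} for every log4j-core jar under cf_root that still needs work."""
    todo = {}
    for jar in Path(cf_root).rglob("log4j-core-*.jar"):
        action = mitigation_for(jar.name)
        if action == "remove-jndilookup":   # a jar already stripped with zip -d counts as done
            with zipfile.ZipFile(jar) as zf:
                action = "patched" if JNDI_CLASS not in zf.namelist() else action
        if action in ("remove-jndilookup", "set-jvm-flag"):
            todo[str(jar.relative_to(cf_root))] = action
    return todo

def build_sample_tree():  # constructed stand-in for <cf_root>, not a real install
    root = Path(tempfile.mkdtemp())
    for sub in ("lib", "bin"):
        (root / "cfusion" / sub).mkdir(parents=True)
    jars = {"log4j-core-2.13.3.jar": True, "log4j-core-2.9.0.jar": True, "log4j-core-2.3.jar": False}
    for name, with_class in jars.items():   # True = JndiLookup.class still inside (placeholder bytes)
        with zipfile.ZipFile(root / "cfusion" / "lib" / name, "w") as zf:
            if with_class:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    (root / "cfusion" / "bin" / "jvm.config").write_text("java.args=-Xmx1024m " + NO_LOOKUPS_FLAG + "\n")
    return root
```

Run audit() against a real install root instead of the sample tree; any jar it reports still needs one of the steps above, and a jar left unreported is either already stripped or not in the affected 2.x range.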

ColdFusion (2016 release)

ColdFusion (2016 release) ships with Log4j 1.2, which is not impacted. If the installation has any third-party libraries that use Log4j2, follow the steps listed for third party libraries above for version 2018 or 2021.

Performance Monitoring Toolset 2021

Performance Monitoring Toolset 2021 ships with log4j 2.11.1 and log4j 2.3. Both versions are impacted.

  • Stop the Performance Monitoring Toolset and datastore services.
  • Navigate to the directory <PMT_Home>/datastore/config.
  • Open the file jvm.options and add the -Dlog4j2.formatMsgNoLookups=true argument in the #log4j2 section. Save the file.
  • Navigate to the directory <PMT_Home>/lib.
  • Move the file log4j-core-2.3.jar to a temporary location.
  • Copy in the patched log4j-core-2.3.jar file with the JndiLookup class removed. The file can be downloaded from here.
  • Restart the Performance Monitoring Toolset and datastore services.
    Delete log4j-core-2.3.jar from the temporary location.

Performance Monitoring Toolset 2018

Performance Monitoring Toolset 2018 ships with log4j 2.9.1 and log4j 2.3. Both versions are impacted.

  • Stop the Performance Monitoring Toolset and datastore services.
  • Navigate to the directory <PMT_Home>/datastore/lib.
  • Move the file log4j-core-2.9.1.jar to a temporary location.
  • Copy in the patched log4j-core-2.9.1.jar file with the JndiLookup class removed. The file can be downloaded from here.
  • Navigate to the directory <PMT_Home>/lib.
  • Copy the file log4j-core-2.3.jar to a temporary location.
  • Copy in the patched log4j-core-2.3.jar file with the JndiLookup class removed. The file can be downloaded from here.
  • Restart the Performance Monitoring Toolset and datastore services.
    Delete log4j-core-2.3.jar and log4j-core-2.9.1.jar from the temporary location.

API Manager 2021, 2018, and 2016

API Manager 2021, 2018, and 2016 ship with log4j 2.3. This version is impacted.

  • Stop the API Manager server (<APIM_Home>/bin) and the Analytics service (<APIM_Home>/database/analytics/bin).
  • Navigate to the directory <APIM_Home>/lib.
  • Move the file log4j-core-2.3.jar to a temporary location.
  • Copy in the patched log4j-core-2.3.jar file with the JndiLookup class removed. The file can be downloaded from here.
  • Restart the Analytics service and the API Manager server.
    You can now delete log4j-core-2.3.jar from the temporary location.

Lucee CFML is not affected

Lucee CFML ships with log4j 1.2.x which is not listed as an affected version for CVE-2021-44228. Good news for open source CFers!

Once again we see why regular CF updates are important

Log4j did not affect the latest patched versions of CF 2021 or CF 2018. This is a reminder of why it is so important to apply hotfixes regularly, and why you should update to the latest version of ColdFusion regularly!

Here at TeraTech, we use Pete Freitag’s HackMyCF tool to monitor CF servers for old versions and other security issues. He also sends out CF security alerts to customers, which is how I first learned of this vulnerability.

Here is Pete’s article on Log4j and CF

Why the Log4j attack is critical

The problem is that the log4j package is so ubiquitous: it is used in Apache software like Apache Struts, Solr and Druid, in other technologies such as Redis and ElasticSearch, and even in video games like Minecraft.

Other services affected include:

  1. AWS
  2. AZURE
  3. Broadcom
  4. Cisco
  5. CPanel
  6. ConnectWise
  7. Debian
  8. Eclipse
  9. Elastic
  10. F-Secure
  11. GitHub
  12. Huawei
  13. Jenkins
  14. JFROG
  15. Jitsi
  16. Kafka
  17. McAfee
  18. Solarwinds
  19. Netflix
  20. Oracle
  21. Palo-Alto
  22. Pulse Secure
  23. RedHat
  24. RSA
  25. Sophos
  26. SonicWall
  27. VMware

How are you reacting to this major security issue?

Michaela Light is the host of the CF Alive Podcast and has interviewed more than 100 ColdFusion experts. In each interview, she asks “What Would It Take to make CF more alive this year?” The answers still inspire her to continue to write and interview new speakers. Michaela has been programming in ColdFusion for more than 20 years. She founded TeraTech in 1989. The company specializes in ColdFusion application development, security and optimization. She has also founded the CFUnited Conference and runs the annual State of the CF Union Survey.

Article originally published at www.teratech.com