FusionReactor Observability & APM

Troubleshoot

Blog / Info

Customers

About Us

Installation

Configure

Troubleshoot

Blog / Info

Customers

About Us

Log4j vulnerability Important information for ColdFusion, Lucee, and Java users 

Log4j vulnerability

Log4j CVE-2021-44228 and CVE-2021-45046 Log4 Shell vulnerability Important information for ColdFusion, Lucee, and Java users 

Updated December 16, 2021

Does FusionReactor need updating to fix the vulnerability?

The FusionReactor agent does not depend on or utilize Log4j, so is not susceptible to this vulnerability. In order to protect you and your clients, you must ensure that any other framework, library, or component you are using is updated.

Is FusionReactor protected?

All FusionReactor SaaS (Cloud) services that use Log4j have been updated to protect against this issue.

What are the Log4J vulnerabilities?

Log4j problems were first observed in the game Minecraft, but it quickly became apparent that their impact was far greater. There are millions of web applications that use the software, including Apple’s iCloud. Attacks exploiting the bug, known as Log4Shell attacks have been happening in the wild since 9 December, says Crowstrike.

Log4j, which is used by millions of web servers, has been found to contain a critical security flaw. They are vulnerable to attack due to the bug, and teams around the world are trying to patch them before hackers gain access to them. “The internet’s on fire right now,” said Adam Meyers at security company Crowdstrike.

It was discovered on December 13th that Apache Log4j 2.15.0 had an incomplete fix for CVE-2021-44228 in non-default configurations. This allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack.

Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Read more: https://logging.apache.org/log4j/2.x/security.html

How to protect yourself

Updated December 16, 2021

On December 13, 2021, Apache released Log4j version 2.16.0 in a security update to address a second vulnerability; CVE-2021-45046.

Note: affected organizations that have already upgraded to Log4j 2.15.0 will need to upgrade to Log4j 2.16.0 to be protected against both CVE-2021-44228 and CVE-2021-45046.

On December 10, 2021, the Apache Foundation released an emergency update for a critical zero-day vulnerability in Log4j, a logging tool used in almost every Java application. The issue has been named Log4Shell and received the identifier CVE-2021-44228.

An attacker can execute arbitrary code on a system that uses Log4j to write log messages by exploiting a bug in the Log4j library. The security vulnerability in Log4j has a broad impact and should be addressed by anyone who uses Log4j in their application.

This is really important for ColdFusion, Lucee, and Java users 

Everyone using CF, Lucee, or Java should check to make sure they’re safe. This issue can affect you and any clients using your code.

Log4J vulnerability in Adobe ColdFusion

Log4j vulnerabilityIn the Adobe blog, Log4j vulnerability on ColdFusion which was published on December 15th, 2021, Adobe confirmed that Coldfusion has been affected by the Log4J vulnerability

Adobe report that it is investigating potential impacts and taking action to update affected systems to the latest Apache Log4j versions recommended by the Apache Software Foundation.

ColdFusion plans to release a patch (version(s) 2021, 2018) for this log4j vulnerability to customers on 12/17/2021.

Urgent actions if you are using ColdFusion or PMT

To address the Log4j vulnerability in ColdFusion, Adobe recommends all ColdFusion users should immediately follow the workarounds/mitigations outlined in its post.

Read the Adobe ColdFusion recommendations in full