There is a critical security vulnerability (CVE-2021-44228, aka Log4Shell) in the java library log4j, which is a popular logging library for java applications. It is included in both Adobe ColdFusion and Lucee, for example. Putting together some info to help sort this issue out as it pertains to ColdFusion and Lucee users.

TLDR: Adobe ColdFusion users should upgrade to either ColdFusion 2018 Update 14 or ColdFusion 2021 Update 4 (both now use log4j version 2.17.2). Lucee has released version 5.3.9.133 with log4j 2.17.2; earlier versions used log4j 1.x.

What versions of log4j are vulnerable to CVE-2021-44228?

Versions Affected: all versions from 2.0-beta9 to 2.14.1. Here's the jira issue for when the JNDI lookup feature was added in 2.0-beta9: LOG4J2-313

- It appears that the fix in 2.15.0 and the JVM mitigation was incomplete. Another issue was found in 2.15.0, a more serious / critical RCE. Fixed in 2.16.0. Version 2.16.0 was released.
- A Denial of Service (DOS) issue in 2.16.0 and below, fixed in 2.17.0.
- Log4j versions 2.17.0 and below are vulnerable to an RCE when the attacker can modify the log4j configuration. 2.17.1 was released to address this issue.

Here's a list of possible mitigations, initially sourced from LunaSec's blog:

- Add JVM arg: -Dlog4j2.formatMsgNoLookups=true (only works on log4j 2.10.0 and up).
- According to Microsoft's Response to this issue, you can set an environment variable instead of the JVM argument: LOG4J_FORMAT_MSG_NO_LOOKUPS=true - incomplete for CVE-2021-45046, CVE-2021-45105, CVE-2021-44832.

All of the above require restarting the java process (restart ColdFusion or Lucee).

A few additional mitigations that you can consider:

- Use your network firewall to ensure that no egress internet traffic leaves the server. This might be tricky depending on your requirements, but if the server cannot make a network request to the internet, this has a big impact on the severity of this. This could also be done at the jvm level using a java security policy or sandbox security in ColdFusion.
- If you cannot use the jvm arg because you have log4j2 2.0 - 2.10.0 and for some reason cannot update to version 2.17.0, then it should be safe to remove the offending JndiLookup.class class file from the jar. You may still have DOS issues to consider with this approach.
- Many Web Application Firewalls (WAF) provide detection / blocking of Log4Shell attack patterns. However, you should never treat a WAF as a 100% solution.
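As an added example (not code from the original post, nor from Adobe, Lucee or the log4j project), the following Python script ties the version ranges and the "remove JndiLookup.class" mitigation above into a small audit tool for a log4j-core jar. It assumes that log4j-core jars carry an `Implementation-Version` header in `META-INF/MANIFEST.MF` (with the file name as a fallback) and that the lookup class sits at `org/apache/logging/log4j/core/lookup/JndiLookup.class` as named in the Apache advisory; the sample jar it builds is a constructed fixture, not a real log4j build.

```python
"""Audit a log4j-core jar against the CVE-2021-44228 family and apply the JndiLookup.class removal.

Added example, not from the original post. Assumptions: Implementation-Version manifest header,
and the JndiLookup class path from the Apache Log4j advisory.
"""
import io
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Entry deleted by the "remove JndiLookup.class from the jar" mitigation (path per the Apache advisory).
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:beta|rc)(\d+))?$")


def parse_version(text):
    """'2.0-beta9' -> (2, 0, 0, 9); '2.14.1' -> (2, 14, 1, FINAL). Pre-releases sort below the final build."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError("unrecognised log4j version: %r" % text)
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), int(pre) if pre else 10**6)


# Last affected version per CVE, as stated in the post. Every window starts at 2.0-beta9
# (where JNDI lookup was added), so an old version collects all four entries.
_WINDOWS = [
    ("2.14.1", "CVE-2021-44228"),
    ("2.15.0", "CVE-2021-45046"),
    ("2.16.0", "CVE-2021-45105"),
    ("2.17.0", "CVE-2021-44832"),
]
_FIRST_AFFECTED = parse_version("2.0-beta9")


def classify(version):
    """CVEs from the post that apply to this log4j 2 version (empty list means 2.17.1 or later)."""
    v = parse_version(version)
    if v < _FIRST_AFFECTED:
        return []
    return [cve for last, cve in _WINDOWS if v <= parse_version(last)]


def recommended_action(version):
    """Interim mitigation from the post; upgrading to 2.17.2 is the real fix in every case."""
    if not classify(version):
        return "none"
    if parse_version(version) >= parse_version("2.10.0"):  # JVM arg only works on 2.10.0 and up
        return "upgrade; interim: -Dlog4j2.formatMsgNoLookups=true (incomplete) or remove JndiLookup.class"
    return "upgrade; interim: remove JndiLookup.class"


def jar_version(jar_path):
    """Read Implementation-Version from the manifest (assumed header), else parse the file name."""
    with zipfile.ZipFile(jar_path) as zf:
        names = zf.namelist()
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in names else ""
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    if m:
        return m.group(1)
    m = re.search(r"log4j-core-(\d[\w.-]*?)\.jar$", Path(jar_path).name)
    return m.group(1) if m else None


def has_jndi_lookup(jar_path):
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP_ENTRY in zf.namelist()


def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (same effect as `zip -q -d <jar> <entry>`). True if removed."""
    src = Path(jar_path)
    with zipfile.ZipFile(src) as zin:
        if JNDI_LOOKUP_ENTRY not in zin.namelist():
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zout:
            for item in zin.infolist():
                if item.filename != JNDI_LOOKUP_ENTRY:
                    zout.writestr(item, zin.read(item.filename))
    src.write_bytes(buf.getvalue())  # the JVM must still be restarted to drop the already-loaded class
    return True


def audit(jar_path):
    version = jar_version(jar_path)
    return {"jar": str(jar_path), "version": version,
            "cves": classify(version) if version else None,
            "jndi_lookup_present": has_jndi_lookup(jar_path),
            "action": recommended_action(version) if version else "unknown version"}


def make_sample_jar(path, version):
    """Constructed fixture: a stand-in log4j-core jar with a manifest and a dummy JndiLookup.class entry."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
        zf.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    return path


def demo(version="2.14.1"):
    """Build a sample jar, audit it, strip JndiLookup.class, audit again; returns (before, after)."""
    with tempfile.TemporaryDirectory() as d:
        jar = make_sample_jar(os.path.join(d, "log4j-core-%s.jar" % version), version)
        before = audit(jar)
        remove_jndi_lookup(jar)
        after = audit(jar)
    return before, after


if __name__ == "__main__":
    for report in demo():
        print(report)
```

Run it against a real installation by pointing `audit()` at the log4j-core jar under the ColdFusion or Lucee lib directory; `remove_jndi_lookup()` changes the jar on disk, so back the file up first and restart the java process afterwards, as the post notes for every mitigation.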