Log4j CVE-2021-44228 and CVE-2021-45046 Log4Shell vulnerability: important information for ColdFusion, Lucee, and Java users

This is really important for ColdFusion, Lucee, and Java users. Everyone using CF, Lucee, or Java should check to make sure they are safe. This issue can affect you and any clients using your code.

The issue has been named Log4Shell and received the identifier CVE-2021-44228. An attacker can execute arbitrary code on a system that uses Log4j to write log messages by exploiting a bug in the Log4j library. The security vulnerability in Log4j has a broad impact and should be addressed by anyone who uses Log4j in their application.

On December 10, 2021, the Apache Foundation released an emergency update for a critical zero-day vulnerability in Log4j, a logging tool used in almost every Java application. On December 13, 2021, Apache released Log4j version 2.16.0 in a security update to address a second vulnerability, CVE-2021-45046. Note: affected organizations that have already upgraded to Log4j 2.15.0 will need to upgrade to Log4j 2.16.0 to be protected against both CVE-2021-44228 and CVE-2021-45046.

Log4j problems were first observed in the game Minecraft, but it quickly became apparent that their impact was far greater. There are millions of web applications that use the software, including Apple’s iCloud. Attacks exploiting the bug, known as Log4Shell attacks, have been happening in the wild since 9 December, says Crowdstrike. Log4j, which is used by millions of web servers, has been found to contain a critical security flaw. They are vulnerable to attack due to the bug, and teams around the world are trying to patch them before hackers gain access to them. “The internet’s on fire right now,” said Adam Meyers at security company Crowdstrike.

How to protect yourself (updated December 16, 2021)

It was discovered on December 13th that Apache Log4j 2.15.0 had an incomplete fix for CVE-2021-44228 in non-default configurations. This allows attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $$) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DoS) attack. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Is FusionReactor protected?

All FusionReactor SaaS (Cloud) services that use Log4j have been updated to protect against this issue. In order to protect you and your clients, you must ensure that any other framework, library, or component you are using is updated.

Does FusionReactor need updating to fix the vulnerability? (updated December)

The FusionReactor agent does not depend on or utilize Log4j, so it is not susceptible to this vulnerability.
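The post asks every ColdFusion, Lucee and Java user to check that they are safe, and the CVE-2021-45046 text above names the non-default configuration that the 2.15.0 gap depends on. The following Python script is an added example that turns both into a local check; it is not FusionReactor's or the blog's own code. It assumes you point it at an install root (a ColdFusion or Lucee directory, or a Tomcat webapps tree), treats any log4j-core below 2.16.0 as needing an upgrade (the page's own baseline), and flags Log4j 2 configuration files whose layout pattern uses %X, %mdc, %MDC or a ${ctx:...} lookup. It goes slightly beyond the page's wording by also looking inside .war/.ear/.zip containers, because Java web applications bundle libraries under WEB-INF/lib. The sample install it builds is constructed for the demonstration.

```python
"""Log4Shell exposure check for a Java, ColdFusion or Lucee install (added example).
Inventories log4j-core jars (also inside .war/.ear/.zip), compares them with the
2.16.0 baseline from the advisory, and flags Log4j 2 configuration files whose
pattern uses %X/%mdc/%MDC or ${ctx:...}, the non-default setup CVE-2021-45046 needs.
"""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass

FIXED_VERSION = (2, 16, 0)                      # version the advisory says to move to
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")  # containers that may hold nested jars
JAR_VERSION_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)")
# Thread Context Map patterns (%X, %mdc, %MDC) or a ${ctx:...} Context Lookup
RISKY_PATTERN_RE = re.compile(r"%X(?![A-Za-z])|%mdc\b|%MDC\b|\$\{ctx:")

@dataclass
class Finding:
    path: str          # filesystem path; "!" separates entries inside an archive
    kind: str          # "jar" or "config"
    detail: str
    needs_action: bool

def parse_jar_version(name):
    m = JAR_VERSION_RE.search(os.path.basename(name))
    return tuple(int(x) for x in m.groups()) if m else None

def check_jar(path, version):
    if version is None:
        return Finding(path, "jar", "version not in file name; inspect manually", True)
    v = ".".join(map(str, version))
    if version < FIXED_VERSION:
        return Finding(path, "jar", f"log4j-core {v} is below 2.16.0; upgrade", True)
    return Finding(path, "jar", f"log4j-core {v} is at or above 2.16.0", False)

def check_config(path, text):
    hits = sorted(set(RISKY_PATTERN_RE.findall(text)))
    if hits:
        return Finding(path, "config", "non-default pattern uses " + ", ".join(hits), True)
    return Finding(path, "config", "no Thread Context Map / Context Lookup pattern", False)

def is_log4j_config(name):
    base = os.path.basename(name).lower()
    return base.startswith("log4j2") and base.endswith((".xml", ".properties", ".json", ".yaml", ".yml"))

def is_log4j_core_jar(name):
    base = os.path.basename(name)
    return base.startswith("log4j-core") and base.endswith(".jar")

def scan_archive(data, label, findings):
    """Inspect an archive held in memory, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        for entry in zf.namelist():
            inner = f"{label}!{entry}"
            if is_log4j_core_jar(entry):
                findings.append(check_jar(inner, parse_jar_version(entry)))
            elif entry.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(entry), inner, findings)
            elif is_log4j_config(entry):
                findings.append(check_config(inner, zf.read(entry).decode("utf-8", "replace")))

def scan_tree(root):
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if is_log4j_core_jar(fn):
                findings.append(check_jar(path, parse_jar_version(fn)))
            elif fn.lower().endswith(ARCHIVE_EXT):
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), path, findings)
            elif is_log4j_config(fn):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.append(check_config(path, fh.read()))
    return findings

def build_sample_install():
    """Constructed fixture, not a real install: an old jar on disk, a fixed jar plus a
    risky log4j2.xml inside a war, and a default-pattern log4j2.xml on disk."""
    root = tempfile.mkdtemp(prefix="log4j-check-")
    os.makedirs(os.path.join(root, "lib"))
    open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb").close()
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.16.0.jar", b"")
        z.writestr("WEB-INF/classes/log4j2.xml", '<PatternLayout pattern="%d [%X{loginId}] %m%n"/>')
    with open(os.path.join(root, "log4j2.xml"), "w") as fh:
        fh.write('<PatternLayout pattern="%d %p %c - %m%n"/>')
    return root

if __name__ == "__main__":
    for f in scan_tree(build_sample_install()):
        print("ACTION" if f.needs_action else "ok    ", f.kind, f.path, "->", f.detail)
```

Run it against a real directory with `scan_tree("/path/to/install")` instead of the constructed fixture. The version comes from the jar file name only, so a renamed or shaded log4j-core is reported as "inspect manually" rather than silently passed, and a flagged configuration means the non-default layout is present, which is exactly the case where staying on 2.15.0 is not enough.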