Adobe ColdFusion 20 include potentially vulnerable versions of log4j2. I notified the Adobe Product Security Incident Response Team (PSIRT) early Friday () morning of the issue. Adobe has published a KB article on, and on released ColdFusion 2021 Update 3 and ColdFusion 2018 Update 13 to address CVE-2021-44228 and CVE-2021-45046 by updating log4j to version 2.16.0.

If you cannot use the jvm arg because you have log4j2 2.0 - 2.10.0 and for some reason cannot update to version 2.17.0, then it should be safe to remove the offending JndiLookup.class class file from the jar. You may still have DOS issues to consider with this approach.

This might be tricky depending on your requirements, but if the server cannot make a network request to the internet, this has a big impact on the severity of this issue. This could also be done at the jvm level using a java security policy or sandbox security in ColdFusion.

Many Web Application Firewalls (WAF) provide detection / blocking of Log4Shell attack patterns. However, you should never treat a WAF as a 100% solution: many if not all WAF patterns could be evaded, but they can still block many attempts (defense in depth). FuseGuard, a WAF written in CFML, has added a Log4ShellFilter in version 3.4.0.
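As an added example (not code from the original post or from Adobe), the following Python reads a log4j-core jar's pom.properties to get its version, checks whether the JndiLookup.class entry mentioned above is present, classifies the jar as fixed (2.17.0 or later), mitigated (class removed, DoS issues may remain) or vulnerable, and writes a copy of the jar without that class. The sample jar it builds is constructed in memory with placeholder entries and is not a real log4j build; the path of the jar inside a ColdFusion install is not assumed.

```python
"""Inspect a log4j-core jar and produce a copy with JndiLookup.class removed (added example)."""
import io
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 17, 0)  # version the post says to update to


def parse_version(pom_properties):
    """Return the version= line of pom.properties as an int tuple, or None if absent."""
    for line in pom_properties.splitlines():
        if line.startswith("version="):
            return tuple(int(p) for p in line.split("=", 1)[1].strip().split(".")[:3])
    return None


def inspect_jar(jar_file):
    """Return (version tuple or None, True if JndiLookup.class is still in the jar)."""
    with zipfile.ZipFile(jar_file) as jar:
        names = set(jar.namelist())
        version = parse_version(jar.read(POM_PROPS).decode()) if POM_PROPS in names else None
        return version, JNDI_CLASS in names


def classify(version, has_jndi_lookup):
    """fixed: 2.17.0+; mitigated: class removed (DoS issues may remain); else vulnerable."""
    if version is not None and version >= FIXED_VERSION:
        return "fixed"
    return "vulnerable" if has_jndi_lookup else "mitigated"


def strip_jndi_lookup(src_file, dst_file=None):
    """Copy every entry except JndiLookup.class into dst_file; returns (dst_file, entries dropped)."""
    dst_file = io.BytesIO() if dst_file is None else dst_file
    dropped = 0
    with zipfile.ZipFile(src_file) as src, zipfile.ZipFile(dst_file, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                dropped += 1
                continue
            dst.writestr(info, src.read(info.filename))  # keeps original entry metadata
    return dst_file, dropped


def make_sample_jar(version="2.14.1"):
    """Constructed in-memory jar with placeholder entries (not real log4j bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        jar.writestr(JNDI_CLASS, b"placeholder")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"placeholder")
    return buf
```

Pass a real jar path to `inspect_jar()` and `strip_jndi_lookup()` (with a destination path) to apply the same check and removal on disk; restart the JVM afterwards so the patched jar is the one loaded.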