Adobe Content Server and Log4j Zero Day Vulnerability - CVE-2021-44228 / CVE-2021-45046
Estimated Reading Time: 1 MinutesIn December 2021, a zero day exploit was made public that affected the Log4j logging module. This exploit allows remote code execution where an attacker could execute malicious code on a remote server where it is typically not allowed. This vulnerability was introduced into the Log4j module starting with version 2.0-beta-9 in 2013. The exploit was patched in version 2.15.0. Furthermore, Java 8u121 has mitigation where the avenue for the attack can be closed by disallowing JNDI message lookups.
On December 15, 2021, it was discovered that the fix for CVE-2021-44228 in Log4j 2.15.0 had a defect that resulted in the zero day exploit not being fully patched in certain non-default configurations (CVE-2021-45046). It also meant that the mitigation that was possible in Java 8u121 was ineffective (log4j2.noFormatMsgLookup=true). Log4j 2.16.0 has been issued and fully patches the zero day exploit. It is now recommend to skip version 2.15.0 and upgrade to Log4j 2.16.0 where possible.
Adobe Content Server does use the Log4j module, however, it uses Log4j version 1.2.12. This earlier version of Log4j predates the versions impacted and does not contain JNDI functionality. As a result, ACS is not affected by the Log4j zero day exploit; no changes to the package are required and no mitigation is needed.
Additional Sources:
CVE-2021-44228
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/
https://logging.apache.org/log4j/2.x/security.html
CVE-2021-45046