# adobe
b
@Mark Takata (Adobe) The CVE linked on the Adobe security bulletin appears to point to a Django CVE (a Python library). Can you explain? https://nvd.nist.gov/vuln/detail/CVE-2022-22818
Note, that wasn't directly linked to, I just googled the CVE number
m
@saghosh can you take a look here? Thanks for the heads up Brad.
a
@bdw429s yeah I did wonder about that. You had more luck finding a useful link for CVE-2022-22818 than I did.
d
I think the punch line of that (ignorant me talking here) is this: https://cwe.mitre.org/data/definitions/79.html That's a generic concern about incoming request data getting echoed back to the page.
b
CSS CVEs in CF usually are for the admin UI or for something like the CKEditor/CFAjax which are features that output HTML/JS to the client.
At first, I assumed this update was finally the removal of log4j 1.x (which Lucee has now released in their recent 5.3.9 stable version)
Oh weird, this update does include log4j. It says that here https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-update-4.html but this page mentions nothing about it which is what I read first https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-updates.html
@saghosh Maybe you can mention the Log4j and Tomcat updates in that second link
m
I'm seeing that some folks are still seeing some log4j 1.x files though so I'm not sure what's up regarding that...
b
Hopefully, if they are truly no longer in use, the fix will be to just manually remove them for now
I can confirm that deleting the Log4j 1.x jars from ACF 2018 renders the server unbootable
It does appear they are still in use
Error [main] - Unable to initialise Security service: java.lang.NoClassDefFoundError: org/apache/log4j/Logger
Information [main] - Unable to initialise CFStartupServlet:org/apache/log4j/Logger
[ERROR] coldfusion.server.ServiceFactory$ServiceNotAvailableException: The Runtime service is not available.
a
Yeah but Brad the server is not vulnerable any more mate. Mark did say this was just a security update.
b
I honestly can't tell if you're just being sarcastic or not...
The technote says log4j has been updated to version 2.17.2. So if that's not true, let's at least change the documentation so it matches reality.
I'm well aware of the existing mitigation Adobe has already done to the Log4j 1.x jars. I'm also well aware of my several government clients who don't care about that 🙂
m
Escalating this. Also, I always assume Adam is taking the piss basically in any post he does that mentions me. Keeps me from getting my feelings hurt. 😉
b
Thanks for checking on it 👍
a
#poesLaw