#adobe

bdw429s

05/10/2022, 6:05 PM
@Mark Takata (Adobe) The CVE linked on the Adobe security bulletin appears to point to a Django CVE (a Python library). Can you explain? https://nvd.nist.gov/vuln/detail/CVE-2022-22818
Note, that wasn't directly linked to; I just googled the CVE number.

Mark Takata (Adobe)

05/10/2022, 6:07 PM
@saghosh can you take a look here? Thanks for the heads up Brad.

Adam Cameron

05/10/2022, 6:23 PM
@bdw429s yeah I did wonder about that. You had more luck finding a useful link for CVE-2022-22818 than I did.

Dave Merrill

05/10/2022, 6:45 PM
I think the punch line of that (ignorant me talking here) is this: https://cwe.mitre.org/data/definitions/79.html That's a generic concern about incoming request data getting echoed back to the page.

bdw429s

05/10/2022, 7:22 PM
CSS CVEs in CF usually are for the admin UI or for something like the CKEditor/CFAjax which are features that output HTML/JS to the client.
At first, I assumed this update was finally the removal of log4j 1.x (which Lucee has now released in their recent 5.3.9 stable version)
Oh weird, this update does include log4j. It says that here https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-update-4.html but this page, which is what I read first, mentions nothing about it: https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-updates.html
@saghosh Maybe you can mention the Log4j and Tomcat updates in that second link

Mark Takata (Adobe)

05/10/2022, 9:22 PM
I'm seeing that some folks are still seeing some log4j 1.x files though so I'm not sure what's up regarding that...

bdw429s

05/10/2022, 9:38 PM
Hopefully, if they are truly no longer in use, the fix will be to just manually remove them for now
I can confirm that deleting the Log4j 1.x jars from ACF 2018 renders the server unbootable
It does appear they are still in use
Error [main] - Unable to initialise Security service: java.lang.NoClassDefFoundError: org/apache/log4j/Logger
Information [main] - Unable to initialise CFStartupServlet:org/apache/log4j/Logger
[ERROR] coldfusion.server.ServiceFactory$ServiceNotAvailableException: The Runtime service is not available.

Adam Cameron

05/11/2022, 11:08 PM
Yeah but Brad the server is not vulnerable any more mate. Mark did say this was just a security update.

bdw429s

05/11/2022, 11:09 PM
I honestly can't tell if you're just being sarcastic or not...
The technote says log4j has been updated to version 2.17.2. So if that's not true, let's at least change the documentation so it matches reality.
I'm well aware of the existing mitigation Adobe has already done to the Log4j 1.x jars. I'm also well aware of my several government clients who don't care about that 🙂

Mark Takata (Adobe)

05/11/2022, 11:55 PM
Escalating this. Also, I always assume Adam is taking the piss basically in any post he does that mentions me. Keeps me from getting my feelings hurt. 😉

bdw429s

05/12/2022, 12:09 AM
Thanks for checking on it 👍

Adam Cameron

05/12/2022, 6:36 AM
#poesLaw