<@U01EY27APNH> The CVE linked on the <Adobe securi...
# adobeb
bdw429s
05/10/2022, 6:05 PM@Mark Takata (Adobe) The CVE linked on the Adobe security bulletin appears to point to a DJango CVE (A Python library). Can you explain?
https://nvd.nist.gov/vuln/detail/CVE-2022-22818
bdw429s
05/10/2022, 6:05 PMNote, that wasn't directly linked to, I just googled the CVE number
m
Mark Takata (Adobe)
05/10/2022, 6:07 PM@saghosh can you take a look here? Thanks for the heads up Brad.
a
Adam Cameron
05/10/2022, 6:23 PM
@bdw429s yeah I did wonder about that. You had more luck finding a useful link for
CVE-2022-22818d
Dave Merrill
05/10/2022, 6:45 PMI think the punch line of that (ignorant me talking here) is this: https://cwe.mitre.org/data/definitions/79.html
That's a generic concern about incoming request data getting echoed back to the page.
b
bdw429s
05/10/2022, 7:22 PMCSS CVEs in CF usually are for the admin UI or for something like the CKEditor/CFAjax which are features that output HTML/JS to the client.
👍 1
bdw429s
05/10/2022, 7:23 PMAt first, I assumed this update was finally the removal of log4j 1.x (which Lucee has now released in their recent 5.3.9 stable version)
bdw429s
05/10/2022, 8:28 PMOh weird, this update does include log4j. It says that here
https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-update-4.html
but this page mentions nothing about it which is what I read first
https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-updates.html
bdw429s
05/10/2022, 8:29 PM@saghosh Maybe you can mention the Log4j and Tomcat updates in that second link
m
Mark Takata (Adobe)
05/10/2022, 9:22 PMI'm seeing that some folks are still seeing some log4j 1.x files though so I'm not sure what's up regarding that...
b
bdw429s
05/10/2022, 9:38 PMHopefully, if they are truly no longer in use, the fix will be to just manually remove them for now
bdw429s
05/11/2022, 11:04 PMI can confirm that deleting the Log4j 1.x jars from ACF 2018 renders the server unbootable
bdw429s
05/11/2022, 11:04 PMIt does appear they are still in use
bdw429s
05/11/2022, 11:04 PM Copy code
Error [main] - Unable to initialise Security service: java.lang.NoClassDefFoundError: org/apache/log4j/Logger
Information [main] - Unable to initialise CFStartupServlet:org/apache/log4j/Logger
[ERROR] coldfusion.server.ServiceFactory$ServiceNotAvailableException: The Runtime service is not available.a
Adam Cameron
05/11/2022, 11:08 PM
Yeah but Brad the server is not vulnerable any more mate. Mark did say this was just a security update.
b
bdw429s
05/11/2022, 11:09 PMI honestly can't tell if you're just being sarcastic or not...
😜 1
bdw429s
05/11/2022, 11:09 PMThe technote says log4j has been updated to version 2.17.2. So if that's not true, let's at least change the documentation so it matches reality.
bdw429s
05/11/2022, 11:10 PMI'm well aware of the existing mitigation Adobe has already done to the Log4j 1.x jars. I'm also well aware of my several government clients who don't care about that 🙂
m
Mark Takata (Adobe)
05/11/2022, 11:55 PMEscalating this.
Also, I always assume Adam is taking the piss basically in any post he does that mentions me. Keeps me from getting my feelings hurt. 😉
✅ 1
b
bdw429s
05/12/2022, 12:09 AMThanks for checking on it 👍
a
Adam Cameron
05/12/2022, 6:36 AM
#poesLaw
🙂 1
✅ 1
7 Views