CVE-2021-44228 / Log4Shell Explained
On December 9th, a zero-day remote code execution vulnerability was revealed in Apache’s Log4J, a very common logging system used by developers of web and server applications based on Java and other programming languages. The vulnerability affects a broad range of services and applications on servers, such as ColdFusion and Solr, making it extremely dangerous—and the latest updates for those server applications urgent.
Who Is Impacted
Many companies and organizations worldwide were vulnerable to the exploit when it was revealed. Any application or server running an unpatched Apache log4j release in the range 2.0-beta9 <= log4j <= 2.14.1 is vulnerable.
The latest versions of ColdFusion 2018 and ColdFusion 2021 ship with Log4J 2.13.3, making them vulnerable.
What We've Done
Upon learning about the zero-day Log4J vulnerability on December 9th, we immediately began auditing our infrastructure for it. On the same day, we completed patching all of our Shared Servers to mitigate the vulnerability. In addition, we are blocking the common ports we have observed being targeted by attacks exploiting the log4j vulnerability.
For our ColdFusion 2018 and 2021 VPS customers, we've added the following argument to the jvm.config of your ColdFusion services. This ensures that your log4j library cannot be exploited via the Log4Shell vulnerability.
jvm.config argument: -Dlog4j2.formatMsgNoLookups=true
A backup of the jvm.config can be found in the ColdFusion "bin" directory with the name "jvm.configLog4JBAK".
For your server to mitigate the vulnerability with this jvm.config change, you'll need to restart the ColdFusion services on your VPS. Documentation on how to do this is available via the button below.
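The two checks described above, the affected version range under "Who Is Impacted" and the jvm.config mitigation under "What We've Done", can be verified from a shell on the server. The script below is an added example and is not code from the original advisory or from Adobe; it assumes ColdFusion's jvm.config keeps its JVM arguments on the `java.args=` line (the file's standard layout) and uses constructed sample config files with placeholder paths. One caveat worth checking before relying on the flag: Log4j honors `log4j2.formatMsgNoLookups` only from release 2.10 onward, which does cover the 2.13.3 that ColdFusion 2018 and 2021 ship, and upgrading log4j-core to a fixed release remains the complete remediation.

```shell
#!/bin/sh
# Added example (not from the original advisory): checks a log4j version
# string against the affected range quoted in the advisory
# (2.0-beta9 <= log4j <= 2.14.1) and checks whether a ColdFusion jvm.config
# carries the -Dlog4j2.formatMsgNoLookups=true mitigation on its java.args line.

# Returns 0 (true) when VERSION is inside the affected range, 1 otherwise.
log4j_version_affected() {
    v="$1"
    case "$v" in
        2.0-beta*)
            # Pre-release betas: only beta9 and later are in range.
            n="${v#2.0-beta}"
            [ "$n" -ge 9 ] 2>/dev/null
            return ;;
        2.0-rc*|2.0)
            # Release candidates sit between beta9 and 2.0 GA: in range.
            return 0 ;;
        *.*) ;;
        *) return 1 ;;   # no dotted version at all: cannot be in range
    esac
    major="${v%%.*}"
    rest="${v#*.}"
    minor="${rest%%.*}"
    case "$major$minor" in *[!0-9]*|"") return 1 ;; esac   # non-numeric parts
    # Every 2.x release up to and including 2.14.x is affected.
    [ "$major" -eq 2 ] && [ "$minor" -le 14 ]
}

# Returns 0 when FILE has the mitigation flag on its java.args line
# (the line ColdFusion reads JVM arguments from), 1 otherwise.
# NOTE: the flag is only honored by log4j 2.10 and later.
jvm_config_has_mitigation() {
    grep -E '^java\.args=.*-Dlog4j2\.formatMsgNoLookups=true' "$1" >/dev/null 2>&1
}

# Writes two constructed sample jvm.config files (placeholder paths, not a
# real installation) into a temp directory and prints that directory.
make_sample_configs() {
    dir=$(mktemp -d)
    printf '%s\n' 'java.home=/path/to/coldfusion/jre' \
        'java.args=-server -Xmx1024m -Dcoldfusion.home=/path/to/coldfusion' \
        > "$dir/unpatched.jvm.config"
    printf '%s\n' 'java.home=/path/to/coldfusion/jre' \
        'java.args=-server -Xmx1024m -Dlog4j2.formatMsgNoLookups=true -Dcoldfusion.home=/path/to/coldfusion' \
        > "$dir/patched.jvm.config"
    echo "$dir"
}

# Dry run over a few version strings and the constructed sample configs.
report() {
    for v in 1.2.17 2.0-beta8 2.0-beta9 2.13.3 2.14.1 2.15.0; do
        if log4j_version_affected "$v"; then
            echo "log4j $v: inside affected range"
        else
            echo "log4j $v: outside affected range"
        fi
    done
    d=$(make_sample_configs)
    for f in "$d"/*.jvm.config; do
        if jvm_config_has_mitigation "$f"; then
            echo "$(basename "$f"): formatMsgNoLookups mitigation present"
        else
            echo "$(basename "$f"): formatMsgNoLookups mitigation MISSING"
        fi
    done
    rm -rf "$d"
}

report
```

On a real VPS, point `jvm_config_has_mitigation` at the live jvm.config in the ColdFusion "bin" directory and compare it with the "jvm.configLog4JBAK" backup mentioned above; the version check can be fed the version string from the log4j-core jar's file name or manifest.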