Vulnerability in Java library Log4j - to what extent is AEM affected?
On December 9, the security vulnerability CVE-2021-4428: Analysis and Mitigations in the Apache log4J library was published on the Palo Alto Networks website. Since this library is used in most Java server applications, the German Federal Office for Information Security (BSI) ranked this vulnerability at the highest possible value of CVSS scale 10 and declared the highest warning level Red. These warnings also alarmed my colleagues over the weekend and prompted them to do some research. In this blog article, I will summarize the findings so far and explain to what extent Adobe Experience Manager (AEM) and applications based on it are affected and what could be possible first steps to reduce the risk.
Right at the beginning, the good news: Chris Parkerson from the Adobe Security Team writes in the Adobe Experience League forum that all AEM versions are not affected by the vulnerability. However, according to their own research, this apparently only applies to the OSGi versions. AEM Forms JEE seems to use the affected libraries at least in versions 6.4.x and also in the current 6.5.11 version.
The Apache underlying the AEM Dispatcher is also not affected by the vulnerability, as it is not implemented with Java.
Further, at this time, we cannot identify any threats to the following open source software products that we use in many projects:
- Adobe ACS Commons (https://github.com/Adobe-Consulting-Services/acs-aem-commons/security/advisories)
- WCM.io CA-Config (https://github.com/wcm-io/wcm-io-caconfig/security/advisories)
At eggs unimedia, we predominantly use the more modern slf4j logging framework (which is not affected by the vulnerability). However, we may rely on the logging framework provided by the application server, which in the case of AEM Forms JEE could be based on log4j and thus represent an attack vector. In this respect, we can only recommend to pay attention to corresponding publications of the server manufacturers.
For further information please contact your project team at eggs or Martin Brösamle. We will continue to monitor the situation and update the article with new findings.
Adobe Security Bulletin APSB21-103 for AEM, released on 12/14/2021, does not provide an improvement to the CVE-2021-4428: Analysis and Mitigations vulnerability in the Apache log4J library, according to Adobe documentation. However, the update should still be installed as it provides protection against several other attack vectors.
[Update 2, 15/12/2021]
Adobe has confirmed the vulnerability in AEM Forms JEE 6.3, 6.4 and 6.5: Mitigating Log4j2 vulnerability (CVE-2021-44228) for Experience Manager Forms. In the same article, Adobe recommends steps to mitigate the risk. The method recommended by Adobe is the absolutely most secure, but in our eyes also technically challenging.
[Update 3, 12/20/2021]
In the meantime, it has become apparent that the measures we originally recommended only protect against part of the attack vectors. We therefore strongly recommend removing the vulnerable classes from the log4j library, as suggested by Adobe in the Mitigating Log4j2 vulnerabilities (CVE-2021-44228 and CVE-2021-45046) for Experience Manager Forms post (adobe.com).
[Update 4, 12/21/2021] (THESE MEASSURES REPLACE THE RECOMMENDATIONS IN UPDATES 1-3)
Adobe has released Add-On Package 220.127.116.11 which, among other things, fixes the security vulnerability in the log4J library. Our recommendation is to install the upgrade. Further information on the service pack can be found in the Experience Manager 6.5 service pack release notes (search for 18.104.22.168 on the page). Those who have already performed mitigation do not necessarily need to install 22.214.171.124 (unless the other fixed bugs make the update necessary).