As you may have seen, in December 2021, two critical zero-day vulnerabilities were published for Apache Log4j (CVE-2021-44228 and CVE-2021-45046). Log4j is an open-source Java logging package developed by the Apache Software Foundation and is widely used across the technology industry.
Adirondack Solutions’ response to the situation
Adirondack Solutions is aware of, and has taken immediate action in response to, the Apache publication, including escalating detective controls and initiating emergency procedures to implement patches as they become available. At this time, we have not identified any indicators of compromise in our environment. Adirondack Solutions will continue to assess and monitor information as it becomes available and make decisions as appropriate.
None of Adirondack’s software has any dependency on log4j2, but log4j2 is used in ColdFusion 2018 and 2021. While we await the patches for those two versions (due to be released on 12/17/2021), we have implemented the mitigation strategies that Adobe has outlined at https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html, namely:
- Adding the -Dlog4j2.formatMsgNoLookups=true flag to the jvm.config
- Removing the org/apache/logging/log4j/core/lookup/JndiLookup.class from the log4j-core-2.x.jar file
We have also scanned for the vulnerability outside of ColdFusion across all of our servers, desktops, and laptops. The one additional occurrence was in JMeter (used for load testing), and was mitigated by removing the org/apache/logging/log4j/core/lookup/JndiLookup.class from the log4j-core-2.x.jar file associated with that application.
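The scan and the class-removal check described above can be automated. The following is an added example, not Adirondack Solutions' or Adobe's tooling: it walks a directory tree and reports every archive, including jars bundled inside WAR/EAR files, that still contains JndiLookup.class. The function names and the sample archives (built in a temporary directory) are constructed for illustration.

```python
import io
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")

def scan_archive(src, label, depth=0):
    """Return labels of archives (nested ones included) that still hold JndiLookup.class."""
    hits = []
    try:
        with zipfile.ZipFile(src) as zf:
            for name in zf.namelist():
                if name == JNDI_CLASS or name.endswith("/" + JNDI_CLASS):
                    hits.append(label)
                elif name.lower().endswith(ARCHIVE_EXTS) and depth < 4:
                    # jar bundled inside a WAR/EAR/fat jar: scan it in memory
                    hits += scan_archive(io.BytesIO(zf.read(name)), f"{label}!{name}", depth + 1)
    except (zipfile.BadZipFile, OSError, RuntimeError):
        pass  # corrupt, unreadable or encrypted archive: skipped, review by hand
    return hits

def scan_tree(root):
    """Scan every archive file found beneath root."""
    paths = [str(p) for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() in ARCHIVE_EXTS]
    return sorted(h for p in paths for h in scan_archive(p, p))

def make_jar(entries):  # in-memory zip from {entry name: bytes}, for the constructed sample
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample(root):
    """Constructed sample: unmitigated jar, mitigated jar, WAR bundling an unmitigated jar."""
    other = "org/apache/logging/log4j/core/Logger.class"
    bad = make_jar({JNDI_CLASS: b"stub", other: b"stub"})
    files = {"a-log4j-core-2.x.jar": bad, "b-log4j-core-2.x.jar": make_jar({other: b"stub"}),
             "app.war": make_jar({"WEB-INF/lib/log4j-core-2.x.jar": bad})}
    for fname, data in files.items():
        Path(root, fname).write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print("\n".join(scan_tree(tmp)))  # archives where JndiLookup.class is still present
```

Archives that cannot be opened are skipped without a report here, so an empty result only covers the archives that were readable.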
Adobe released their patches for ColdFusion 2018 and 2021 at approximately 9:30 am Eastern. The patches were immediately applied to impacted environments.
We are continuing to monitor information regarding this issue, and will update this site in the event of further developments.