Adobe Connect User Community

#1 2021-12-14 12:04:54

Wade G

Log4Shell Vulnerability

Adobe Connect on-prem is vulnerable to CVE-2021-44228. See https://log4shell.com/ for more info on the exploit.

To exploit it all you need to do is put some exploitable code into the username box on the login page. The name box for guests coming into a meeting works too.

It can be mitigated by setting up system level environment variable of:

LOG4J_FORMAT_MSG_NO_LOOKUPS=true

and then rebooting the server or restarting all the Adobe Connect services.


#2 2021-12-14 17:58:20

Jorma_at_CoSo

Re: Log4Shell Vulnerability

Adobe did release a note on this fix for on-prem customers https://blogs.connectusers.com/connects … e-connect/

Thanks for sharing!


#3 2021-12-15 15:53:16

Wade G

Re: Log4Shell Vulnerability

A second vulnerability was found in Log4j yesterday: CVE-2021-45046.

On the security page for Log4j, Apache gives 3 ways to mitigate the issue:

  • Java 8 (or later) users should upgrade to release 2.16.0.

  • Users requiring Java 7 should upgrade to release 2.12.2 when it becomes available (work in progress, expected to be available soon).

  • Otherwise, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Until Adobe releases an update to Adobe Connect with log4j 2.16.0 or higher we'll have to use the 3rd method. Their example command is for Linux and won't work on Windows. To do that on Windows for Adobe Connect on each CPS server:

The commands listed below assume you have 7-zip installed in the default location of C:\Program Files\7-zip\ and Adobe Connect installed in C:\Connect\.

  1. Stop all the Adobe Connect services

  2. At an admin command prompt run this command:

    FOR /R C:\Connect %v IN (log4j-core-*.jar) DO "C:\Program Files\7-Zip\7z.exe" d "%v" org/apache/logging/log4j/core/lookup/JndiLookup.class

  3. Start all the Adobe Connect services

Alternatively you can save this text as a batch file (e.g. fix-log4j.bat) and run it as an administrator to stop all services, remove the JndiLookup.class, and start all the services again:

@ECHO OFF
ECHO Stopping services...
net stop ConnectPro
net stop CPTelephonyService
net stop AMSAdmin
net stop AMS

ECHO Removing JndiLookup...
FOR /R C:\Connect %%v IN (log4j-core-*.jar) DO "C:\Program Files\7-Zip\7z.exe" d "%%v" org/apache/logging/log4j/core/lookup/JndiLookup.class

ECHO Starting services...
net start AMS
net start AMSAdmin
net start CPTelephonyService
net start ConnectPro

ECHO Done!
timeout /t 60

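A cross-platform alternative to the 7-Zip loop in the post above, added here as an example and not part of the original post or of anything Adobe ships. It is in Python rather than a batch file because the standard zipfile module can both rewrite each jar without the JndiLookup entry and verify afterwards that no log4j-core jar under the tree still contains it, which the 7-Zip command does not report. The class path is the one Apache names; the C:\Connect-style directory layout it builds is a constructed stand-in with placeholder bytes in place of real bytecode. Run it with the Connect services stopped, as in the batch file, since Windows will not let the jar be replaced while a running JVM holds it open.

```python
"""Strip JndiLookup.class from every log4j-core-*.jar under a directory and
verify nothing is left behind. Added example; not Adobe's or the forum
poster's script. Uses only the Python standard library."""
import os
import shutil
import tempfile
import zipfile

# Entry named in Apache's mitigation; identical on Windows and Linux jars.
JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def find_log4j_core_jars(root):
    """Recurse like FOR /R and yield every log4j-core-*.jar path."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core-") and name.endswith(".jar"):
                yield os.path.join(dirpath, name)


def jar_entries(jar_path):
    """Entry names in a jar (a jar is a zip file)."""
    with zipfile.ZipFile(jar_path) as zf:
        return set(zf.namelist())


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class.

    zipfile cannot delete an entry in place, so every other entry is copied
    into a new archive which then atomically replaces the original.
    Returns True if the entry was removed, False if it was already absent."""
    if JNDI_ENTRY not in jar_entries(jar_path):
        return False
    tmp_path = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_ENTRY:
                continue
            # Passing the original ZipInfo keeps compression type and timestamp.
            dst.writestr(info, src.read(info))
    os.replace(tmp_path, jar_path)  # fails on Windows if a JVM holds the jar open
    return True


def remediate_tree(root):
    """Strip JndiLookup from all jars under root.

    Returns (modified, remaining): jars changed on this run, and jars that
    still contain the class afterwards (the post-check; should be empty)."""
    modified, remaining = [], []
    for jar in find_log4j_core_jars(root):
        if strip_jndi_lookup(jar):
            modified.append(jar)
        if JNDI_ENTRY in jar_entries(jar):
            remaining.append(jar)
    return modified, remaining


def build_fake_connect_tree(root):
    """Constructed sample tree (assumed layout, not the real Connect install):
    two log4j-core jars at different depths plus an unrelated log4j-api jar.
    Class bodies are placeholder bytes, not real bytecode."""
    lib = os.path.join(root, "appserv", "lib")
    nested = os.path.join(root, "ams", "modules", "lib")
    os.makedirs(lib)
    os.makedirs(nested)
    for jar in (os.path.join(lib, "log4j-core-2.14.1.jar"),
                os.path.join(nested, "log4j-core-2.13.3.jar")):
        with zipfile.ZipFile(jar, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr(JNDI_ENTRY, b"\xca\xfe\xba\xbe placeholder")
            zf.writestr("org/apache/logging/log4j/core/Logger.class",
                        b"\xca\xfe\xba\xbe placeholder")
    with zipfile.ZipFile(os.path.join(lib, "log4j-api-2.14.1.jar"), "w") as zf:
        zf.writestr("org/apache/logging/log4j/Logger.class", b"placeholder")


def demo():
    """Run the remediation twice over the constructed tree and report results."""
    root = tempfile.mkdtemp(prefix="connect-")
    try:
        build_fake_connect_tree(root)
        modified, remaining = remediate_tree(root)
        # Only JndiLookup may go; every other class must survive the rewrite.
        intact = all("org/apache/logging/log4j/core/Logger.class" in jar_entries(j)
                     for j in find_log4j_core_jars(root))
        # Second pass is a no-op, so the script is safe to re-run on every server.
        modified2, _remaining2 = remediate_tree(root)
        return {"modified": len(modified), "remaining": len(remaining),
                "intact": intact, "second_pass_modified": len(modified2)}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

On a real server replace the constructed tree with `remediate_tree(r"C:\Connect")` after stopping the services; a non-empty `remaining` list means a jar was skipped (typically because it was locked) and the mitigation is not complete on that host.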
