Mitigating Log4j2 vulnerabilities for Experience Manager Forms

Issue

Critical security vulnerabilities have been reported for Apache Log4j2, a popular logging library for Java-based applications. The following vulnerabilities have been analyzed:

Vulnerability, what's impacted, what's not impacted, and status:

  • CVE-2021-44228
    What's impacted:
      • Experience Manager 6.5 Forms on JEE (all versions from 6.5 GA to 6.5.11)
      • Experience Manager 6.4 Forms on JEE (all versions from 6.4 GA to 6.4.8)
      • Experience Manager 6.3 Forms on JEE (all versions from 6.3 GA to 6.3.3)
      • Experience Manager 6.5 Forms Designer
      • Experience Manager 6.4 Forms Designer
      • Automated Forms Conversion Service
      • Experience Manager Forms Workbench (all versions)
      • Experience Manager Forms on OSGi (all versions)
    Status: These have been fixed. See the Resolution section for fixes and mitigation steps.

  • CVE-2021-45046, CVE-2021-45105, CVE-2021-44832, CVE-2021-4104, CVE-2022-22963, CVE-2022-22965, CVE-2020-9488, CVE-2022-23307
    Status: No impact on any Experience Manager Forms release for out-of-the-box logging configurations. If you have any additional logging configurations, check these configurations for these vulnerabilities.
NOTE
AEM 6.5.13.0 Forms and earlier releases include both Log4j libraries (1.x and 2.17.1). The AEM Forms Log4j 1.x libraries in AEM 6.5.13.0 Forms and earlier releases are not part of the reported vulnerability, nor are they noted as vulnerable in the AEM Forms code scans performed by Adobe. However, all Log4j 1.x libraries are removed in the 6.5.14 release. For instructions to install AEM 6.5.14.0 or a later release, see the release notes.

Resolution

You can use one of the following methods to mitigate the risk of this vulnerability:

  • Install the latest service pack
  • Use manual mitigation steps

Install the latest service pack

CAUTION
If you have applied a hotfix on an Experience Manager Forms Service Pack 6.3.3.8 or Experience Manager Forms Service Pack 6.4.8.4 environment, do not install the service pack with the vulnerability fixes (listed below). Installing these service packs may overwrite the hotfix. Adobe recommends using the manual mitigation steps in such a scenario.
Release, version, and download link or user action:

  • Experience Manager 6.5 Forms on JEE: AEMForms-6.5.0-0038 (log4jv2.16). Download from Software Distribution.
  • Experience Manager 6.4 Forms on JEE: AEMForms-6.4.0-0027. Download from Software Distribution.
  • Experience Manager 6.3 Forms on JEE: AEMForms-6.3.0-0047. Download from Software Distribution.
  • Experience Manager 6.5 Forms Designer: AEM Forms Designer v650.019. Download from Software Distribution.
  • Experience Manager 6.4 Forms Designer: AEM Forms Designer v640.012. Download from Software Distribution.
  • Automated Forms Conversion Service: the mitigation steps were identified and the service was patched. There is no user action.

Use manual mitigation steps

To mitigate the issue, for Experience Manager 6.5 Forms (log4j-core version 2.10 and later), Experience Manager 6.4 Forms (log4j-core version earlier than 2.10), and Experience Manager 6.3 Forms (log4j-core version earlier than 2.10), perform the following steps:

  1. Shut down all the server instances and locators.

  2. Remove org/apache/logging/log4j/core/lookup/JndiLookup.class from the vulnerable log4j-core-2.xx.jar available at the following locations:

    • Deployable EAR:
      <FORMS_INSTALLATION_DIRECTORY>/configurationManager/export/adobe-livecycle-[jboss|weblogic|websphere].ear

    • GemFire or Geode locator:
      <FORMS_INSTALLATION_DIRECTORY>/lib/caching/lib

    To update the deployable EAR, depending on your operating system, use one of the following methods to remove JndiLookup.class from the vulnerable log4j-core-2.xx.jar:

    • (Linux with Oracle WebLogic or Red Hat JBoss): Run the following commands. Update the version and application server name before running them:

      # extract the vulnerable jar from the EAR (it sits under lib/ in the JBoss and WebLogic EARs)
      unzip adobe-livecycle-<weblogic|jboss>.ear lib/log4j-core-<version>.jar
      # delete the JNDI lookup class from the jar
      zip -d lib/log4j-core-<version>.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
      # write the modified jar back into the EAR
      zip -ru adobe-livecycle-<weblogic|jboss>.ear lib/log4j-core-<version>.jar

    • (Linux with IBM WebSphere): Run the following commands. Update the version before running them:

      # in the WebSphere EAR the jar sits at the archive root
      unzip adobe-livecycle-websphere.ear log4j-core-<version>.jar
      # delete the JNDI lookup class from the jar
      zip -d log4j-core-<version>.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
      # write the modified jar back into the EAR (same update step as for JBoss and WebLogic; the EAR is redeployed in step 4)
      zip -ru adobe-livecycle-websphere.ear log4j-core-<version>.jar

    • (Microsoft Windows): Use a GUI tool like 7-Zip to remove the class file.
  3. Repeat step 2 for each application server instance (node) and all locators (if more than one).

  4. After updating the jar, redeploy the modified EAR and restart all locator processes and server instances.

NOTE
  • Replace the original copy of the log4j-core-2.xx jar with the updated copy. No other changes are required.
  • When the configuration manager is run again, the contents of <FORMS_INSTALLATION_DIRECTORY>/configurationManager/export can be overwritten. To avoid redoing the above change each time this happens, update the jar in <FORMS_INSTALLATION_DIRECTORY>/deploy/adobe-core-[jboss|weblogic|websphere].ear. This ensures that the adobe-livecycle-[jboss|weblogic|websphere].ear produced by the configuration manager already has the updated log4j-core-2.xx jar.
  • Manual modifications to deployable artifacts can be overwritten on patching/upgrade. If this happens, reapply the procedure.
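As an added example (not Adobe's code), the following Python script performs step 2 on an EAR with the standard library's zipfile module and then verifies that JndiLookup.class is gone, which gives a scriptable check on Windows as well, where the page points you at a GUI tool. It goes beyond the page's commands by handling both the lib/ layout (JBoss, WebLogic) and the root-level layout (WebSphere); the sample EAR it builds is constructed inline and is not a real Adobe artifact.

```python
import io
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_CORE = re.compile(r"(^|/)log4j-core-[\w.\-]+\.jar$")  # lib/log4j-core-2.x.jar or a root-level jar


def strip_jndi_lookup(jar_bytes):
    """Rewrite a log4j-core jar without JndiLookup.class; returns (new_bytes, was_present)."""
    out, removed = io.BytesIO(), False
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name == JNDI_CLASS:
                removed = True  # drop the JNDI lookup plugin, the same effect as the advisory's zip -d
                continue
            dst.writestr(name, src.read(name))
    return out.getvalue(), removed


def mitigate_ear(ear_in, ear_out):
    """Copy ear_in to ear_out, patching every nested log4j-core jar; returns the jars patched."""
    patched = []
    with zipfile.ZipFile(ear_in) as src, zipfile.ZipFile(ear_out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = src.read(name)
            if LOG4J_CORE.search(name):
                data, removed = strip_jndi_lookup(data)
                if removed:
                    patched.append(name)
            dst.writestr(name, data)  # every other entry is copied unchanged
    return patched


def vulnerable_jars(ear_path):
    """Verification check: nested log4j-core jars that still carry JndiLookup.class."""
    with zipfile.ZipFile(ear_path) as ear:
        return [n for n in ear.namelist() if LOG4J_CORE.search(n)
                and JNDI_CLASS in zipfile.ZipFile(io.BytesIO(ear.read(n))).namelist()]


def demo():
    """Constructed sample EAR (not an Adobe artifact); returns (vulnerable before, patched, vulnerable after)."""
    with tempfile.TemporaryDirectory() as tmp:
        ear_in, ear_out = f"{tmp}/in.ear", f"{tmp}/out.ear"
        jar = io.BytesIO()
        with zipfile.ZipFile(jar, "w") as z:  # fake class bodies, not real bytecode
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
            z.writestr("org/apache/logging/log4j/core/Core.class", b"\xca\xfe\xba\xbe")
        with zipfile.ZipFile(ear_in, "w") as ear:
            ear.writestr("lib/log4j-core-2.14.1.jar", jar.getvalue())
        return vulnerable_jars(ear_in), mitigate_ear(ear_in, ear_out), vulnerable_jars(ear_out)
```

Run vulnerable_jars() against each EAR and locator jar after step 4 to confirm no log4j-core jar still contains the class.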

References

https://logging.apache.org/log4j/2.x/security.html

Who should I contact if I have additional questions or any issues in performing mitigation steps?

You can contact Adobe Support or raise a support ticket.
