Skip to main content
J
Jeffrey34336581ikhp
Participant
December 18, 2023
Question

CF 2021 Log4J Vulnerability Question

  • December 18, 2023
  • 1 reply
  • 419 views

We are on CF21 with hotfix update 10 installed.

Our IT department runs security scans and the results are flagging these log4j files.

Some are in the recycle bin, installer folders, hot fix folders and others in JRE folder.

Question, can be deleted and which ones needs to remediated?

Thanks in advance.

 

 (F:\ColdFusion2021\cfusion\hf-updates\hf-2021-00005-330109\backup\lib\log4j-core-2.13.3.jar)

 (F:\$RECYCLE.BIN\S-1-5-21-2905054116-597314085-1704472974-66584\$RJBPHP9\backup\lib\log4j-core-2.13.3.jar)

 (F:\$RECYCLE.BIN\S-1-5-21-2905054116-597314085-1704472974-66584\$RJBPHP9\backup\jetty\lib\ext\log4j-1.2.17.jar)

 (F:\ColdFusion2021\cfusion\hf-updates\hf-2021-00005-330109\backup\jetty\lib\ext\log4j-1.2.17.jar)

 (D:\misc-installers\log4j-core-2.16.0.jar)

 

 (F:\ColdFusion2021\jre\lib\log4j-core-2.13.3.jar)

(F:\$RECYCLE.BIN\S-1-5-21-2905054116-597314085-1704472974-66584\$ROWNOOF\backup\lib\log4j-core-2.13.3.jar)

 (F:\$RECYCLE.BIN\S-1-5-21-2905054116-597314085-1704472974-66584\$R8V2DR3\backup\lib\log4j-core-2.13.3.jar)

 (F:\$RECYCLE.BIN\S-1-5-21-2905054116-597314085-1704472974-66584\$R8V2DR3\backup\jetty\lib\ext\log4j-1.2.17.jar)

 (F:\$RECYCLE.BIN\S-1-5-21-2905054116-597314085-1704472974-66584\$ROWNOOF\backup\jetty\lib\ext\log4j-1.2.17.jar)

 (F:\ColdFusion2021\jre\jetty\lib\ext\log4j-1.2.17.jar)

 

 (F:\ColdFusion2021\cfusion\hf-updates\hf-2021-00003-329779\backup\lib\log4j-core-2.13.3.jar)

 (F:\ColdFusion2021\cfusion\hf-updates\hf-2021-00005-330109\backup\lib\log4j-core-2.16.0.jar)

 (F:\ColdFusion2021\cfusion\hf-updates\hf-2021-00005-330109\backup\jetty\lib\ext\log4j-1.2.17.jar)

 

 (D:\ColdFusion2021\cfusion\lib\log4j-core-2.13.3.jar)

 (D:\ColdFusion2021\cfusion\jetty\lib\ext\log4j-1.2.17.jar)

 (F:\ColdFusion11\cfusion\lib\log4j-1.2.15.jar)

 (E:\ColdFusion11\cfusion\lib\log4j-1.2.16.jar)

 (E:\ColdFusion11\cfusion\lib\log4j-1.2.16.jar)

    This topic has been closed for replies.

    1 reply

    C
    carl type3
    Legend
    December 18, 2023

    Hi Jeffrey,

     

    I would start by emptying the recycle bin. CF11 is longtime EOL so uninstall if you are not using that. Patch up CF21 to current update 12. Delete some of the old "cfusion\hf-updates\hf-2021-" content unless you need to rollback. Scan again.

     

    HTH. Carl.

    J
    Jeffrey34336581ikhpAuthor
    Participant
    December 19, 2023

    Thanks, that handles most of them. Next question is regarding the remaining. What are they? Are they being used? What are my options? Will CF Hot Fix 12 handle these or will I need to take further action. And in the regards to CF11 files, can I just delete/move them? See below...

     

     (F:\ColdFusion2021\jre\lib\log4j-core-2.13.3.jar)

     (F:\ColdFusion2021\jre\jetty\lib\ext\log4j-1.2.17.jar)

     (D:\ColdFusion2021\cfusion\lib\log4j-core-2.13.3.jar)

     (D:\ColdFusion2021\cfusion\jetty\lib\ext\log4j-1.2.17.jar)

     (F:\ColdFusion11\cfusion\lib\log4j-1.2.15.jar)

     (E:\ColdFusion11\cfusion\lib\log4j-1.2.16.jar)

     

    Thanks, Jeff

    D
    Community Expert
    Dave WattsCommunity Expert
    Community Expert
    December 19, 2023

    Like @carl type3 said, ColdFusion 11 is dead. Remove it and nuke the directories just to be sure. Beyond that, why do you have files on two different drives? Did you install the original CF 2021 on one, the other, or both?

     

    The one in \jre\lib belongs to the JRE that may or may not be used by ColdFusion. I don't know whether CF is using it, but I don't think it's vulnerable to remote attacks. The one in \jre\jetty\lib\ext is also kind of questionable. I suspect you're not using that jetty one at all. The ones in \cfusion\lib and \cfusion\jetty\lib\ext are probably being used. The Jetty server should not be accessible to untrusted networks anyway, it's just used to run Solr and maybe some other stuff, which CF can talk to directly via localhost. You should be able to rely on basic network hygiene to take care of that - a local firewall, probably.

     

    Dave Watts, Eidolon LLC

    Dave Watts, Eidolon LLC
    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices