Participant
October 23, 2023
Question

cf-logging.jar remediation


We have updated to ColdFusion 2021 Hotfix 9 and our ITR team is flagging cf-logging.jar as a log4j vulnerability. I have been unable to find a clear answer to remediation actions or verbiage that this is a false positive that will satisfy our Cyber Security. Tenable plugin 156860.


    Vikram Kumar M
    Community Manager
    October 23, 2023

    Hi @CHRISTOPHER5FF6,

     

    Please install the latest update 11 on the server. You can remove the jar manually after installing the update 11.

     

    https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-update-11.html

     

    Thanks,

    Vikram

      

    Inspiring
    October 31, 2023

    Hi Vikram,

     

    Just to confirm, cfusion/lib/cf-logging.jar can be deleted manually after applying CF2021 Update 11, because it is no longer used? I realize I'm essentially repeating your reply, but I do see it still in the CF Server Java Class Path in the CF Admin Settings Summary page.

     

    Best regards,

    Mike.

    Charlie Arehart
    Community Expert
    November 1, 2023

    A few thoughts:

     

    1) For Mike, the file appears in that list simply because CF finds it as a jar in that cfusion/lib folder. If you do remove the file as Vikram proposes (which will require that CF be stopped), you will find that on restart it's no longer listed in that page. 

     

    I can also confirm I see it there (in that list and in that folder) either in a machine running CF2021 update 11 or on one running an earlier update.

     

    2) For Vikram, if it's that the file is no longer needed as of update 11, why didn't update 11 remove the file for us?

     

    (If anyone may wonder, I can confirm that in CF2023 as of update 5--released the same day as CF2021 update 11, there is no cf-logging.jar in either that folder or that list in the CF Admin.)

     

    3) Finally, this discussion about this "CF Server Java Class Path" section on that CF Setting Summary page seems really a misnomer: it's not showing "the" class path (a listing of folders, which is what a "class path" usually defines) but rather it's showing what files are found IN the folders named in that "path". As for what that "class path" is (including that cfusion/lib folder and others), I suspect the latter is the folders pointed to in the jvm.config as java.library.path. If Vikram or anyone could confirm, that might help some readers.

    /Charlie (troubleshooter, carehart. org)
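
An added example, not part of the thread and not Adobe's tooling: a Python check that can be run against the cfusion/lib folder before and after the jar is removed, listing which jars there bundle Log4j classes and what version their Maven metadata reports. It makes no assumption about what cf-logging.jar contains; the class and metadata paths are the upstream Log4j 1.x and 2.x layouts, and the function names are this example's own.

```python
import io
import sys
import zipfile
from pathlib import Path

# family -> (class path prefix, Maven metadata path), per the upstream Log4j jar layouts
FAMILIES = {
    "log4j-1.x": ("org/apache/log4j/", "META-INF/maven/log4j/log4j/pom.properties"),
    "log4j-2.x-core": ("org/apache/logging/log4j/core/",
                       "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"),
}
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def pom_version(zf, pom_path):
    """Read version= from Maven metadata; None when the jar does not carry it."""
    if pom_path not in zf.namelist():
        return None
    for line in zf.read(pom_path).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None

def inspect_jar(data, label, depth=0):
    """Return one finding per Log4j family bundled in this jar or in jars nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # unreadable archive: report nothing rather than guess
    findings = []
    with zf:
        names = zf.namelist()
        for family, (prefix, pom_path) in FAMILIES.items():
            if any(n.startswith(prefix) and n.endswith(".class") for n in names):
                findings.append({"jar": label, "family": family,
                                 "version": pom_version(zf, pom_path),
                                 "jndi_lookup": JNDI_LOOKUP in names})
        for n in names:
            if n.lower().endswith(".jar") and depth < 3:  # fat jars nest other jars
                findings += inspect_jar(zf.read(n), f"{label}!{n}", depth + 1)
    return findings

def scan_dir(lib_dir):
    """Inspect every *.jar file under lib_dir (for example the cfusion/lib folder)."""
    jars = sorted(p for p in Path(lib_dir).rglob("*.jar") if p.is_file())
    return [f for p in jars for f in inspect_jar(p.read_bytes(), str(p))]

if __name__ == "__main__":
    for finding in scan_dir(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

An empty result after the jar is removed and CF is restarted shows that no other jar in the scanned folder bundles these classes; a `version` of `None` means the jar has the classes but not the Maven metadata, so the version has to be established another way.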