altascene
January 31, 2022
Question

ColdFusion Add-on Services and Log4j

  • January 31, 2022
  • 1 reply
  • 131 views

As part of the ongoing Log4j vulnerability remediation, I found, on one of our dev servers, where we have also installed ColdFusion Add-on Services, yet another copy of Log4j (log4j-1.2.17.jar), in x:\ColdFusionAdd-onServices\lib\ext.  Unlike the other copies on this system, the date stamp for this file was not updated by the installation of U13.  I do not see this copy of the jar file discussed in any of the remediation documentation, nor do I see anything listed on the ColdFusion Support Center Downloads page.  Please provide direction on whether or not this copy is a security risk and, if it is, how to address it.
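The inventory step described in the question (finding every copy of a log4j jar on a host and deciding which line it belongs to) is easy to automate. The script below is an added example, not code from the thread, Adobe, or ColdFusion: it walks a directory tree, opens each `log4j*.jar`, reads the version from the manifest (falling back to the filename), and reports whether the jar still contains `JndiLookup.class` (the Log4j 2 core class that Apache's Log4Shell guidance says to remove) or `JMSAppender.class` (the Log4j 1.x class behind that line's separate, end-of-life issue). The install tree it scans is constructed in a temp directory to mirror the `ColdFusionAdd-onServices\lib\ext` layout from the question; the second jar, its path and its `2.0.0` version are sample values, not anything found on a real ColdFusion system.

```python
import os
import re
import tempfile
import zipfile

# Log4j 2 core class whose presence means the Log4Shell class-removal mitigation
# has not been applied to this jar (fact: this is the class Apache's advisory names).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Log4j 1.x marker class; the 1.x line is end-of-life and has its own JMSAppender issue.
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"

JAR_NAME = re.compile(r"log4j.*\.jar$", re.IGNORECASE)


def manifest_version(zf):
    """Pull a version string out of META-INF/MANIFEST.MF, if the jar carries one."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for key in ("Implementation-Version", "Bundle-Version"):
        m = re.search(rf"^{key}:\s*(\S+)", text, re.MULTILINE)
        if m:
            return m.group(1)
    return None


def inspect_jar(path):
    """Describe one log4j jar: version, major line, and the classes worth knowing about."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = manifest_version(zf)
    if version is None:
        # No manifest version: fall back to the version embedded in the filename.
        m = re.search(r"(\d+\.\d+(?:\.\d+)?)", os.path.basename(path))
        version = m.group(1) if m else "unknown"
    major = version.split(".")[0]
    return {
        "path": path,
        "version": version,
        "line": {"1": "1.x", "2": "2.x"}.get(major, "unknown"),
        "has_jndi_lookup": JNDI_LOOKUP in names,
        "has_jms_appender": JMS_APPENDER in names,
    }


def find_log4j_jars(root):
    """Walk root and inspect every jar whose name starts with log4j."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if JAR_NAME.search(f):
                found.append(inspect_jar(os.path.join(dirpath, f)))
    return sorted(found, key=lambda r: r["path"])


def _make_jar(path, version, classes):
    """Constructed sample jar for the demo; not a real log4j artifact."""
    with zipfile.ZipFile(path, "w") as zf:
        if version is not None:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        for c in classes:
            zf.writestr(c, b"")


def demo():
    """Build a constructed install tree mirroring the question's layout and scan it."""
    root = tempfile.mkdtemp(prefix="cf-log4j-demo-")
    ext = os.path.join(root, "ColdFusionAdd-onServices", "lib", "ext")
    other = os.path.join(root, "other-app", "lib")  # hypothetical second location
    os.makedirs(ext)
    os.makedirs(other)
    # The 1.2.17 jar from the question, with a manifest and the 1.x appender class.
    _make_jar(os.path.join(ext, "log4j-1.2.17.jar"), "1.2.17", [JMS_APPENDER])
    # A sample 2.x core jar with no manifest (exercises the filename fallback) and
    # with JndiLookup.class already removed.
    _make_jar(os.path.join(other, "log4j-core-2.0.0.jar"), None, [])
    return find_log4j_jars(root)


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Run it against a real install root instead of `demo()` (for example `find_log4j_jars(r"x:\ColdFusionAdd-onServices")`) to get the same report for every copy on the box; a 1.x entry is a separate decision from a 2.x one, since the Log4Shell fixes only apply to the 2.x line.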

    This topic has been closed for replies.

    1 reply

    Community Expert
    January 31, 2022

    I'd guess that this is not a security risk for outside attackers. The stuff in that directory is for CF's add-on services, which are (usually) not exposed to the outside world. I suspect it's for the Jetty application server used to run all that stuff, and again that shouldn't be exposed to anyone. But who can say for sure? In the absence of that information, I'd recommend you block incoming traffic from the outside world to the ports used by Jetty, and that'll block requests for it.


    Dave Watts, Eidolon LLC

    altascene (Author)
    January 31, 2022

    Dave,

    Thanks for your quick reply, and insight into the situation.


    Adobe ColdFusion Product Team, I would rather all the copies of this file in use on my system(s) be the same version.