Participant

Answered

Coldfusion API Manager analytics service requires log4j-1.2.17.jar

Forum|Forum|10 months ago
April 8, 2025
3 replies
623 views

Is there any chance this will be updated in the future? I am getting a lot of heat from the security people because the scans keep coming back with log4j vulns.
The analytics service is using an old version of elasticsearch that requires log4j-1.2.17.jar
Does anyone know of anyway to not usre the analytics service and still run the API manager or know of any work arounds to use a new elastic search? I know we can remove the jndi classes and put some flags on the JVM but the security folks see the file and thats all they care about.

This is the case for both coldfusion 2021 api manager and coldfusion 2023 api manager

Example directory
C:\ColdFusion2023APIManager\database\analytics\lib

Correct answer ryanm2553848

For anyone fighting security scans and compliance

I ended up using reload4j jar as a replacement
https://reload4j.qos.ch/

Not perfect but has all the classes so the analytic service will start, they updated to handle the vulns and the scanners will not see log4j 1.2.17. So everyone is happy.

Submitted request for update

R

ryanm2553848AuthorCorrect answer

Participant

For anyone fighting security scans and compliance

I ended up using reload4j jar as a replacement
https://reload4j.qos.ch/

Not perfect but has all the classes so the analytic service will start, they updated to handle the vulns and the scanners will not see log4j 1.2.17. So everyone is happy.

Submitted request for update

BKBK

Community Expert

@ryanm2553848 , Thanks for the update.

It might not be enough to do just the reload4j replacement. Though that passes the security check, it might lead to application errors.

I shall give you an example to illustrate. ColdFusion 2023 includes these 2 Jars:

slf4j-api-1.7.12.jar
slf4j-log4j12-1.7.12.jar

ColdFusion 2025 contains the updated versions, which are, respectively,

slf4j-api.jar
slf4j-reload4j.jar

So, my suggestion is for you to contact the Adobe ColdFusion support team (cfsup[at]adobe.com) for advice on which Jars to use.

R

ryanm2553848Author

Participant

I referring specifically to the log4j file found here. This is with the latest Coldfusion 2025 API manager. They are still using an old version of elastic search. This is for all version 2021,2023 and 2025
"C:\ColdFusion2025APIManager\database\analytics\lib\log4j-1.2.17.jar"

BKBK

Community Expert

Suggestion: submit a Feature Request in Adobe Tracker, asking the ColdFusion team to upgrade the log4j libraries. It would help to substatiate your request with:

(1) a list of the libraries that require an upgrade;

(2) an account of the difficulties that the old libraries are causing you and your team.

Charlie Arehart

Community Expert

Well, you'll want to hear from Adobe, I'm sure.

Until then, note first that you don't necessarily NEED the analytics service feature of the api manager. That's an option during install. So do you know you do? If not, it can be uninstalled.

I'll assume you're also REALLY using the Api Manager feature, which is itself only an option--which I daresay most cf users don't use, and especially since it required a cf enterprise license, at least until cf2025 which no longer requires any cf license.

And have you confirmed that the 2025 version of the api manager doesn't solve your issue? I don't mean to say it will: I won't be surprised if only the name has changed otherwise in the 2025 and even 2023 version compared to the 2021 version.

Then as for the old log4j jar, it may be possible that you could just swap out more recent, secure ones. Maybe Adobe or someone else who's tried that will report. I have not explored it. There may also be some resource since that log4j debacle a few years ago where Adobe has documented how to make the api manager more secure in that regard, like they had for cf (before cf updates addressed it).

Sorry I don't have EXACTLY what you seek. If no one else does, I'll propose you consider asking in the still-wider online cf community. I list other options at cf411.com/cfsocialhelp.

/Charlie (troubleshooter, carehart. org)

R

ryanm2553848Author

Participant

Hey Charlie, (big fan btw)

The anayltics service and the datastore service are both required for the API manager service to start.
CF2025 API manager is also using the same version (just downloaded to check.)

Tried to swap out versions but all my attempts resulted in anayltics service unable to start.

API manager definitely isn't getting any love will most likely pivot away from it.

Charlie Arehart

Community Expert

First, thanks for the kind regards. And second: agh, you're right (about the API Manager needing both the other related services). My bad. The reason they are optional is if instead one were going to install either (or both) on a server OTHER than that where the API Manager service itself was being installed.

To that point, one slight possibility for you to consider would be if you might be allowed to install the Analytics service on a machine other than one where your folks are so concerned about this remaining log4j issue. It could be "offline" relative to the public internet (incoming and outgoing traffic): it would only need to allow traffic into it and back to the API Manager on the current server. But I appreciate that may seem merely "rearranging deck chairs on the titanic" (though I don't think it's quite as dire as when that anaology is usually used).

As for your attempt to swap out versions, I suppose you mean of hte log4j jars. Well, asking if you might clarify what you did precisely, I'll note that there's a difference in swapping out to "the very latest" log4j jars and swapping out to something "at least more updated than what it came with", which may well predate the whole log4j debacle form Christmas 2021. Also, do beware that when you say you "swap out" some jar, do beware that you can't just leave the old jars in place, renamed: Java doesn't care at all what a file is NAMED. If it's a jar, alongside others that can be loaded (meaning "in the classpath"), then Java can and will look at that jar file to see if it has the classes being loaded at a point in time.

All that said, this is something it would be best for Adobe to resolve (or ofrer a workaround). Before you give up, try emailing them directly at cfinstal@adobe.com. Sometimes they may have a solution they offer there but not here (mostly because the people there generally don't participate here, which is more community members helping each others--with Adobe popping in about 10% of the time.)

If you DO somehow get some other news andor resolution from such a direct email exchange, I sure hope you will pop back in here yourself to let folks know how it worked out.

/Charlie (troubleshooter, carehart. org)

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded