blckburn77
Participant
December 2, 2022
Question

ColdFusion2018 Update 15 New Log4j issue


As of December 2, 2022, Tenable security scans are once again flagging ColdFusion with a Critical vulnerability, identifying the latest CF Update 15 (that we applied two weeks ago). States we had previously mitigated this issue, but is back. Has anyone else seen a vulnerability scan (of any level) identifying cf-logging.jar as using v. 1.2.15? (A logging library running on the remote host is no longer supported.)

 

Identifies:

[drive]:\ColdFusion2018\[cfinstance]\hf-updates\hf-2018-00015-330106\backup\lib\cf-logging.jar

 

I can only find posts about this vulnerability in posts from Jan 2022, where Adobe says they checked and they "weren't vulnerable".

 

I'm concerned because it is flagged as Critical and security teams will expect this to be mitigated.

 

 

 


    1 reply

    RaviShankar Chagnur
    Adobe Employee
    December 2, 2022

    Hello BlckBurn,

    We have taken care of the issue in the latest ColdFusion updates, and you can safely ignore the alerts.

    You can remove the cf-logging.jar file from the backup location, i.e., from the location below:

    \ColdFusion2018\[cfinstance]\hf-updates\hf-2018-00015-330106\backup\lib\cf-logging.jar

     

    Before applying the updates, ColdFusion will back up the files that will be modified, so you can remove the file from the backup directory.

    Regarding the version update of cf-logging.jar, we are planning to update the version in the new ColdFusion release, and based on that, we will be applying the changes to the existing ColdFusion version through the new updates post the release of the new version of ColdFusion.

     

    blckburn77
    Participant
    December 2, 2022

    Understood.  Thank you for the update.  Will look forward to this finally being wrapped up in the next update.

    RaviShankar Chagnur
    Adobe Employee
    December 2, 2022

    Hello Blckburn,

     

    Not in the next update of ColdFusion; it will be taken care of in the next ColdFusion release, i.e., ColdFusion 2023. Once the new version is released, it will be tested on the existing ColdFusion versions and will be fixed in the later updates of ColdFusion post the new ColdFusion 2023 release.
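
An added example, not part of the original thread and not Adobe's code: a Python inventory of every cf-logging.jar under an install root, separating hotfix backup copies (like the path the scan reported) from copies outside a backup folder, so the finding can be rechecked after the backup file is removed. The `cfusion` instance name, the live `lib` location, the manifest `Implementation-Version` lookup and the `constructed-live` version string are assumptions, and the demo tree is constructed.

```python
import tempfile
import zipfile
from pathlib import Path

JAR_NAME = "cf-logging.jar"  # file name from the scan finding in this thread

def jar_version(jar_path):
    """Implementation-Version from the jar manifest, or 'unknown' (assumed lookup)."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return "unknown"
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "implementation-version":
            return value.strip()
    return "unknown"

def is_update_backup(rel_parts):
    """True when the path lies under hf-updates/<hotfix>/backup/..."""
    parts = [p.lower() for p in rel_parts]
    return "hf-updates" in parts and "backup" in parts[parts.index("hf-updates") + 1:]

def inventory(root):
    """List every cf-logging.jar under root with its location class and version."""
    root = Path(root)
    rows = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name.lower() == JAR_NAME:
            rel = p.relative_to(root)
            rows.append({"path": rel.as_posix(), "backup": is_update_backup(rel.parts),
                         "version": jar_version(p)})
    return rows

def build_demo_tree(root):
    """Constructed sample layout: one live copy and one hotfix backup copy."""
    samples = {"cfusion/lib/cf-logging.jar": "constructed-live",  # assumed live path
               "cfusion/hf-updates/hf-2018-00015-330106/backup/lib/cf-logging.jar": "1.2.15"}
    for rel, version in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(target, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF",
                         f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        for row in inventory(tmp):
            kind = "update backup" if row["backup"] else "LIVE"
            print(f"{kind:13}  {row['version']:18}  {row['path']}")
```

Point `inventory()` at the real install root to see whether any copy outside an `hf-updates` backup folder remains for the scanner to flag.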