Known Participant
March 21, 2022
Answered

Log4J 1.x Files...


So recently our security appliance started locating log4j 1.x files within many directories of ColdFusion.  Would it be safe to delete these files since CF2018u13 no longer uses them?

 

Example: <CF2018>\cfusion\jetty\lib\ext\log4j-1.2.17.jar

 

Thanks!

    Correct answer Charlie Arehart

    Well, that specific one would be safe to delete if you don't use or plan to use the cf "add on service", but as you allude to, that's not the only one to be concerned with. More in a moment. 

     

    First, that one in the cfusion/jetty folder supports the cf solr search engine and the pdf processing engine for cfhtmltopdf (new since cf11, and entirely UNRELATED to the older pdf processing engine supporting cfdocument). Both are known and controlled by the cf "add-on service". 

     

    Just beware that a future cf update you'd apply could lay that file back down. That's how cf updates work--they lay down all the files from prior updates, cumulatively.

     

    Note that we should STRONGLY hope that some FUTURE cf update--perhaps the NEXT one--may remove all vestiges of log4j1 that remain a) in that jetty folder (in cf2018 AND cf2021) as well as b) in the cfusion/lib folder (in cf2018 and earlier only).

     

    You don't mention the latter file, though you are on cf2018. To be clear, you MUST NOT remove that log4j1x jar in the cfusion/lib of cf2018 or earlier, otherwise the cf startup will have a severe error and while cf will "start", page processing will fail. Again, hopefully this will be fixed in a coming cf2018 update (cf2016 is no longer updated since Mar 2021.)

     

    Let us know if this suffices to answer your question. 

    /Charlie (troubleshooter, carehart. org)
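
A read-only inventory check based on the answer above, as an added example (not code from the thread or from Adobe): it lists log4j 1.x jars under a ColdFusion install root and attaches the answer's guidance according to where each jar sits. The file-name pattern, the `scan` and `classify` names, and treating only direct children of cfusion/lib as the jar CF needs at startup are assumptions.

```python
import re
import sys
from pathlib import Path

# Assumed naming: matches log4j-1.2.17.jar, but not the Log4j 2 bridge
# (log4j-1.2-api-2.x.jar) or log4j-core-2.x.jar.
LOG4J1_JAR = re.compile(r"^log4j-1\.\d+(\.\d+)*\.jar$", re.IGNORECASE)

ADDON = ("add-on service copy (Solr, cfhtmltopdf): removable only if the add-on "
         "service is unused; a later CF update may lay it back down")
KEEP = "do not remove on CF2018 or earlier: page processing fails without it"
REVIEW = "location not covered by the answer: review before touching"


def classify(rel_parts):
    """Map a jar's path parts (relative to the CF root) to the answer's guidance."""
    parts = [p.lower() for p in rel_parts]
    if parts[:2] == ["cfusion", "jetty"]:
        return ADDON
    # Assumption: only a jar directly inside cfusion/lib is the one CF loads.
    if parts[:2] == ["cfusion", "lib"] and len(parts) == 3:
        return KEEP
    return REVIEW


def scan(cf_root):
    """Return sorted (relative path, guidance) pairs for log4j 1.x jars."""
    root = Path(cf_root)
    findings = []
    for jar in root.rglob("*.jar"):
        if jar.is_file() and LOG4J1_JAR.match(jar.name):
            rel = jar.relative_to(root)
            findings.append((rel.as_posix(), classify(rel.parts)))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python scan_log4j1.py <CF install root>  (reports only, deletes nothing)
    for path, guidance in scan(sys.argv[1]):
        print(f"{path}\n    {guidance}")
```

Re-running it after each ColdFusion update shows whether the update restored a jar that had been removed.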
    Known Participant
    March 21, 2022

    Thanks for the reply Charlie.  

     

    It's good to know what the implications of removal would be.

    Other vendors are moving to getting rid of log4j 1.x completely (IBM/SAP).  Hopefully Adobe does the same.

    Charlie Arehart
    Community Expert
    March 21, 2022

    Glad to help, and yep, as I'd noted, "we should STRONGLY hope that some FUTURE cf update--perhaps the NEXT one--may remove all vestiges of log4j1 that remain". My hope is that such an update is due any day or week now, 3 months after the previous update (which had been an emergency one 3 months after the one before it). 

    /Charlie (troubleshooter, carehart. org)