Log4J Vulnerability
We have applied patch 13 to our ColdFusion 2018 Sunapsis server. The two files below are still on the server and are in use by ColdFusion. Regarding the information below, should we now have the security issue resolved?
Thanks,
Lewis
I got more information about this. I had wrong information before. According to our lead developer, Tim, you will not be able to completely delete those files. sunapsis does not use those .jar files but ColdFusion *does* so they should not be deleted.
Per Tim:
Adobe is moving off of Log4J 1.2 for whatever the next update is.
ColdFusion has 2 different versions of Log4J. It has Log4J 1.2.x and Log4J 2.x. 2.x was upgraded to 2.17 in Update 13. 1.2.x was left alone but is still used.
You *could* unzip the .jar files and remove the specific class files and re-zip them, but you cannot delete the entire file.
Adobe on Log4J 1.2.x vulnerability: https://helpx.adobe.com/coldfusion/kb/log4j-1-2-15-vulnerability-coldfusion.html
He believes, according to that article, that updating to 13 resolves the problem, because your notes show the following for each .jar:
Path : C:\ColdFusion2018\cfusion\lib\log4j-1.2.15.jar
Version : 1.2.15
JMSAppender.class association : Not Found
JdbcAppender.class association : Not Found
JndiLookup.class association : Not Found
Method : log4j-core file search
Path : C:\ColdFusion2018\cfusion\jetty\lib\ext\log4j-1.2.17.jar
Version : 1.2.17
JMSAppender.class association : Found
JdbcAppender.class association : Not Found
JndiLookup.class association : Not Found
Method : log4j-core file search
Tim believes that means the specific classes within the .jar have been deleted. While the .jar is "in use," the offending classes within them have been deleted. But you might want to call Adobe for confirmation.
Kathy
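The check in the scan output above (look inside each log4j .jar for JMSAppender.class, JdbcAppender.class and JndiLookup.class) and the "unzip, remove the class files, re-zip" approach Tim mentions can both be done with a short script. The following is an added example written for this page; it is not code from the thread, from Adobe's update, or from sunapsis. A .jar is an ordinary zip archive, so the script reads the entry list to produce the same Found / Not Found report as the scan, and writes a copy of the jar with those entries removed. The helper build_sample_jar is an assumption made purely so the example runs offline: it fabricates a jar with empty placeholder .class entries under an org/apache/log4j/net/ path, whereas a real jar contains compiled bytecode. On a live server you would point scan_jar and strip_classes at the real paths (for example C:\ColdFusion2018\cfusion\jetty\lib\ext\log4j-1.2.17.jar), stop ColdFusion and keep a backup of the original jar before replacing it.

```python
"""Scan a log4j jar for the appender/lookup classes named in the thread, and
write a copy of the jar with those classes removed.

Added example for this page; not part of the original e-mails, Adobe's
ColdFusion update, or sunapsis.
"""
import os
import tempfile
import zipfile

# Class names the thread's scan checks for. JMSAppender and JdbcAppender
# are log4j 1.2.x classes; JndiLookup is the log4j 2.x lookup class.
SUSPECT_CLASSES = ("JMSAppender.class", "JdbcAppender.class", "JndiLookup.class")


def scan_jar(jar_path):
    """Return {class name: "Found" | "Not Found"}, mirroring the scan output."""
    with zipfile.ZipFile(jar_path) as zf:
        names = zf.namelist()
    report = {}
    for cls in SUSPECT_CLASSES:
        # Match the class at any package path inside the jar.
        hit = any(n == cls or n.endswith("/" + cls) for n in names)
        report[cls] = "Found" if hit else "Not Found"
    return report


def strip_classes(jar_path, out_path):
    """Copy jar_path to out_path without the suspect classes; return the removed entries.

    Everything else (manifest, other classes, resources) is copied unchanged,
    which is what keeps the jar usable by ColdFusion afterwards.
    """
    removed = []
    with zipfile.ZipFile(jar_path) as src, \
            zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if os.path.basename(info.filename) in SUSPECT_CLASSES:
                removed.append(info.filename)
                continue
            dst.writestr(info, src.read(info.filename))
    return removed


def build_sample_jar(path, include=SUSPECT_CLASSES):
    """Assumption/helper: construct a placeholder jar with empty .class entries.

    Real log4j jars hold compiled bytecode; this only exists so the example
    runs offline without a copy of log4j.
    """
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        # An unrelated class that must survive the stripping step.
        zf.writestr("org/apache/log4j/Logger.class", b"")
        for cls in include:
            zf.writestr("org/apache/log4j/net/" + cls, b"")
    return path


def demo():
    """Run scan -> strip -> rescan on a constructed jar that resembles the
    log4j-1.2.17.jar finding above (only JMSAppender.class present)."""
    with tempfile.TemporaryDirectory() as tmp:
        jar = build_sample_jar(os.path.join(tmp, "log4j-1.2.17.jar"),
                               include=("JMSAppender.class",))
        stripped = os.path.join(tmp, "log4j-1.2.17.stripped.jar")
        before = scan_jar(jar)
        removed = strip_classes(jar, stripped)
        after = scan_jar(stripped)
        with zipfile.ZipFile(stripped) as zf:
            kept = zf.namelist()
    return {"before": before, "removed": removed, "after": after, "kept": kept}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The report from scan_jar uses the same wording as the scan in the thread so the two can be compared line by line; a jar that still reports "Found" for JMSAppender.class, as the 1.2.17 jar above does, has not had that class removed yet.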
