Participant
December 27, 2021
Question

Log4j vulnerability on CF 2016


We are using CF2016, which uses log4j versions 1.2.15 and 1.2.17. I would like to confirm whether upgrading the Log4j jar to version 2.17 is still required. Also, if we upgrade the jar file to 2.17, will that be compatible with CF2016?

    This topic has been closed for replies.

    1 reply

    BKBK
    Community Expert
    December 27, 2021

    No, I don't think you have to upgrade from log4j 1.2.x to log4j 2.17. The upgrade to log4j 2.17 is intended for log4j versions 2.x, where x ranges from 9 to 16.

     

    But you don't have to take my word for it. To set your mind at ease, go to the following page and scroll to the section on ColdFusion 2016: https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html. There you will read, "ColdFusion (2016 release) ships with Log4j 1.2, which is not impacted." 🙂

    Inspiring
    December 29, 2021

    This is fine and good, but network scanners are now detecting Log4j 1.x as vulnerable, requiring an update to Log4j 2.17 or newer. Is there anything that can be done with ColdFusion 2016?

    BKBK
    Community Expert
    December 29, 2021

    Mail your question to Adobe: cfinstal|at|adobe.com