Skip to main content
S
shruthit67832147
Participant
July 12, 2024
Question

Log4j Vulnerability reported on ColdFusion2016

  • July 12, 2024
  • 2 replies
  • 726 views

Hello,

We are using ColdFusion 2016 for our production server and the following vulnerablity has been reported. Currently we are on ColdFusion 2016 Update 11.

 

In the below installation locations the log4j versions are log4j-1.2.15 and log4j-1.2.17.

Security team is asking us to upgrade to latest log4j version i.e., log4j-core-2.23.1. Could you please help us here to remediate these vulnerabilities?

 

C:\ColdFusion2016\cfusion\lib\log4j-1.2.15.jar
C:\ColdFusion2016\cfusion\hf-updates\hf-2016-00011-314546\backup\jetty\lib\ext\log4j-1.2.17.jar
C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\plugins\org.apache.log4j_1.2.15\lib\log4j-1.2.15.jar
C:\ColdFusion2016\cfusion\jetty\lib\ext\log4j-1.2.17.jar

This topic has been closed for replies.

2 replies

BKBK
Community Expert
BKBKCommunity Expert
Community Expert
July 13, 2024

I think your question can be answered in one sentence. It is Dave's  

  • "I recommend moving to a supported version of CF"

 

Let me explain.

 

The Log4J vulnerability is the least of your problems. You will see in the list of ColdFusion's Common Vulnerabilities and Exposures (CVE) that ColdFusion 2016 Update 11 has some more serious CVEs besides. Can you and your team fix them?

 

No. Neither will Adobe. As you can see in Adobe's End-of-Life Matrix, ColdFusion 2016 has long passed its end-of-life. 

 

Share the information from both sites with your team. That should help in convincing the team to upgrade ColdFusion.

D
Community Expert
Dave WattsCommunity Expert
Community Expert
July 12, 2024

I don't think you can just upgrade Log4j in CF 2016. Hopefully, if you can update Log4j in CF 2016, someone will pipe up and say that! There are updates for CF 2018 and 2023 available, along with mitigation steps if you can't apply the updates:

https://community.adobe.com/t5/coldfusion-discussions/update-released-coldfusion-security-updates-for-log4j-vulnerability/td-p/12601706

 

I would (a) set up Adobe's recommended mitigation steps, and (b) disable Jetty if you aren't using the add-on services which include Apache Solr among other things. For the third file reference in your list, it looks like it was installed by a different Adobe application other than ColdFusion and you can probably remove it safely.

 

Finally, I recommend moving to a supported version of CF if CF 2016 is no longer supported.

 

Dave Watts, Eidolon LLC

Dave Watts, Eidolon LLC
Charlie Arehart
Community Expert
Charlie ArehartCommunity Expert
Community Expert
July 12, 2024

Echoing Dave's sentiments, I'll clarify his last point. As he may have meant to say, it's not "if cf2016 is no longer supported", but rather "AS it is no longer supported". It got its last updates in mid-2021, 5 years after it came out, which is Adobe's policy with all CF versions.

 

And that was also BEFORE the log4j blowup in Dec 2021 (a Christmas season ruined for many of us).

 

And while Adobe updated cf2021 and 2018 that month and in months to come, they did NOT offer any update for cf2016. It was not only because updates had ended for it, but a the time they confirmed it did not use the vulnerable log4j version but rather an older one. See this technote on the matter from that time.

 

Of course, being on an older log4j also meant that was a version which the log4j community itself no longer supported. And that's indeed its own issue, as you're now finding (and was soon acknowledged by many back then). 

 

But there was never any solution offered by Adobe (that I know of) which addressed how a cf2016 server could be updated to a later, supported log4j removing all known vulns.

 

For that, your only option will be to upgrade to CF2023. Adobe doesn't sell cf2021 or earlier. I know that's not what some want to hear, but it is what it is.

 

Here's good news on that front, though: I posted just this week a blog entry on a special deal to get cf2023 at 25% off for those on cf2018, 2016, or earlier, good through September. I also offer their links to my presentations on migrating to cf2023 from each previous version back to 9. See https://www.carehart.org/blog/client/index.cfm/2024/7/8/limited_time_upgrade_discount_to_CF2023_from_older_releases

 

I appreciate this will feel like someone throwing you a life preserver when your house is on fire. Or it's at least like someone saying "get out of the house", when instead you plan on staying as long as possible. Maybe someone else will have a better flame retardant for you, to really stretch the analogy. Or is it a simile? 🙂

 

Anyway, this is one more answer for you to consider. 

/Charlie (troubleshooter, carehart. org)
S
shruthit67832147Author
Participant
July 13, 2024

@Charlie Arehart Thank you Charlie for your insights on this query. Yes before i post this query, i gone thru this technical note https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html . They mentioned that "ColdFusion (2016 release) ships with Log4j 1.2, which is not impacted". Which means the two versions log4j-1.2.15 and log4j-1.2.17 are not vulnerable right?

Terms & ConditionsAccessibility statement
Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices