dk22197913
December 21, 2021
Answered

Log4j vulnerability CVE-2021-45105 2.17.0


We patched our CF2021 server with update 3 to mitigate the issue in log4j so now we are on 2.16.0.

However, it appears 2.16.0 still contains the denial of service vulnerability (CVE-2021-45105) according to this document:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105

 

Is CF still vulnerable?

 

    This topic has been closed for replies.
    Correct answer: Charlie Arehart
    1 reply

    Charlie Arehart (Community Expert), Correct answer
    December 22, 2021

    Yes, but there is a solution for that.

     

    In the days after the release of CF2021 update 3 (and CF2018 update 13) on Dec 17, there was yet another Adobe technote released that addresses those vulns which remain in the log4j 2.16 jars implemented by that CF update, and the technote offers updated log4j 2.17 jars and instructions for dealing with things:

    https://helpx.adobe.com/coldfusion/kb/log4j-2-16-vulnerability-coldfusion.html 

     

    Update:  And on Jan 11, Adobe came out with a technote offering the still-more updated log4j 2.17.1 jars:

    https://helpx.adobe.com/coldfusion/kb/log4j-2-17-0-vulnerability-coldfusion.html 


    To be clear, folks should NOT just implement these new jars as "the fix" for the original log4j vuln. Again, these steps are to be done AFTER applying the update from Dec 17, as asked by the OP here.

    /Charlie (troubleshooter, carehart.org)
    Participant
    January 5, 2022

    Charlie,

    Thank you for pointing this additional info out. Curiously, there's a log4j-1.2.15.jar file in my fresh install of CF 2018. Any reason why that file needs to hang around? I tried removing it, but ended up having to add it back for CF to run.

    Charlie Arehart (Community Expert)
    January 6, 2022

    When you say "fresh install", do you mean literally just installed and not yet updated? Yes, there is that log4j 1.x jar in CF2018. And to be clear, update 13 of CF2018 MODIFIES that jar, to remove the unsafe class files in it.

     

    Yes, that means that scanning tools which only pay attention to the mere EXISTENCE of log4j 1.x files WILL still complain. If they were savvy enough to look for the vulnerable CLASSES within the jars, they would not flag it. (And yes, there are OTHER reasons folks should no longer be using log4j 1.x files given that that version is no longer supported.)

     

    But finally, no, as you found you can't just remove it from CF. It won't start (won't run CF templates). You COULD rename it, if someone was insistent. Things would still work.

     

    We need to wait for Adobe to update cf such that they REMOVE whatever is reliant on that. 

    /Charlie (troubleshooter, carehart.org)
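Two points in this thread are worth checking mechanically rather than by filename: the first answer says the log4j 2.x jars must be at 2.17.x (Adobe's later technote ships 2.17.1) to close CVE-2021-45105, and the last answer says a class-aware scanner should look inside the log4j 1.x jar for the unsafe classes rather than flag the jar's mere existence. The script below is an added example, not Adobe's code or anything Charlie posted. It reads each jar's own Maven `pom.properties` or `MANIFEST.MF` to get the version, compares 2.x jars against 2.17.1 (the threshold taken from the thread), and lists which of a small set of well-known vulnerable class files are actually present. The thread does not name the class files Adobe stripped; the two class names here (`JMSAppender` for log4j 1.x, `JndiLookup` for log4j 2.x) are my assumption of what a class-aware scanner would look for. The sample jars built by `build_jar` are constructed in memory purely so the script runs offline; they contain only metadata and empty class entries.

```python
"""Report log4j jar versions and the presence of known-vulnerable classes.

Added example for the ColdFusion thread above; not Adobe's tooling.
"""
import io
import re
import zipfile
from pathlib import Path

# Assumed watch list: class files whose PRESENCE inside a jar (not the jar's
# existence) is what a class-aware scanner should key on.
WATCHED_CLASSES = {
    "org/apache/log4j/net/JMSAppender.class": "log4j 1.x JMSAppender (CVE-2021-4104)",
    "org/apache/log4j/core/lookup/JndiLookup.class": "log4j 2.x JndiLookup (CVE-2021-44228)",
}

# CVE-2021-45105 (the DoS the question asks about) is fixed in code, not by
# removing a class, so only a version comparison distinguishes 2.16.0 from
# 2.17.x. The thread says Adobe's Jan 11 technote provides 2.17.1.
MIN_SAFE_2X = (2, 17, 1)


def parse_version(text):
    """'2.16.0' -> (2, 16, 0); qualifiers such as '-rc1' are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None


def jar_version(zf):
    """Version from META-INF/maven/**/pom.properties, else MANIFEST.MF."""
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return parse_version(line.split("=", 1)[1])
    if "META-INF/MANIFEST.MF" in zf.namelist():
        for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
            if line.startswith("Implementation-Version:"):
                return parse_version(line.split(":", 1)[1])
    return None


def inspect_jar(data):
    """Inspect one jar given as bytes; returns version, classes found, verdict."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = jar_version(zf)
    found = [desc for cls, desc in WATCHED_CLASSES.items() if cls in names]
    threshold = ".".join(map(str, MIN_SAFE_2X))
    if version is None:
        verdict = "unknown version"
    elif version[0] == 1:
        # The CF2018 update 13 case: jar still present, unsafe class gone.
        verdict = ("1.x with vulnerable class present" if found
                   else "1.x, vulnerable class removed (EOL, still replace it)")
    elif version < MIN_SAFE_2X:
        verdict = "2.x below %s (CVE-2021-45105 unresolved)" % threshold
    else:
        verdict = "2.x at or above %s" % threshold
    return {"version": version, "found": found, "verdict": verdict}


def scan_tree(root):
    """Inspect every *.jar under `root` whose filename mentions log4j."""
    return {str(p): inspect_jar(p.read_bytes())
            for p in Path(root).rglob("*.jar") if "log4j" in p.name.lower()}


def build_jar(version, classes, maven_path="org.apache.logging.log4j/log4j-core"):
    """Constructed sample jar (metadata plus empty class entries) for offline runs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/maven/%s/pom.properties" % maven_path,
                    "version=%s\n" % version)
        for cls in classes:
            zf.writestr(cls, b"")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {  # constructed, not real log4j builds
        "log4j-core-2.16.0.jar": build_jar("2.16.0", []),
        "log4j-core-2.17.1.jar": build_jar("2.17.1", []),
        "log4j-1.2.15.jar": build_jar("1.2.15", ["org/apache/log4j/net/JMSAppender.class"], "log4j/log4j"),
        "log4j-1.2.15-stripped.jar": build_jar("1.2.15", [], "log4j/log4j"),
    }
    for name, data in samples.items():
        r = inspect_jar(data)
        print("%-28s version=%s found=%s -> %s" % (name, r["version"], r["found"], r["verdict"]))
```

Point `scan_tree` at the ColdFusion `lib` directory to check a real install; a filename-only scanner would flag every entry it returns, whereas this reports the stripped 1.x jar and a 2.17.1 jar differently from a 2.16.0 jar or a 1.x jar with `JMSAppender` still inside.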