Known Participant
May 24, 2022
Answered

Log4j1.2.x vulnerabilities in ColdFusion 2018 hf 14


We recently updated our ColdFusion 2018 servers to hotfix 14 in an attempt to remove all remaining instances of log4j1.2.x - this appeared to work, as the two remaining instances of those files were removed and replaced with an adapter for using log4j1 with log4j2. However, we just got a report from our IT team that log4j1.2.15 was still installed on our system - it appears as though the file cfusion/lib/cf-logging.jar is simply log4j1.2.15 (renamed and with the classes put in a coldfusion package). Has anyone run into this? Is this file something we can remove without breaking ColdFusion?


    2 replies

    Community Expert
    May 25, 2022

    This sounds unlikely to me, but not impossible. Anyway, you should be able to take that jar file and examine its manifest. The easiest way I've found to do this is copy it somewhere and rename it as a zip file, then unzip it.

     

    Dave Watts, Eidolon LLC

    BKBK
    Community Expert
    May 25, 2022
    quote

    This sounds unlikely to me, but not impossible. Anyway, you should be able to take that jar file and examine its manifest. The easiest way I've found to do this is copy it somewhere and rename it as a zip file, then unzip it.

     

    Dave Watts, Eidolon LLC


    By @Dave Watts

    @Dave Watts , that is what I immediately did. The content of the manifest is:

    Manifest-Version: 1.0
    Ant-Version: Apache Ant 1.9.2
    Created-By: 1.7.0_55-b13 (Oracle Corporation)
    
    Name: org/apache/log4j/
    Implementation-Title: log4j
    Implementation-Version: 1.2.15
    Implementation-Vendor: "Apache Software Foundation"
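
The manifest check discussed above can be run without renaming or unpacking the jar. This is an added example, not code from the thread or from Adobe: the function names, the marker class list and the `coldfusion/example/...` entry paths are assumptions, and the sample jar is constructed in memory from the manifest text quoted above.

```python
import io
import zipfile

# Assumed marker list: class files present in log4j 1.2.x. Matching on the path
# suffix also catches copies whose package prefix was relocated. The log4j 1-to-2
# bridge reuses some org.apache.log4j class names, so hits are leads to verify.
LOG4J1_MARKERS = ("log4j/Category.class", "log4j/net/JMSAppender.class",
                  "log4j/net/SocketServer.class")

def parse_manifest(text):
    """Return the manifest sections as dicts; the first is the main section."""
    # A line starting with one space continues the previous line.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    sections = []
    for block in unfolded.split("\n\n"):
        attrs = dict(ln.split(": ", 1) for ln in block.split("\n") if ": " in ln)
        if attrs:
            sections.append(attrs)
    return sections

def inspect_jar(jar):
    """jar is a path or file object; a jar is a zip, so no rename is needed."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        raw = zf.read("META-INF/MANIFEST.MF") if "META-INF/MANIFEST.MF" in names else b""
    claims = [(s.get("Name", "<main>"), s["Implementation-Title"],
               s.get("Implementation-Version", "?"))
              for s in parse_manifest(raw.decode("utf-8", "replace"))
              if "Implementation-Title" in s]
    hits = sorted(n for n in names if n.endswith(LOG4J1_MARKERS))
    return {"claims": claims, "log4j1_classes": hits}

def build_sample_jar():
    """Constructed sample: thread's manifest text plus hypothetical class paths."""
    manifest = ("Manifest-Version: 1.0\nAnt-Version: Apache Ant 1.9.2\n"
                "Created-By: 1.7.0_55-b13 (Oracle Corporation)\n\n"
                "Name: org/apache/log4j/\nImplementation-Title: log4j\n"
                "Implementation-Version: 1.2.15\n"
                'Implementation-Vendor: "Apache Software Foundation"\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("coldfusion/example/log4j/Category.class", b"")
        zf.writestr("coldfusion/example/log4j/net/JMSAppender.class", b"")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print(inspect_jar(build_sample_jar()))
```

Pass a real path such as a copy of `cfusion/lib/cf-logging.jar` to `inspect_jar` to get the same report for the file in question.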

    Community Expert
    May 25, 2022

    The OP should report this as a bug, then.

     

    Dave Watts, Eidolon LLC

    BKBK
    Community Expert
    Correct answer
    May 25, 2022

    Great find! I would suggest you report this as a ColdFusion bug. If you're short of time, just copy-paste the subject-line and description of your forum post.

    Known Participant
    May 25, 2022

    Thanks for the suggestion - it's logged here: https://tracker.adobe.com/#/view/CF-4213590