We are on CF21 with hotfix update 10 installed.
Our IT department runs security scans and the results are flagging these log4j files.
Some are in the recycle bin, installer folders, hot fix folders and others in the JRE folder.
Question: which ones can be deleted, and which ones need to be remediated?
Thanks in advance.
(F:\ColdFusion2021\cfusion\hf-updates\hf-2021-00005-330109\backup\lib\log4j-core-2.13.3.jar)
(F:\$RECYCLE.BIN\S-1-5-21-2905054116-597314085-1704472974-66584\$RJBPHP9\backup\lib\log4j-core-2.13.3.jar)
(F:\$RECYCLE.BIN\S-1-5-21-2905054116-597314085-1704472974-66584\$RJBPHP9\backup\jetty\lib\ext\log4j-1.2.17.jar)
(F:\ColdFusion2021\cfusion\hf-updates\hf-2021-00005-330109\backup\jetty\lib\ext\log4j-1.2.17.jar)
(D:\misc-installers\log4j-core-2.16.0.jar)
(F:\ColdFusion2021\jre\lib\log4j-core-2.13.3.jar)
(F:\$RECYCLE.BIN\S-1-5-21-2905054116-597314085-1704472974-66584\$ROWNOOF\backup\lib\log4j-core-2.13.3.jar)
(F:\$RECYCLE.BIN\S-1-5-21-2905054116-597314085-1704472974-66584\$R8V2DR3\backup\lib\log4j-core-2.13.3.jar)
(F:\$RECYCLE.BIN\S-1-5-21-2905054116-597314085-1704472974-66584\$R8V2DR3\backup\jetty\lib\ext\log4j-1.2.17.jar)
(F:\$RECYCLE.BIN\S-1-5-21-2905054116-597314085-1704472974-66584\$ROWNOOF\backup\jetty\lib\ext\log4j-1.2.17.jar)
(F:\ColdFusion2021\jre\jetty\lib\ext\log4j-1.2.17.jar)
(F:\ColdFusion2021\cfusion\hf-updates\hf-2021-00003-329779\backup\lib\log4j-core-2.13.3.jar)
(F:\ColdFusion2021\cfusion\hf-updates\hf-2021-00005-330109\backup\lib\log4j-core-2.16.0.jar)
(F:\ColdFusion2021\cfusion\hf-updates\hf-2021-00005-330109\backup\jetty\lib\ext\log4j-1.2.17.jar)
(D:\ColdFusion2021\cfusion\lib\log4j-core-2.13.3.jar)
(D:\ColdFusion2021\cfusion\jetty\lib\ext\log4j-1.2.17.jar)
(F:\ColdFusion11\cfusion\lib\log4j-1.2.15.jar)
(E:\ColdFusion11\cfusion\lib\log4j-1.2.16.jar)
(E:\ColdFusion11\cfusion\lib\log4j-1.2.16.jar)
Hi Jeffrey,
I would start by emptying the recycle bin. CF11 is longtime EOL, so uninstall it if you are not using it. Patch up CF21 to current update 12. Delete some of the old "cfusion\hf-updates\hf-2021-" content unless you need to roll back. Scan again.
HTH. Carl.
Thanks, that handles most of them. The next question is regarding the remaining ones. What are they? Are they being used? What are my options? Will CF Hot Fix 12 handle these, or will I need to take further action? And in regard to the CF11 files, can I just delete/move them? See below...
(F:\ColdFusion2021\jre\lib\log4j-core-2.13.3.jar)
(F:\ColdFusion2021\jre\jetty\lib\ext\log4j-1.2.17.jar)
(D:\ColdFusion2021\cfusion\lib\log4j-core-2.13.3.jar)
(D:\ColdFusion2021\cfusion\jetty\lib\ext\log4j-1.2.17.jar)
(F:\ColdFusion11\cfusion\lib\log4j-1.2.15.jar)
(E:\ColdFusion11\cfusion\lib\log4j-1.2.16.jar)
Thanks, Jeff
Like @carl type3 said, ColdFusion 11 is dead. Remove it and nuke the directories just to be sure. Beyond that, why do you have files on two different drives? Did you install the original CF 2021 on one, the other, or both?
The one in \jre\lib belongs to the JRE that may or may not be used by ColdFusion. I don't know whether CF is using it, but I don't think it's vulnerable to remote attacks. The one in \jre\jetty\lib\ext is also kind of questionable. I suspect you're not using that jetty one at all. The ones in \cfusion\lib and \cfusion\jetty\lib\ext are probably being used. The Jetty server should not be accessible to untrusted networks anyway, it's just used to run Solr and maybe some other stuff, which CF can talk to directly via localhost. You should be able to rely on basic network hygiene to take care of that - a local firewall, probably.
Dave Watts, Eidolon LLC
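
The location-based triage the replies describe, as an added example that is not part of any post in this thread: it de-duplicates scanner findings and groups each JAR by where it sits, attaching the action the replies suggest for that location. The bucket names, the rule order and the `(path) |` input shape are assumptions made for illustration; the sample paths are taken from the scan output quoted above.

```python
import re

# Ordered rules, first match wins. Bucket names are hypothetical; the actions
# paraphrase the advice given in the replies above.
RULES = [
    (r"\\\$RECYCLE\.BIN\\", "recycle-bin", "empty the recycle bin"),
    (r"\\ColdFusion11\\", "eol-cf11", "uninstall CF11 and remove its directories"),
    (r"\\hf-updates\\hf-[^\\]+\\backup\\", "hotfix-backup",
     "delete unless a rollback is still needed"),
    (r"\\ColdFusion2021\\jre\\", "bundled-jre",
     "confirm whether ColdFusion actually uses this JRE copy"),
    (r"\\cfusion\\jetty\\lib\\", "live-jetty",
     "update CF; keep Jetty unreachable from untrusted networks"),
    (r"\\cfusion\\lib\\", "live-cf", "update CF to the current update, then rescan"),
]
JAR_RE = re.compile(r"(log4j(?:-core)?)-(\d+(?:\.\d+)+)\.jar$", re.IGNORECASE)

# Constructed sample: scanner lines in the "(path) |" shape, paths from the thread.
FINDINGS = [
    r"(F:\ColdFusion2021\cfusion\hf-updates\hf-2021-00005-330109\backup\lib\log4j-core-2.13.3.jar) |",
    r"(F:\$RECYCLE.BIN\S-1-5-21-2905054116-597314085-1704472974-66584\$RJBPHP9\backup\lib\log4j-core-2.13.3.jar) |",
    r"(D:\misc-installers\log4j-core-2.16.0.jar) |",
    r"(F:\ColdFusion2021\jre\lib\log4j-core-2.13.3.jar) |",
    r"(D:\ColdFusion2021\cfusion\lib\log4j-core-2.13.3.jar) |",
    r"(D:\ColdFusion2021\cfusion\jetty\lib\ext\log4j-1.2.17.jar) |",
    r"(E:\ColdFusion11\cfusion\lib\log4j-1.2.16.jar) |",
    r"(E:\ColdFusion11\cfusion\lib\log4j-1.2.16.jar) |",  # duplicate, as in the scan
]

def classify(path):
    """Return (bucket, action) for one Windows path."""
    for pattern, bucket, action in RULES:
        if re.search(pattern, path, re.IGNORECASE):
            return bucket, action
    return "unclassified", "review manually"

def triage(lines):
    """Group de-duplicated findings by bucket as (artifact, version, path)."""
    seen, report = set(), {}
    for line in lines:
        path = line.strip(" \t|()")
        if not path or path.lower() in seen:  # Windows paths are case-insensitive
            continue
        seen.add(path.lower())
        m = JAR_RE.search(path)
        artifact, version = (m.group(1), m.group(2)) if m else (None, None)
        report.setdefault(classify(path)[0], []).append((artifact, version, path))
    return report

if __name__ == "__main__":
    for bucket, items in triage(FINDINGS).items():
        for artifact, version, path in items:
            print(f"{bucket:14} {artifact} {version}  {classify(path)[1]}\n    {path}")
```

Anything that lands in `unclassified`, such as the copy under `D:\misc-installers`, matches no location named in the replies and needs a manual decision.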