• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

CF 2021 Log4J Vulnerability Question

New Here ,
Dec 18, 2023 Dec 18, 2023

Copy link to clipboard

Copied

We are on CF21 with hotfix update 10 installed.

Our IT department runs security scans and the results are flagging these log4j files.

Some are in the recycle bin, installer folders, hot fix folders and others in JRE folder.

Question, can be deleted and which ones needs to remediated?

Thanks in advance.

 

 (F:\ColdFusion2021\cfusion\hf-updates\hf-2021-00005-330109\backup\lib\log4j-core-2.13.3.jar)

 (F:\$RECYCLE.BIN\S-1-5-21-2905054116-597314085-1704472974-66584\$RJBPHP9\backup\lib\log4j-core-2.13.3.jar)

 (F:\$RECYCLE.BIN\S-1-5-21-2905054116-597314085-1704472974-66584\$RJBPHP9\backup\jetty\lib\ext\log4j-1.2.17.jar)

 (F:\ColdFusion2021\cfusion\hf-updates\hf-2021-00005-330109\backup\jetty\lib\ext\log4j-1.2.17.jar)

 (D:\misc-installers\log4j-core-2.16.0.jar)

 

 (F:\ColdFusion2021\jre\lib\log4j-core-2.13.3.jar)

(F:\$RECYCLE.BIN\S-1-5-21-2905054116-597314085-1704472974-66584\$ROWNOOF\backup\lib\log4j-core-2.13.3.jar)

 (F:\$RECYCLE.BIN\S-1-5-21-2905054116-597314085-1704472974-66584\$R8V2DR3\backup\lib\log4j-core-2.13.3.jar)

 (F:\$RECYCLE.BIN\S-1-5-21-2905054116-597314085-1704472974-66584\$R8V2DR3\backup\jetty\lib\ext\log4j-1.2.17.jar)

 (F:\$RECYCLE.BIN\S-1-5-21-2905054116-597314085-1704472974-66584\$ROWNOOF\backup\jetty\lib\ext\log4j-1.2.17.jar)

 (F:\ColdFusion2021\jre\jetty\lib\ext\log4j-1.2.17.jar)

 

 (F:\ColdFusion2021\cfusion\hf-updates\hf-2021-00003-329779\backup\lib\log4j-core-2.13.3.jar)

 (F:\ColdFusion2021\cfusion\hf-updates\hf-2021-00005-330109\backup\lib\log4j-core-2.16.0.jar)

 (F:\ColdFusion2021\cfusion\hf-updates\hf-2021-00005-330109\backup\jetty\lib\ext\log4j-1.2.17.jar)

 

 (D:\ColdFusion2021\cfusion\lib\log4j-core-2.13.3.jar)

 (D:\ColdFusion2021\cfusion\jetty\lib\ext\log4j-1.2.17.jar)

 (F:\ColdFusion11\cfusion\lib\log4j-1.2.15.jar)

 (E:\ColdFusion11\cfusion\lib\log4j-1.2.16.jar)

 (E:\ColdFusion11\cfusion\lib\log4j-1.2.16.jar)

Views

243

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Guide ,
Dec 18, 2023 Dec 18, 2023

Copy link to clipboard

Copied

Hi Jeffrey,

 

I would start by emptying the recycle bin. CF11 is longtime EOL so uninstall if you are not using that. Patch up CF21 to current update 12. Delete some of the old "cfusion\hf-updates\hf-2021-" content unless you need to rollback. Scan again.

 

HTH. Carl.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Dec 19, 2023 Dec 19, 2023

Copy link to clipboard

Copied

Thanks, that handles most of them. Next question is regarding the remaining. What are they? Are they being used? What are my options? Will CF Hot Fix 12 handle these or will I need to take further action. And in the regards to CF11 files, can I just delete/move them? See below...

 

 (F:\ColdFusion2021\jre\lib\log4j-core-2.13.3.jar)

 (F:\ColdFusion2021\jre\jetty\lib\ext\log4j-1.2.17.jar)

 (D:\ColdFusion2021\cfusion\lib\log4j-core-2.13.3.jar)

 (D:\ColdFusion2021\cfusion\jetty\lib\ext\log4j-1.2.17.jar)

 (F:\ColdFusion11\cfusion\lib\log4j-1.2.15.jar)

 (E:\ColdFusion11\cfusion\lib\log4j-1.2.16.jar)

 

Thanks, Jeff

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Dec 19, 2023 Dec 19, 2023

Copy link to clipboard

Copied

LATEST

Like @carl type3 said, ColdFusion 11 is dead. Remove it and nuke the directories just to be sure. Beyond that, why do you have files on two different drives? Did you install the original CF 2021 on one, the other, or both?

 

The one in \jre\lib belongs to the JRE that may or may not be used by ColdFusion. I don't know whether CF is using it, but I don't think it's vulnerable to remote attacks. The one in \jre\jetty\lib\ext is also kind of questionable. I suspect you're not using that jetty one at all. The ones in \cfusion\lib and \cfusion\jetty\lib\ext are probably being used. The Jetty server should not be accessible to untrusted networks anyway, it's just used to run Solr and maybe some other stuff, which CF can talk to directly via localhost. You should be able to rely on basic network hygiene to take care of that - a local firewall, probably.

 

Dave Watts, Eidolon LLC

Dave Watts, Eidolon LLC

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation