
ColdFusion and Log4J Vulnerability

Adobe Employee, Dec 14, 2021

Adobe engineering and security have been hard at work determining which versions of ColdFusion might be affected and what, if any, workaround/mitigation steps are available.

 

For the mitigation steps, see Log4J vulnerability on ColdFusion. It will be updated if/as things change. This article contains information related to ColdFusion 2021, ColdFusion 2018 as well as ColdFusion 2016. There are also sections concerning the Performance Monitoring Toolset for 2021/2018 and API Manager.

 

We shall be releasing a patch on 12/17 for the same. In the meantime, follow the steps mentioned in the document. If you need more information, please contact us or reply in this thread.

TOPICS
Security

New Here, Dec 17, 2021

Can you provide any insight into where one would look for this patch when it does become available?

 

Community Expert, Dec 17, 2021

I was writing the below when news literally broke of the updates being released:

 

https://coldfusion.adobe.com/2021/12/update-coldfusion-security-updates-log4j-vulnerability/

 

I'll leave the rest I'd written, for future reference... 

 

The best places may be where we should typically be told of ANY new cf updates:

  • The cf admin, and its updates page
  • The cf updates web pages. Just Google: coldfusion updates to find the pages for each cf version which list all updates (of course, only Cf2021 and 2018 get any more, currently)

 

To be clear, it's expected that the update for this vuln will indeed be in the form of other cf updates. 

 

Separately, this vuln being the lead news that it is, we can also expect release of that update to be indicated in:

  • The technote page on the vuln listed above
  • As well as either a comment in or update to this post, or a new post here in this forum

 

Then there's also the Adobe PSIRT team's email notification service for security updates to any Adobe product.

 

Then certainly the cf community will share news of it, in the forums (there's another very active post on this issue in these forums), in the cf portal (coldfusion.adobe.com) which also has discussions of it, and finally Pete Freitag's blog post and services, both pointed to in the other resources.

 

And as a starting point, I have a blog post that pointed to all the above. See 

 

https://coldfusion.adobe.com/2021/12/dealing-recent-log4j-vulnerability-adobe-releases-update/

 

But I know you wanted to know the "official place" to watch, and that's the first two above.


/Charlie (troubleshooter, carehart.org)

Adobe Employee, Dec 17, 2021

We have just released an update today to fix the vulnerability.

https://community.adobe.com/t5/coldfusion-discussions/update-released-coldfusion-security-updates-fo...

Please update CF and let us know your thoughts.

Explorer, Dec 17, 2021

I just deployed this through the CFAdmin Updates Page.  I performed a manual update, and it worked as expected.  It's like Christmas morning, and I got the Red Ryder BB Gun (...not the Pink Bunny PJs...)!

Community Expert, Dec 22, 2021

Folks reading this post here should note that in the days after the release of those updates on Dec 17 (discussed in the technote linked to above), there was yet another Adobe technote released that addresses the vulns which remain in log4j 2.16 jars implemented by that CF update, and the technote offers updated log4j 2.17 jars and instructions for dealing with things:

 

https://helpx.adobe.com/coldfusion/kb/log4j-2-16-vulnerability-coldfusion.html 

 

To be clear, you should NOT just implement these new jars as "the fix" for the original log4j vuln. Again, these steps are to be done AFTER applying the update from Dec 17.


/Charlie (troubleshooter, carehart.org)

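The Dec 22 post above is a two-step procedure: apply the Dec 17 update, then swap the log4j 2.16 jars it ships for the 2.17 jars from the second technote. An added example (not Adobe's code, and not Charlie's) of how an administrator can verify the result: a Python inventory script that walks an install root, reads the version of every `log4j-core` jar it finds (from the Maven `pom.properties` inside the jar, falling back to the file name, since a renamed jar can hide an old version), and flags anything below 2.17. The directory layout, the jar names and the `scan_for_log4j` / `build_sample_install` functions are assumptions for the example; the sample install tree is constructed in a temporary directory and is not a real ColdFusion layout.

```python
"""Inventory log4j-core jars under an install root and flag those below 2.17.

Added example, not Adobe's code. The directory layout and the function names
are assumptions; point scan_for_log4j() at the real install root in practice.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# The Dec 22 technote replaces the 2.16 jars from the Dec 17 update with 2.17
# jars, so anything below 2.17.0 (or of unknown version) is flagged for update.
MIN_VERSION = (2, 17, 0)

JAR_NAME_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
POM_SUFFIX = "org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """'2.17.1' -> (2, 17, 1); returns None when the text is not a dotted version."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def jar_version(jar_path):
    """Version from the Maven pom.properties inside the jar, else from the file name."""
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            if name.endswith(POM_SUFFIX):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return parse_version(line.split("=", 1)[1])
    m = JAR_NAME_RE.search(Path(jar_path).name)
    return tuple(int(p) for p in m.groups()) if m else None


def scan_for_log4j(root):
    """Return sorted (relative path, version string, needs_update) for each log4j-core jar."""
    root = Path(root)
    findings = []
    for jar in root.rglob("*.jar"):
        if "log4j-core" not in jar.name:
            continue
        ver = jar_version(jar)
        needs_update = ver is None or ver < MIN_VERSION
        rel = str(jar.relative_to(root)).replace("\\", "/")
        findings.append((rel, ".".join(map(str, ver)) if ver else "unknown", needs_update))
    return sorted(findings)


def build_sample_install(base):
    """Construct a fake install tree (constructed sample data, assumed layout, not a real CF layout)."""
    base = Path(base)
    with_pom = [
        ("cfusion/lib/log4j-core-2.16.0.jar", "2.16.0"),             # jar left behind by the Dec 17 update
        ("cfusion/wwwroot/WEB-INF/lib/log4j-core-2.17.1.jar", "2.17.1"),  # already swapped
        ("pmt/lib/log4j-core-renamed.jar", "2.16.0"),                # old version hidden by a renamed file
    ]
    for rel, ver in with_pom:
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(p, "w") as zf:
            zf.writestr("META-INF/maven/" + POM_SUFFIX,
                        f"version={ver}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
    # A jar without pom.properties: only the file name carries the version.
    bare = base / "cfusion/runtime/lib/log4j-core-2.17.0.jar"
    bare.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(bare, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return base


def demo():
    """Build the constructed tree and scan it; returns the findings list."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_install(tmp)
        return scan_for_log4j(tmp)


if __name__ == "__main__":
    for rel, ver, needs_update in demo():
        print(f"{'UPDATE' if needs_update else 'ok    '} {ver:8} {rel}")
```

Run it as-is to see the constructed tree scanned; against a real server, call `scan_for_log4j("/path/to/install/root")` and treat every `UPDATE` line as a jar the Dec 22 technote's steps have not yet covered. Reading the version from inside the jar rather than trusting the file name is the point of the check: a renamed `log4j-core-2.16.0.jar` still shows up as 2.16.0.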