Adobe engineering and security have been hard at work determining which versions of ColdFusion might be affected and what, if any, workaround/mitigation steps are available.
For the mitigation steps, see Log4J vulnerability on ColdFusion. It will be updated if/as things change. This article contains information related to ColdFusion 2021, ColdFusion 2018 as well as ColdFusion 2016. There are also sections concerning the Performance Monitoring Toolset for 2021/2018 and API Manager.
We shall be releasing a patch on 12/17 for the same. In the meantime, follow the steps mentioned in the document. If you need more information, please contact us or reply in this thread.
Can you provide any insight into where one would look for this patch when it does become available?
I was writing the below when news literally broke of the updates being released:
I'll leave the rest I'd written, for future reference...
The best places may be where we should typically be told of ANY new cf updates:
To be clear, it's expected that the update for this vuln will indeed be in the form of other cf updates.
Separately, this vuln being the lead news that it is, we can also expect release of that update to be indicated in:
Then there's also the Adobe PSIRT team's email notification service for security updates to any Adobe product.
Then certainly the cf community will share news of it, in the forums (there's another very active post on this issue in these forums), in the cf portal (coldfusion.adobe.com) which also has discussions of it, and finally Pete Freitag's blog post and services, both pointed to in the other resources.
And as a starting point, I have a blog post that pointed to all the above. See
But I know you wanted to know the "official place" to watch, and that's the first two above.
We have just released an update today to fix the vulnerability.
Please update CF and let us know your thoughts.
I just deployed this through the CFAdmin Updates Page. I performed a manual update, and it worked as expected. It's like Christmas morning, and I got the Red Ryder BB Gun (...not the Pink Bunny PJs...)!
Folks reading this post here should note that in the days after the release of those updates on Dec 17 (discussed in the technote linked to above), there was yet another Adobe technote released that addresses the vulns which remain in log4j 2.16 jars implemented by that CF update, and the technote offers updated log4j 2.17 jars and instructions for dealing with things:
To be clear, you should NOT just implement these new jars as "the fix" for the original log4j vuln. Again, these steps are to be done AFTER applying the update from Dec 17.
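One thing a ColdFusion admin will want after applying the Dec 17 update and then the follow-up 2.17 jar swap is a way to confirm that no log4j-core jar below 2.17 is still sitting anywhere under the install. The script below is an added example, not code from Adobe or from anyone in this thread: it walks a directory tree, finds every `log4j-core*.jar`, reads the version from the jar's `META-INF/MANIFEST.MF` (falling back to the filename when there is no manifest), and flags anything older than 2.17.0, the threshold the thread's second technote implies. The install path is a placeholder you replace with your real ColdFusion root; the `build_sample_tree()` function only builds constructed sample jars so the script can be run offline.

```python
import os
import re
import tempfile
import zipfile

# Threshold taken from the thread: the 2.16 jars shipped with the Dec 17 update
# still have remaining issues, and the later technote supplies 2.17 jars.
MIN_OK = (2, 17, 0)

# Placeholder; replace with the real ColdFusion install root on your server.
CF_ROOT = "/path/to/ColdFusion"  # assumption, not a path from the thread


def parse_version(text):
    """Turn '2.16.0' (or '2.16') into a comparable tuple; None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def jar_version(path):
    """Prefer Implementation-Version from the manifest; fall back to the filename."""
    try:
        with zipfile.ZipFile(path) as z:
            if "META-INF/MANIFEST.MF" in z.namelist():
                manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                for line in manifest.splitlines():
                    if line.lower().startswith("implementation-version:"):
                        v = parse_version(line.split(":", 1)[1])
                        if v:
                            return v
    except zipfile.BadZipFile:
        pass  # corrupt or not really a zip; still try the filename below
    m = re.search(r"log4j-core-(\d+\.\d+(?:\.\d+)?)", os.path.basename(path))
    return parse_version(m.group(1)) if m else None


def scan(root):
    """Return one finding per log4j-core jar under root, marking whether it meets MIN_OK."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower.startswith("log4j-core") and lower.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = jar_version(path)
                findings.append({
                    "name": name,
                    "path": path,
                    "version": version,
                    "ok": version is not None and version >= MIN_OK,
                })
    return findings


def build_sample_tree():
    """Constructed sample data: three fake log4j-core jars plus an unrelated jar."""
    root = tempfile.mkdtemp(prefix="cf-log4j-sample-")
    os.makedirs(os.path.join(root, "lib"))
    os.makedirs(os.path.join(root, "cfusion", "lib"))

    def write_jar(rel, manifest_version=None):
        with zipfile.ZipFile(os.path.join(root, rel), "w") as z:
            if manifest_version:
                z.writestr("META-INF/MANIFEST.MF",
                           "Manifest-Version: 1.0\r\n"
                           f"Implementation-Version: {manifest_version}\r\n")
            else:
                z.writestr("dummy.txt", "no manifest in this jar")

    write_jar("lib/log4j-core-2.16.0.jar", "2.16.0")          # left behind from the Dec 17 update
    write_jar("cfusion/lib/log4j-core-2.17.0.jar", "2.17.0")  # the replacement jar
    write_jar("lib/log4j-core-2.12.2.jar")                    # no manifest: filename fallback
    write_jar("lib/commons-io.jar", "2.11.0")                 # unrelated, must be ignored
    return root


if __name__ == "__main__":
    root = CF_ROOT if os.path.isdir(CF_ROOT) else build_sample_tree()
    for f in scan(root):
        status = "OK " if f["ok"] else "OLD"
        print(f"{status} {f['version']} {f['path']}")
```

Run it as-is to see the three findings from the constructed tree, or set `CF_ROOT` to your install to scan for real. It only looks at jars on disk, so a log4j-core jar embedded inside a WAR or EAR would not be seen, and renamed leftovers (for example a `.jar.bak`) are deliberately skipped since they are no longer on the classpath.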