• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
1

ColdFusion and Log4J Vulnerability

Adobe Employee ,
Dec 14, 2021 Dec 14, 2021

Copy link to clipboard

Copied

Adobe engineering and security have been hard at work determining which versions of ColdFusion might be affected and what, if any, workaround/mitigation steps are available.

 

For the mitigation steps, see Log4J vulnerability on ColdFusion. It will be updated if/as things change. This article contains information related to ColdFusion 2021, ColdFusion 2018 as well as ColdFusion 2016. There are also sections concerning the Performance Monitoring Toolset for 2021/2018 and API Manager.

 

We shall be releasing a patch on 12/17 for the same. In the meantime, follow the steps mentioned in the document. If you need more information, please contact us or reply in this thread.

TOPICS
Security

Views

266

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Dec 17, 2021 Dec 17, 2021

Copy link to clipboard

Copied

Can you provide any insight into where one would look for this patch when it does become available?

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Dec 17, 2021 Dec 17, 2021

Copy link to clipboard

Copied

I was writing the below when news literally broke of the updates being released:

 

https://coldfusion.adobe.com/2021/12/update-coldfusion-security-updates-log4j-vulnerability/

 

I'll leave the rest I'd written, for future reference... 

 

The best places may be where we should typically be told of ANY new cf updates:

  • The cf admin, and its updates page
  • The cf updates web pages. Just Google: coldfusion updates to find the pages for each cf version which list all updates (of course, only Cf2021 and 2018 get any more, currently)

 

To be clear, it's expected that the update for this vuln will indeed be in the form of other cf updates. 

 

Separately, this vuln being the lead news that it is, we can also expect release of that update to be indicated in:

  • The technote page on the vuln listed above
  • As well as either a comment in or update to this post, or a new post here in this forum

 

Then there's also the Adobe PSIRT teams email notification service for security updates to any Adobe product. 

 

Then certainly the cf community will share news of it, in the forums (there's another very active post on this issue in these forums), in the cf portal (coldfusion.adobe.com) which also has discussions of it, and finally Pete Freitag's blog post and services, both pointed to in the other resources.

 

And as a starting point, I have a blog post that pointed to all the above. See 

 

https://coldfusion.adobe.com/2021/12/dealing-recent-log4j-vulnerability-adobe-releases-update/

 

But I know you wanted to know the "official place" to watch, and that the first two above. 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Dec 17, 2021 Dec 17, 2021

Copy link to clipboard

Copied

We have just released an update today to fix the vulnerability.

https://community.adobe.com/t5/coldfusion-discussions/update-released-coldfusion-security-updates-fo...

Please update CF and let us know your thoughts.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Dec 17, 2021 Dec 17, 2021

Copy link to clipboard

Copied

I just deployed this through the CFAdmin Updates Page.  I performed a manual update, and it worked as expected.  It's like Christmas morning, and I got the Red Ryder BB Gun (...not the Pink Bunny PJs...)!

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Dec 22, 2021 Dec 22, 2021

Copy link to clipboard

Copied

LATEST

Folks reading this post here should note that in the days after the release of those updates on Dec 17 (discussed in the technote linked to above), there was yet another Adobe technote released that addresses the vulns which remain in log4j 2.16 jars implemented by that CF update, and the technote offers updated log4j 2.17 jars and instructions for dealing with things:

 

https://helpx.adobe.com/coldfusion/kb/log4j-2-16-vulnerability-coldfusion.html 

 

To be clear, you should NOT just implement these new jars as "the fix" for the original log4j vuln. Again, these steps are to be done AFTER applying the update from Dec 17.


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation