Is there any chance this will be updated in the future? I am getting a lot of heat from the security people because the scans keep coming back with log4j vulns.
The analytics service is using an old version of Elasticsearch that requires log4j-1.2.17.jar.
Does anyone know of any way to not use the analytics service and still run the API manager, or know of any workarounds to use a newer Elasticsearch? I know we can remove the JNDI classes and put some flags on the JVM, but the security folks see the file and that's all they care about.
This is the case for both the ColdFusion 2021 API manager and the ColdFusion 2023 API manager.
Example directory
C:\ColdFusion2023APIManager\database\analytics\lib
For anyone fighting security scans and compliance:
I ended up using the reload4j jar as a replacement.
https://reload4j.qos.ch/
Not perfect, but it has all the classes so the analytics service will start, they updated it to handle the vulns, and the scanners will not see log4j 1.2.17. So everyone is happy.
Submitted request for update
Well, you'll want to hear from Adobe, I'm sure.
Until then, note first that you don't necessarily NEED the analytics service feature of the API manager. That's an option during install. So do you know you do? If not, it can be uninstalled.
I'll assume you're also REALLY using the API Manager feature, which is itself only an option--which I daresay most cf users don't use, especially since it required a cf enterprise license, at least until cf2025, which no longer requires any cf license.
And have you confirmed that the 2025 version of the api manager doesn't solve your issue? I don't mean to say it will: I won't be surprised if only the name has changed otherwise in the 2025 and even 2023 version compared to the 2021 version.
Then as for the old log4j jar, it may be possible that you could just swap out more recent, secure ones. Maybe Adobe or someone else who's tried that will report. I have not explored it. There may also be some resource since that log4j debacle a few years ago where Adobe has documented how to make the api manager more secure in that regard, like they had for cf (before cf updates addressed it).
Sorry I don't have EXACTLY what you seek. If no one else does, I'll propose you consider asking in the still-wider online cf community. I list other options at cf411.com/cfsocialhelp.
Hey Charlie, (big fan btw)
The analytics service and the datastore service are both required for the API manager service to start.
The CF2025 API manager is also using the same version (just downloaded to check).
Tried to swap out versions, but all my attempts resulted in the analytics service being unable to start.
The API manager definitely isn't getting any love; will most likely pivot away from it.
First, thanks for the kind regards. And second: agh, you're right (about the API Manager needing both the other related services). My bad. The reason they are optional is if instead one were going to install either (or both) on a server OTHER than that where the API Manager service itself was being installed.
To that point, one slight possibility for you to consider would be if you might be allowed to install the Analytics service on a machine other than the one where your folks are so concerned about this remaining log4j issue. It could be "offline" relative to the public internet (incoming and outgoing traffic): it would only need to allow traffic in from, and back to, the API Manager on the current server. But I appreciate that may seem merely "rearranging deck chairs on the Titanic" (though I don't think it's quite as dire as when that analogy is usually used).
As for your attempt to swap out versions, I suppose you mean of the log4j jars. Well, asking if you might clarify what you did precisely, I'll note that there's a difference in swapping out to "the very latest" log4j jars and swapping out to something "at least more updated than what it came with", which may well predate the whole log4j debacle from Christmas 2021. Also, when you say you "swap out" some jar, do beware that you can't just leave the old jars in place, renamed: Java doesn't care at all what a file is NAMED. If it's a jar, alongside others that can be loaded (meaning "in the classpath"), then Java can and will look at that jar file to see if it has the classes being loaded at a point in time.
All that said, this is something it would be best for Adobe to resolve (or offer a workaround). Before you give up, try emailing them directly at cfinstal@adobe.com. Sometimes they may have a solution they offer there but not here (mostly because the people there generally don't participate here, which is more community members helping each other--with Adobe popping in about 10% of the time).
If you DO somehow get some other news and/or resolution from such a direct email exchange, I sure hope you will pop back in here yourself to let folks know how it worked out.
Suggestion: submit a Feature Request in Adobe Tracker, asking the ColdFusion team to upgrade the log4j libraries. It would help to substantiate your request with:
(1) a list of the libraries that require an upgrade;
(2) an account of the difficulties that the old libraries are causing you and your team.
@ryanm2553848 , Thanks for the update.
It might not be enough to do just the reload4j replacement. Though that passes the security check, it might lead to application errors.
I shall give you an example to illustrate. ColdFusion 2023 includes these 2 Jars:
ColdFusion 2025 contains the updated versions, which are, respectively,
So, my suggestion is for you to contact the Adobe ColdFusion support team (cfsup[at]adobe.com) for advice on which Jars to use.
I'm referring specifically to the log4j file found here. This is with the latest ColdFusion 2025 API manager. They are still using an old version of Elasticsearch. This is for all versions: 2021, 2023 and 2025.
"C:\ColdFusion2025APIManager\database\analytics\lib\log4j-1.2.17.jar"
Thanks for clarifying. I am surprised that ColdFusion 2025's API Manager is still using the outdated log4j-1.2.17.jar. Reload4j (for example, reload4j-1.2.26.jar) would indeed be an appropriate "drop-in".
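The thread above makes two points a defender will want to verify on their own lib directory: Charlie's warning that a jar left in place under a different name is still a jar, and the observation that scanners (and the security folks) key on the log4j 1.2.17 artifact itself, which a reload4j swap replaces. The following is an added example, not code from the thread or from Adobe or the reload4j project: it inventories every zip archive in a directory and classifies it by its embedded Maven metadata rather than by filename, so a renamed log4j 1.2.x jar is still reported and a reload4j jar is recognised as such. It assumes the standard Maven layout (a META-INF/maven/<groupId>/<artifactId>/pom.properties entry with groupId/artifactId/version keys) and the coordinates log4j:log4j and ch.qos.reload4j:reload4j; the sample archives it scans are constructed in a temporary directory with empty placeholder class entries, and the directory path from the thread is used only as a label.

```python
"""Inventory jars in a lib directory by content, not filename.

Added example (not from the thread or any vendor). Assumption: the jars carry
standard Maven metadata at META-INF/maven/<groupId>/<artifactId>/pom.properties.
"""
import os
import tempfile
import zipfile


def read_pom_properties(zf):
    """Return the first pom.properties found in the archive as a dict, or None."""
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            return props
    return None


def classify_archive(path):
    """Classify one archive as 'log4j-1.x', 'reload4j', 'log4j1-classes' or 'other'.

    The filename is deliberately ignored: a renamed jar is still a jar.
    """
    with zipfile.ZipFile(path) as zf:
        props = read_pom_properties(zf)
        if props:
            group, artifact = props.get("groupId"), props.get("artifactId")
            version = props.get("version", "")
            if group == "log4j" and artifact == "log4j" and version.startswith("1."):
                return "log4j-1.x", version
            if group == "ch.qos.reload4j" and artifact == "reload4j":
                return "reload4j", version
            return "other", version
        # No Maven metadata: fall back to a class-path heuristic (assumed package name).
        if any(n.startswith("org/apache/log4j/") for n in zf.namelist()):
            return "log4j1-classes", ""
        return "other", ""


def scan_lib_dir(lib_dir):
    """Return a list of findings for every zip archive in lib_dir, whatever its extension."""
    findings = []
    for entry in sorted(os.listdir(lib_dir)):
        path = os.path.join(lib_dir, entry)
        if os.path.isfile(path) and zipfile.is_zipfile(path):
            status, version = classify_archive(path)
            findings.append({"file": entry, "status": status, "version": version})
    return findings


def _write_jar(path, pom_path, pom_text, class_entries):
    """Write a constructed archive with Maven metadata and placeholder class entries."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if pom_path:
            zf.writestr(pom_path, pom_text)
        for entry in class_entries:
            zf.writestr(entry, b"")  # placeholder, not real bytecode


def build_sample_lib_dir():
    """Constructed sample data standing in for ...\\database\\analytics\\lib."""
    lib_dir = tempfile.mkdtemp(prefix="analytics-lib-")
    log4j_pom = "META-INF/maven/log4j/log4j/pom.properties"
    log4j_props = "#Generated by Maven\nversion=1.2.17\ngroupId=log4j\nartifactId=log4j\n"
    log4j_classes = ["org/apache/log4j/Logger.class"]
    # The original jar, and the same jar "removed" by renaming it.
    _write_jar(os.path.join(lib_dir, "log4j-1.2.17.jar"), log4j_pom, log4j_props, log4j_classes)
    _write_jar(os.path.join(lib_dir, "log4j-1.2.17.jar.old"), log4j_pom, log4j_props, log4j_classes)
    _write_jar(os.path.join(lib_dir, "reload4j-1.2.26.jar"),
               "META-INF/maven/ch.qos.reload4j/reload4j/pom.properties",
               "version=1.2.26\ngroupId=ch.qos.reload4j\nartifactId=reload4j\n",
               ["org/apache/log4j/Logger.class"])
    _write_jar(os.path.join(lib_dir, "other.jar"),
               "META-INF/maven/com.example/other/pom.properties",
               "version=1.0\ngroupId=com.example\nartifactId=other\n",
               ["com/example/Other.class"])
    return lib_dir


if __name__ == "__main__":
    for finding in scan_lib_dir(build_sample_lib_dir()):
        print(f"{finding['file']:28} {finding['status']:15} {finding['version']}")
```

Run against a real directory with `scan_lib_dir(r"C:\ColdFusion2025APIManager\database\analytics\lib")`; the point of the constructed sample is that `log4j-1.2.17.jar.old` is reported exactly like `log4j-1.2.17.jar`, so renaming does not clear a content-based scan, while the reload4j jar is identified by its own coordinates even though it ships the same `org.apache.log4j` package names.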