
ColdFusion2018 Update 15 New Log4j issue

New Here, Dec 02, 2022

As of December 2, 2022, Tenable security scans are once again flagging ColdFusion with a Critical vulnerability, identifying the latest CF Update 15 (that we applied two weeks ago). States we had previously mitigated this issue, but it is back. Has anyone else seen a vulnerability scan (of any level) identifying cf-logging.jar as using v. 1.2.15? (A logging library running on the remote host is no longer supported.)

Identifies:

[drive]:\ColdFusion2018\[cfinstance]\hf-updates\hf-2018-00015-330106\backup\lib\cf-logging.jar

I can only find posts about this vulnerability in posts from Jan 2022, where Adobe says they checked and they "weren't vulnerable".

I'm concerned because it is flagged as Critical and security teams will expect this to be mitigated.

Adobe Employee, Dec 02, 2022

Hello BlckBurn,

We have taken care of the issue in the latest ColdFusion updates, and you can safely ignore the alerts.

You can remove the cf-logging.jar file from the backup location, i.e., from the location below:

\ColdFusion2018\[cfinstance]\hf-updates\hf-2018-00015-330106\backup\lib\cf-logging.jar

Before applying the updates, ColdFusion will back up the files that will be modified, so you can remove the file from the backup directory.

Regarding the version update of cf-logging.jar, we are planning to update the version in the new ColdFusion release, and based on that, we will be applying the changes to the existing ColdFusion version through the new updates after the release of the new version of ColdFusion.

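When triaging a scanner finding like the one in this thread, it helps to separate jars sitting in hotfix backup directories (which the reply above says can be removed) from the copy the server actually loads. The following Python sketch is an added example, not code from the thread or from Adobe; the `cfusion` instance name, the constructed sample tree, the use of the manifest `Implementation-Version` field and the log4j 1.x class marker are assumptions.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Assumption: backup copies sit under hf-updates/<hotfix>/backup/, as in the thread's path.
BACKUP_RE = re.compile(r"(^|/)hf-updates/[^/]+/backup/", re.IGNORECASE)
JAR_RE = re.compile(r"^(cf-logging|log4j).*\.jar$", re.IGNORECASE)
LOG4J1_CLASS = "org/apache/log4j/Logger.class"  # log4j 1.x package layout

def manifest_version(jar):
    """Implementation-Version from the jar manifest, or 'unknown' if absent."""
    try:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return "unknown"
    m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else "unknown"

def triage(root):
    """List logging jars under root, tagging hotfix-backup copies versus live ones."""
    root, findings = Path(root), []
    for path in sorted(p for p in root.rglob("*.jar") if JAR_RE.match(p.name)):
        rel = path.relative_to(root).as_posix()
        try:
            with zipfile.ZipFile(path) as jar:
                version, log4j1 = manifest_version(jar), LOG4J1_CLASS in jar.namelist()
        except zipfile.BadZipFile:
            version, log4j1 = "unreadable", False
        findings.append({"path": rel, "version": version, "log4j1_classes": log4j1,
                         "location": "backup" if BACKUP_RE.search(rel) else "live"})
    return findings

def build_sample(base):
    """Constructed demo tree: one live jar, one hotfix backup copy (not real CF files)."""
    for rel in ("cfusion/lib/cf-logging.jar",
                "cfusion/hf-updates/hf-2018-00015-330106/backup/lib/cf-logging.jar"):
        jar_path = Path(base, rel)
        jar_path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(jar_path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF",
                         "Manifest-Version: 1.0\r\nImplementation-Version: 1.2.15\r\n")
            jar.writestr(LOG4J1_CLASS, b"")
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in triage(build_sample(tmp)):
            print(finding)
```

Pointing `triage()` at the real install root lists which flagged jars are backup copies and which are live, so a scan exception or cleanup can be scoped to the right files.
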
New Here, Dec 02, 2022

Understood.  Thank you for the update.  Will look forward to this finally being wrapped up in the next update.

Adobe Employee, Dec 02, 2022

Hello Blckburn,

Not in the next update of ColdFusion. It will be taken care of in the next ColdFusion release, i.e., ColdFusion 2023; once the new version is released, it will be tested on the existing ColdFusion versions and will be fixed in later updates of ColdFusion after the new ColdFusion 2023 release.

New Here, Dec 02, 2022

Understood.   Thank you for the clarification.

New Here, Oct 23, 2023

So this will never be remediated in ColdFusion 2021?  
