As of December 2, 2022, Tenable security scans are once again flagging ColdFusion with a Critical vulnerability, identifying the latest CF Update 15 (that we applied two weeks ago). It states we had previously mitigated this issue, but it is back. Has anyone else seen a vulnerability scan (of any level) identifying cf-logging.jar as using v. 1.2.15 ("A logging library running on the remote host is no longer supported.")?
Identifies:
[drive]:\ColdFusion2018\[cfinstance]\hf-updates\hf-2018-00015-330106\backup\lib\cf-logging.jar
I can only find posts about this vulnerability from Jan 2022, where Adobe says they checked and they "weren't vulnerable".
I'm concerned because it is flagged as Critical and security teams will expect this to be mitigated.
Hello BlckBurn,
We have taken care of the issue in the latest ColdFusion updates, and you can safely ignore the alerts.
You can remove the cf-logging.jar file from the backup location, i.e., from the location below:
\ColdFusion2018\[cfinstance]\hf-updates\hf-2018-00015-330106\backup\lib\cf-logging.jar
Before applying updates, ColdFusion backs up the files that will be modified, so you can remove the file from the backup directory.
Regarding the version update of cf-logging.jar, we are planning to update the version in the new ColdFusion release. Based on that, we will apply the changes to the existing ColdFusion versions through new updates after the release of the new version of ColdFusion.
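To confirm whether a flagged cf-logging.jar is the hot-fix backup copy rather than the live lib/ jar, and what library versions each copy bundles, here is an added Python example (not from this thread and not Adobe's tooling). It assumes the jar carries Maven pom.properties metadata under META-INF/maven/, and demo() builds a constructed ColdFusion-style directory tree with made-up version strings.

```python
import tempfile
import zipfile
from pathlib import Path

TARGET_JAR = "cf-logging.jar"  # the jar the Tenable finding in the thread points at


def jar_versions(jar_path):
    """Read Maven pom.properties bundled in a jar -> {artifactId: version}."""
    versions = {}
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                props = {}
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if "=" in line and not line.startswith("#"):
                        key, value = line.split("=", 1)
                        props[key.strip()] = value.strip()
                if "artifactId" in props:
                    versions[props["artifactId"]] = props.get("version", "?")
    return versions


def scan_install(root):
    """Find every TARGET_JAR under a ColdFusion install and flag hot-fix backup copies."""
    root = Path(root)
    findings = []
    for jar in root.rglob(TARGET_JAR):
        parts = [p.lower() for p in jar.relative_to(root).parts]
        # Backup copies live under <instance>\hf-updates\<hotfix>\backup\lib, as in the thread
        in_backup = "hf-updates" in parts and "backup" in parts
        findings.append({"path": str(jar), "hotfix_backup": in_backup,
                         "versions": jar_versions(jar)})
    return findings


def _write_jar(path, artifact, version):
    # Constructed sample jar: only a pom.properties, enough for jar_versions() to read.
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(f"META-INF/maven/example/{artifact}/pom.properties",
                    f"artifactId={artifact}\nversion={version}\n")


def demo():
    """Build a constructed CF2018-style tree (made-up versions) and scan it."""
    root = Path(tempfile.mkdtemp())
    hotfix = root / "cfusion" / "hf-updates" / "hf-2018-00015-330106" / "backup" / "lib"
    _write_jar(root / "cfusion" / "lib" / TARGET_JAR, "logging-lib", "9.9.9-constructed")
    _write_jar(hotfix / TARGET_JAR, "logging-lib", "1.2.15")
    return scan_install(root)
```

Run scan_install() against the real install root to see which copies the scanner is matching before deleting anything from the backup directory.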
Understood. Thank you for the update. Will look forward to this finally being wrapped up in the next update.
Hello Blckburn,
Not in the next update of ColdFusion. It will be taken care of in the next ColdFusion release, i.e., ColdFusion 2023; once the new version is released, it will be tested on the existing ColdFusion versions and fixed in later updates of ColdFusion after the ColdFusion 2023 release.
Understood. Thank you for the clarification.