Inspiring
February 11, 2025
Answered

Does Log4J vulnerability still call for a JVM argument in CF2023?


Last year the Log4J vulnerability called for the addition of the JVM argument -Dlog4j2.formatMsgNoLookups=true in CF2018 and CF2021. Does anyone know if this JVM argument is still needed/recommended/valid in ColdFusion 2023?


    2 replies

    BKBK
    Community Expert
    February 13, 2025

    Last year the Log4J vulnerability called for the addition of the JVM argument -Dlog4j2.formatMsgNoLookups=true in CF2018 and CF2021. Does anyone know if this JVM argument is still needed/recommended/valid in ColdFusion 2023?

    By @Dordrecht7177366

    Important question. I don't know the answer off the top of my head. But I know a way you can answer the question yourself.

    After you install ColdFusion 2023, check what the default settings in /bin/jvm.config are. Adobe's ColdFusion engineers would have learned the lessons from ColdFusion versions 2018 and 2021. If the setting -Dlog4j2.formatMsgNoLookups=true were still needed/recommended/valid in version 2023, they would have included it by default. 🙂

    Charlie Arehart
    Community Expert
    Correct answer
    February 12, 2025

    My understanding is, "no".

    First, the issue is from Dec 2021 rather than "last year", which proves important as I will show. 🙂

    Second, that jvm arg was just the very first recommendation from Adobe that month, Dec 14 in fact. Then they came out with an update a week later, on Dec 21. And that was just the first of a couple which would evolve to address this and negate the need for the arg, by removing the affected log4j2 jars.

    Finally and most important, cf2023 came out in May 2023, and it had incorporated all the known updates regarding log4j by then.

    More than that, it did NOT implement that jvm arg out of the box. (Some may see it, but that would be because they imported settings from a prior cf release that had it.) And FWIW there have been 12 updates to that since then, and none of them have implemented that arg for us.

    If it may help, here are resources from me and from Adobe, discussing the changes over time regarding the log4j issue as it evolved back then in late 2021/early 2022:

    That's all in the rear view mirror for those on cf2023 and beyond.

    Hope that suits in answer to your question. I'm open to corrections, of course.

    /Charlie (troubleshooter, carehart.org)
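A check along the lines BKBK suggests (read the default bin/jvm.config) combined with the point Charlie makes about the affected log4j2 jars having been removed, written here as an added example rather than code from either poster or from Adobe. The sample jvm.config text, the jar names and the 2.17.1 floor are assumptions; pass a ColdFusion install root to audit() to run it against a real install.

```python
"""Audit a ColdFusion install for the two things this thread turns on: the
-Dlog4j2.formatMsgNoLookups=true entry in bin/jvm.config, and which log4j-core
jars (version taken from the file name) remain on disk. Samples are constructed."""
import re
from pathlib import Path

NOLOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"
MIN_OK_VERSION = (2, 17, 1)  # assumption, not from the thread: older log4j-core gets flagged
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
# Constructed sample in the key=value layout ColdFusion's jvm.config uses.
SAMPLE_JVM_CONFIG = """\
java.home=/opt/coldfusion2023/jre
java.args=-server -Xms256m -Xmx1024m -Dlog4j2.formatMsgNoLookups=true -Dcoldfusion.home={application.home}
java.library.path={application.home}/lib
"""

def java_args(jvm_config_text):
    """Tokens of the java.args= line; the last such line wins if repeated."""
    args = []
    for line in jvm_config_text.splitlines():
        if line.strip().startswith("java.args="):
            args = line.strip()[len("java.args="):].split()
    return args

def has_nolookups_flag(jvm_config_text):
    return NOLOOKUPS_FLAG in java_args(jvm_config_text)

def log4j_core_versions(jar_names):
    """Version tuples parsed from log4j-core jar file names, oldest first."""
    found = []
    for name in jar_names:
        m = JAR_RE.match(Path(name).name)
        if m:
            found.append(tuple(int(g) for g in m.groups()))
    return sorted(found)

def review_needed(jar_names):
    """log4j-core versions below MIN_OK_VERSION; empty means nothing left to chase."""
    return [v for v in log4j_core_versions(jar_names) if v < MIN_OK_VERSION]

def audit(root=None):
    """Run both checks on an install root (a Path), or on the constructed sample if None."""
    if root is None:
        cfg = SAMPLE_JVM_CONFIG
        jars = ["lib/log4j-core-2.14.1.jar", "lib/log4j-core-2.17.1.jar"]  # constructed
    else:
        cfg = (root / "bin" / "jvm.config").read_text(errors="replace")
        jars = [str(p) for p in root.rglob("log4j-core-*.jar")]
    return {"nolookups_flag": has_nolookups_flag(cfg),
            "log4j_core": log4j_core_versions(jars), "review": review_needed(jars)}
```

On a clean CF2023 install, per Charlie's reply, the expected result is no flag and no old log4j-core jar; a flag that is present points at settings carried over from an earlier release.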
    Inspiring
    February 12, 2025

    Thank you, @Charlie Arehart , as always!

    Charlie Arehart
    Community Expert
    February 12, 2025

    Glad to have helped. 🙂 

    /Charlie (troubleshooter, carehart.org)