
Log4j vulnerability on CF 2016

New Here, Dec 26, 2021

We are using CF2016, which uses log4j versions 1.2.15 and 1.2.17. I would like to confirm whether the upgrade of the Log4j jar to version 2.17 is still required. Also, if we upgrade the jar file to 2.17, will that be compatible with CF2016?

Community Expert, Dec 27, 2021

No, I don't think you have to upgrade from log4j 1.2.x to log4j 2.17. The upgrade to log4j 2.17 is intended for log4j versions 2.x, where x ranges from 9 to 16.

 

But you don't have to take my word for it. To set your mind at ease, go to the following page and scroll to the section on ColdFusion 2016: https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html. There you will read, "ColdFusion (2016 release) ships with Log4j 1.2, which is not impacted." 🙂

Explorer, Dec 29, 2021

This is fine and good, but network scanners are now detecting Log4j 1.x as vulnerable, requiring an update to Log4j 2.17 or newer. Is there anything that can be done with ColdFusion 2016?....

Community Expert, Dec 29, 2021

Mail your question to Adobe: cfinstal|at|adobe.com

Explorer, Dec 30, 2021

Yeah....I did and was told that there is no longer support for ColdFusion 2016. While I understand, at the same time, it's greatly frustrating....

Community Expert, Dec 31, 2021
quote

Yeah....I did and was told that there is no longer support for ColdFusion 2016. While I understand, at the same time, it's greatly frustrating....


By @neowire

I can understand your frustration. 

Anyway, there is a point to be made here. As you're concerned about security, you should upgrade to a supported ColdFusion version. If you continue using an unsupported version (CF2016), you will be responsible for any security problems that emerge.

Explorer, Jan 04, 2022

I am doing what I can to move on to a supported version....I am not in charge of funds and there are numerous roadblocks in approval processes for installing software in the environment that I am in....Otherwise, we already would be there....
