We are using CF2016, which uses log4j versions 1.2.15 and 1.2.17. I would like to confirm whether the upgrade of the Log4j jar to version 2.17 is still required. Also, if we upgrade the jar file to 2.17, will that be compatible with CF2016?
No, I don't think you have to upgrade from log4j 1.2.x to log4j 2.17. The upgrade to log4j 2.17 is intended for log4j versions 2.x, where x ranges from 9 to 16.
But you don't have to take my word for it. To set your mind at ease, go to the following page and scroll to the section on ColdFusion 2016: https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html. There you will read, "ColdFusion (2016 release) ships with Log4j 1.2, which is not impacted." 🙂
This is fine and good, but network scanners are now detecting Log4j 1.x as vulnerable, requiring an update to Log4j 2.17 or newer. Is there anything that can be done with ColdFusion 2016?....
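When a scanner flags Log4j on a ColdFusion host, a first step is to confirm which Log4j generation each jar on disk actually belongs to. The following is an added example, not part of the original thread and not Adobe's tooling; the function names are hypothetical, the directory to scan is passed as an argument, and jars nested inside other archives are not opened.

```python
import re
import sys
import zipfile
from pathlib import Path

# Class files that identify each Log4j generation inside a jar.
# The 1.x API classes also ship in the 2.x "log4j-1.2-api" bridge jar,
# so the manifest version must be read alongside the family label.
LOG4J1_API_MARKER = "org/apache/log4j/Logger.class"
LOG4J2_CORE_MARKER = "org/apache/logging/log4j/core/Logger.class"


def manifest_version(zf):
    """Return Implementation-Version from the jar manifest, or None."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def classify_jar(path):
    """Return (family, version); family is None when the jar is not Log4j."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            version = manifest_version(zf)
    except (zipfile.BadZipFile, OSError):
        return None, None  # unreadable or not a real archive
    if LOG4J2_CORE_MARKER in names:
        return "log4j-core-2.x", version
    if LOG4J1_API_MARKER in names:
        return "log4j-1.x-api", version
    return None, None


def scan(root):
    """Walk root and return [(path, family, version)] for every Log4j jar."""
    hits = []
    for jar in sorted(Path(root).rglob("*.jar")):
        family, version = classify_jar(jar)
        if family:
            hits.append((str(jar), family, version))
    return hits


if __name__ == "__main__":
    for path, family, version in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{family}\t{version or 'unknown'}\t{path}")
```

Classification relies on jar contents rather than file names, so a renamed or repackaged Log4j jar is still reported.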
Mail your question to Adobe: cfinstal|at|adobe.com
Yeah....I did and was told that there is no longer support for ColdFusion 2016. While I understand, at the same time, it's greatly frustrating....
Yeah....I did and was told that there is no longer support for ColdFusion 2016. While I understand, at the same time, it's greatly frustrating....
By @neowire
I can understand your frustration.
Anyway, there is a point to be made here. As you're concerned about security, you should upgrade to a supported ColdFusion version. If you continue using an unsupported version (CF2016), you will be responsible for any security problems that emerge.
I am doing what I can to move on to a supported version....I am not in charge of funds and there are numerous roadblocks in approval processes for installing software in the environment that I am in....Otherwise, we already would be there....