Dear all,
I'm trying to solve the vulnerability in object, following the guide at Log4j vulnerability on ColdFusion (adobe.com), but there are steps that are not clear to me (my doubts are in red):
ColdFusion 2018 ships with log4j 2.13.3 and/or 2.9.0, and log4j 1.2. The former is impacted by this vulnerability, while the latter (that is, v1.2) is not impacted.
Stop the server.
Navigate to the directory <cf_root>\<Instance_name>\bin.
Open jvm.config file and add -Dlog4j2.formatMsgNoLookups=true argument in java.args section. Save the file.
Done
Copy the patched log4j-core-2.9.0.jar file with JNDILookUp class that you have removed.
Removed? I didn't remove anything until now. And copy where?
The new file can be downloaded from here. If you find log4j-core-2.9.0.jar, move the file to a temporary location. If not found, skip this step.
If I find it... if not found... Where do I need to look for it?
The temporary location must be outside ColdFusion's lib directory or classpath, in general. You can place it outside ColdFusion's root directory.
If you are using any third-party libraries that use log4j2, and hence vulnerable, search for log4j-core in <cf_root> directory. If log4j2 version (<= 2.10 and >=2.0-beta9) is found, remove the JndiLookup class from the classpath as mentioned below, otherwise skip this step:
2. If the operating system is non-Windows, then remove the JndiLookup class from the classpath: "zip -q -d log4j-core-2.x.jar org/apache/logging/log4j/core/lookup/JndiLookup.class". x is the version number that you found in the folder.
Restart the instance and delete log4j-core-2.9.0.jar from the temporary location.
Repeat the procedure for all other instances.
Thanks for the support
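The procedure quoted above boils down to three checks that are easy to get wrong by hand across several instances: find every log4j-core jar under <cf_root>, read its version from the file name, and confirm whether the JndiLookup class is still inside the jar. The script below is an added example written for this thread (it is not Adobe's technote, ColdFusion code, or the poster's own work); it automates those checks and strips the class the same way the quoted zip -q -d command does, using the version range the technote gives (2.0-beta9 up to 2.10). The directory layout, jar names and jar contents in the demo are constructed so it runs offline.

```python
"""Audit a tree for log4j-core jars and strip JndiLookup.class (added example)."""
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Class path from the quoted technote step; the jar is an ordinary zip archive.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Matches log4j-core-2.9.0.jar, log4j-core-2.10.jar, log4j-core-2.0-beta9.jar, ...
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?\.jar$", re.I)
PRE_RANK = {"beta": 0, "rc": 1, None: 2}  # beta < rc < final release
RANGE_LOW = (2, 0, 0, 0, 9)               # 2.0-beta9, lower bound from the technote
RANGE_HIGH_MM = (2, 10)                   # "<= 2.10", upper bound from the technote


def parse_version(filename):
    """Turn a log4j-core jar name into a comparable tuple, or None if it is not one."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    major, minor, patch, pre, pre_num = m.groups()
    pre = pre.lower() if pre else None
    return (int(major), int(minor), int(patch or 0), PRE_RANK[pre], int(pre_num or 0))


def in_technote_range(version):
    """True for the versions the quoted procedure says to strip JndiLookup from."""
    return RANGE_LOW <= version and version[:2] <= RANGE_HIGH_MM


def has_jndi_lookup(jar_path):
    """True if JndiLookup.class is still in the jar, None if the jar is not a valid zip."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            return JNDI_CLASS in jar.namelist()
    except zipfile.BadZipFile:
        return None


def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; zipfile cannot delete an entry in place."""
    jar_path = Path(jar_path)
    fd, tmp_name = tempfile.mkstemp(dir=jar_path.parent, suffix=".jar")
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_name, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))  # keeps every other entry
    os.replace(tmp_name, jar_path)
    return has_jndi_lookup(jar_path) is False


def audit(root):
    """Walk root (stands in for <cf_root>) and report every log4j-core jar, lowest version first."""
    found = []
    for path in Path(root).rglob("log4j-core-*.jar"):
        version = parse_version(path.name)
        if version is not None:
            found.append((version, path))
    return [{
        "path": str(path),
        "version": path.name[len("log4j-core-"):-len(".jar")],
        "needs_strip": in_technote_range(version),
        "has_jndi_lookup": has_jndi_lookup(path),
    } for version, path in sorted(found)]


def make_demo_jar(path):
    """Constructed sample jar: a manifest plus a stub JndiLookup.class (not real bytecode)."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return path


def demo_round_trip():
    """Build constructed jars in a temp <cf_root>, audit, strip what is in range, re-audit."""
    with tempfile.TemporaryDirectory() as cf_root:
        lib = Path(cf_root, "cfusion", "lib")
        lib.mkdir(parents=True)
        make_demo_jar(lib / "log4j-core-2.9.0.jar")    # in range, must be stripped
        make_demo_jar(lib / "log4j-core-2.13.3.jar")   # outside the technote's range
        (lib / "log4j-core-2.3.jar").write_text("not a zip")  # corrupt jar: reported, not touched
        before = audit(cf_root)
        stripped = [remove_jndi_lookup(f["path"]) for f in before
                    if f["needs_strip"] and f["has_jndi_lookup"]]
        return before, stripped, audit(cf_root)


if __name__ == "__main__":
    for stage in demo_round_trip():
        print(stage)
```

A jar that is not a readable zip is reported with has_jndi_lookup set to None rather than silently skipped, so a truncated or half-copied log4j-core file still shows up in the inventory; the strip step only runs when the class is confirmed present. Point audit() at a real <cf_root> to get the same report for each instance, and keep the technote's own advice to stop the server before rewriting a jar.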
Newbye, first, just ignore all that's on that post. It was among the first of many responses as Adobe and the rest of the IT world scrambled to address the "log4j vulnerability", which was like IT's version of Covid, that ruined many a holiday season in Dec 2021.
First, you haven't said what cf 2018 update you're on: if you're on its update 14 or above, you're done. What you're referring to is from before update 13--and there was yet another technote like it after that (both mentioned in the technote for u13)--but none of that's needed once you're on 14 or later.
Second, since you're on cf2018 (and expressing concerns over vulnerabilities), this is a bit like rearranging deck chairs on the Titanic. As you may know, cf versions stop getting updates (including security fixes) after 5 years. It's now been 20 months since cf2018 got its last.
I appreciate that some don't move to newer versions because of licensing cost, migration effort, or a planned move off of cf. On the last, I can say those often never happen despite high hopes. On the migration effort, I can offer that I have a talk on the topic covering migration to cf2023 (or 21, still supported) covering migration from all previous versions since 9.
Finally, on the matter of licensing cost, I can help there also, with news of a special upgrade discount for those on cf2018 or earlier, good only through the end of the year. As you may know, while Adobe offers a 50% upgrade discount to the new version from the previous one, that would only help those now on cf2021 to get to 2023.
But until the end of December, the fine folks behind FusionReactor (who are also cf resellers) are offering a 25% discount off an upgrade to 2023 for those on cf2018 or earlier. That's a savings of about US$600 on CF Standard and US$2500 on CF Enterprise. More in a blog post of mine.
Let us know if any of the above helps you, especially the first point.
Right at the top, there's a section that points you to two CF update pages. You'll need to use the appropriate update for your CF version. That'll fix your immediate problem.
Out of curiosity, how did you find this KB article? The relevant updates have been listed since 21 December 2021. That's a long time ago.
Or still better, the update AFTER what's listed there, which is update 14 for newbye in cf2018.
(Dave, I'm assuming you replied without seeing my earlier reply. You're not wrong in what you say, but someone seeing this shouldn't stop at what was then the next update when that technote was written and then initially updated.)
Thanks to everyone for the support!
In the end, I updated the ColdFusion version to update 14, and the vulnerability seems to be solved.
Really appreciated,
best regards.
Thanks for the update. And to help save future readers time in assessing the question and its replies, could you please use the "correct answer" option on the reply which initially communicated that solution to you?