Hello,
We are using ColdFusion 2016 for our production server and the following vulnerability has been reported. Currently we are on ColdFusion 2016 Update 11.
In the installation locations below, the log4j versions are log4j-1.2.15 and log4j-1.2.17.
Our security team is asking us to upgrade to the latest log4j version, i.e., log4j-core-2.23.1. Could you please help us remediate these vulnerabilities?
C:\ColdFusion2016\cfusion\lib\log4j-1.2.15.jar
C:\ColdFusion2016\cfusion\hf-updates\hf-2016-00011-314546\backup\jetty\lib\ext\log4j-1.2.17.jar
C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\plugins\org.apache.log4j_1.2.15\lib\log4j-1.2.15.jar
C:\ColdFusion2016\cfusion\jetty\lib\ext\log4j-1.2.17.jar
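An added inventory script (not from the original poster or from Adobe) that walks install roots like the ones listed above, takes each log4j jar's version from its filename or, failing that, its manifest, and flags 1.x jars as an end-of-life branch and 2.x jars below the 2.23.1 the security team asked for. The directory tree it scans is constructed in a temp folder so it runs offline; paths and jar contents are made up for the demo.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Version the security team requested in the post above.
TARGET = (2, 23, 1)
JAR_NAME = re.compile(r"log4j(?:-core|-api)?-(\d+)\.(\d+)\.(\d+)\.jar$", re.I)
MANIFEST_VER = re.compile(r"^(?:Implementation|Bundle)-Version:\s*(\d+)\.(\d+)\.(\d+)", re.M)

def parse_version(name):
    """Version tuple from a jar filename such as log4j-1.2.15.jar, else None."""
    m = JAR_NAME.search(name)
    return tuple(int(x) for x in m.groups()) if m else None

def manifest_version(jar):
    """Fallback: read the version from META-INF/MANIFEST.MF inside the jar."""
    try:
        with zipfile.ZipFile(jar) as z:
            text = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    m = MANIFEST_VER.search(text)
    return tuple(int(x) for x in m.groups()) if m else None

def classify(version):
    if version is None:
        return "unknown version: inspect manually"
    if version[0] == 1:
        return "log4j 1.x: end-of-life branch, no upstream security fixes"
    if version < TARGET:
        return "log4j 2.x below requested " + ".".join(map(str, TARGET))
    return "at or above requested version"

def scan(roots):
    """Recursively find log4j*.jar under each root and classify it."""
    findings = []
    for root in roots:
        for jar in Path(root).rglob("log4j*.jar"):
            v = parse_version(jar.name) or manifest_version(jar)
            findings.append({"name": jar.name, "path": str(jar), "version": v, "status": classify(v)})
    return findings

def demo():
    """Constructed sample tree mirroring the layout in the post (not a real install)."""
    root = Path(tempfile.mkdtemp())
    for rel in ("cfusion/lib/log4j-1.2.15.jar", "cfusion/jetty/lib/ext/log4j-1.2.17.jar",
                "cfusion/lib/log4j-core-2.23.1.jar", "cfusion/lib/log4j.jar"):  # last: manifest only
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(p, "w") as z:
            z.writestr("META-INF/MANIFEST.MF", "Implementation-Version: 1.2.17\n")
    return scan([root])
```

Point `scan()` at the real roots (e.g. `C:\ColdFusion2016`) to get the same report for an actual server; a jar whose version cannot be read is reported for manual inspection rather than silently skipped.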
I don't think you can just upgrade Log4j in CF 2016. Hopefully, if you can update Log4j in CF 2016, someone will pipe up and say that! There are updates for CF 2018 and 2023 available, along with mitigation steps if you can't apply the updates:
https://community.adobe.com/t5/coldfusion-discussions/update-released-coldfusion-security-updates-fo...
I would (a) set up Adobe's recommended mitigation steps, and (b) disable Jetty if you aren't using the add-on services which include Apache Solr among other things. For the third file reference in your list, it looks like it was installed by a different Adobe application other than ColdFusion and you can probably remove it safely.
Finally, I recommend moving to a supported version of CF if CF 2016 is no longer supported.
Dave Watts, Eidolon LLC
Echoing Dave's sentiments, I'll clarify his last point. As he may have meant to say, it's not "if cf2016 is no longer supported", but rather "AS it is no longer supported". It got its last updates in mid-2021, 5 years after it came out, which is Adobe's policy with all CF versions.
And that was also BEFORE the log4j blowup in Dec 2021 (a Christmas season ruined for many of us).
And while Adobe updated cf2021 and 2018 that month and in months to come, they did NOT offer any update for cf2016. It was not only because updates had ended for it, but at the time they confirmed it did not use the vulnerable log4j version but rather an older one. See this technote on the matter from that time.
Of course, being on an older log4j also meant that was a version which the log4j community itself no longer supported. And that's indeed its own issue, as you're now finding (and was soon acknowledged by many back then).
But there was never any solution offered by Adobe (that I know of) which addressed how a cf2016 server could be updated to a later, supported log4j removing all known vulns.
For that, your only option will be to upgrade to CF2023. Adobe doesn't sell cf2021 or earlier. I know that's not what some want to hear, but it is what it is.
Here's good news on that front, though: I posted just this week a blog entry on a special deal to get cf2023 at 25% off for those on cf2018, 2016, or earlier, good through September. I also offer their links to my presentations on migrating to cf2023 from each previous version back to 9. See https://www.carehart.org/blog/client/index.cfm/2024/7/8/limited_time_upgrade_discount_to_CF2023_from...
I appreciate this will feel like someone throwing you a life preserver when your house is on fire. Or it's at least like someone saying "get out of the house", when instead you plan on staying as long as possible. Maybe someone else will have a better flame retardant for you, to really stretch the analogy. Or is it a simile? 🙂
Anyway, this is one more answer for you to consider.
@Charlie Arehart Thank you Charlie for your insights on this query. Yes, before I posted this query, I went through this technical note https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html . They mentioned that "ColdFusion (2016 release) ships with Log4j 1.2, which is not impacted". Which means the two versions log4j-1.2.15 and log4j-1.2.17 are not vulnerable, right?
It's not that simple. See my paragraph after I'd offered my link to that. Then please reread the rest. You're hoping to stay on 2016 and somehow be "set". That's a false hope.
It's also short-sighted to think log4j is all you need to worry about, even if it's the only thing your security folks are complaining about or if, as you say, it's the only "vulnerability [that] has been reported". I could get remote access to your machine right now, and even if it's "intranet only", so could anyone on that network. The Adobe update for that in March of last year was offered only for the then-supported versions, cf2018, 2021, and 2023.
I have a blog post from then, my longest ever, that even shows how to patch that hole for cf2016 or earlier, because it was so serious. But that's just one of dozens of security fixes released in the 3 years after cf2016 stopped getting updates--and 5 years since its update 11 that you're on.
If this were the movie Titanic, you're like the ship's detective working on the theft of Rose's pendant, while the iceberg is "right ahead", not to mention being in the freezing cold north Atlantic, at night, etc. Remember too that the captain ignored warnings because he felt he had a deadline to make.
I feel for your plight, and I've even offered rescue boats (other options). But you're "the captain now", to switch movie classics. 🙂
@Dave Watts Thank you Dave for the quick help.
Can you help with the steps to update Log4j in CF 2016? And what are Adobe's recommended mitigation steps in this regard?
Can you please also tell me how to disable Jetty? If I disable it, then I can safely remove the 2nd and 4th files, right?
Like I wrote earlier, I don't think you can upgrade Log4j manually in CF. Adobe's recommended mitigation is "buy the latest version".
You can disable Jetty by stopping the Add-on Service.
Dave Watts, Eidolon LLC
I think your question can be answered in one sentence. It is Dave's
Let me explain.
The Log4J vulnerability is the least of your problems. You will see in the list of ColdFusion's Common Vulnerabilities and Exposures (CVE) that ColdFusion 2016 Update 11 has some more serious CVEs besides. Can you and your team fix them?
No. Neither will Adobe. As you can see in Adobe's End-of-Life Matrix, ColdFusion 2016 has long passed its end-of-life.
Share the information from both sites with your team. That should help in convincing the team to upgrade ColdFusion.