UPDATE RELEASED: ColdFusion security updates for Log4j vulnerability

Hi @bloodbanker 

CF updates are cumulative and you can skip update 2. You can install update 3 directly. 

Note: 1. Take the backup of entire CF before you apply the update. 

          2. You may encounter the QoQ error, after you apply the update 3. Here you can download the QoQ patch and copy this jar in \ColdFusion2021\cfusion\lib\updates folder and restart CF.

Patch link - Click here

Thank you @Priyank Shrivastava.

I have already installed Version 2 as stated above.  Now Version 3 is no longer listed, even after clicking Check for Updates.

Ravi with Adobe called me yesterday and walked me through a manual update.  We first removed Update 2, then he sent me a link for Update 3.  Seems it's not available for download anymore.

Anyhow, my site is patched.

Bloodbanker, while it's great that your problem is now solved, you conclude that update 3 seems "not available for download anymore". Update is absolutely available for download. Let me offer some info to help you (or anyone else who may ever experience this).

It sure seems that whatever you're seeing (now and in your previous comments) must be an environment issue for you. (And to be clear, the update was available as soon as I saw your comment, right after you offered it here about an hour ago. It took me time to gather up the info below, but I offer it to help anyone else who may ever see what you do.)

1) First, can you clarify what you mean when you say it's unavaialble for download? Do you  mean via some URL you're using? or in the CF Admin? As for the latter, do you mean you've gone to the "Package Manager" button on the left, and its primary "Packages" page, and its "Available Versions" drop-down at the bottom of the "core server" info? You don't see it listing "ColdFusion 2021 Update 3"? And you do have internet access on the machine running CF?

2) If that's where you "don't see it available", can you go to the "Settings" tab (at the top of that "Package Manager"), and tell us what you have for the "site url" value of its "Update site" setting? By default it should be:

https://www.adobe.com/go/coldfusion-updates

Note that if you or anyone had perhaps changed that to another value, maybe in the past for some other reason, that may be why you feel it's "not available for download". And note that there is a "Restore Default URL" button next to the field, which would reset it to the above value.

3) And FWIW, that URL redirects to:

https://cfdownload.adobe.com/pub/adobe/coldfusion/xml/updates.xml

And that offers a link to the actual update 3 jar:

https://cfdownload.adobe.com/pub/adobe/coldfusion/2021/updates/hotfix-003-329779.jar

If you may be able to go to a browser on the server (or do a commandline wget or curl), is THAT able to reach either of those URLs? 

4) And it's that last jar which the admin update UI executes when you apply an update, and until the technote for update 1, the process of manually implementing the JAR also offered a link to that jar, and told us to run the java -jar command against that.

Since update 2, the technotes (such as that for update 3) discusses how instead one can download a zip, which includes all 3 hotfix jars, and ALL the packages/modules which can be implemented by the update mechanism or cfpm--indeed all the different versions of those packages, so the zip is sizable and will get larger each release).

So anyway, with that background out of the way, can you confirm if you still somehow see that "update 3 is not available anymore"? And if you still feel that's so, can you elaborate on what you're seeing, compared to what I share above?

Installation Instructions are not good as these should be, there is not any proper pattern for installation. Many users are facing installation issues.

I hear your concerns but I don't think it's quite so confusing. Let me see if I can help:

• The point in step 2 is that the "the following jars" are those that DO exist in the api manager lib folder. You are told to move those (don't just rename them). The zip in the offered download has files to REPLACE each of those.
• The checksum is that of the zip. Adobe offers it for those who like to make sure that any download the are told to get does have a matching checksum. This one does.
• When step 3 says, "copy the jars from the links below", that is indeed clearly a mistake. It should have said "above". I hope Adobe may fix that. But once you understand the above two points, the mistake seems more obvious
• As for step 5, you are letting your eyes fool you. The values are NOT "the same":
  • -Dlog4j.configurationFile=file://{apim_home}/conf/log4j2.xml

  • -Dlog4j.configurationFile=file:///{apim_home}/conf/log4j2.xml

  • How do they differ? the second has 3 slashes. The implication seems to be that the original specification of this file path/protocol indicator was mistaken. As for the reference to 3 slashes in that log4j config property, I will point out that I see that the slashes are used with both Windows and Linux path references in this doc page from the Apache org on such file specifications. And that page is pointed to by association from a reference on the log4j docs on these manual config properties.

Hope that all makes sense now.  I'm just a fellow traveler trying to make sense of what we see in these resources. I have nothing to do with the docs or their creation.

Thanks Charlie! I actually had it all figured out except that single slash difference in step 5 kept throwing me off no matter how many times I looked at it which made me think I was not understanding the steps above.

Can you clarify what CF update you were on BEFORE u13? And are you confirming you also did not change the JVM version that CF uses, nor anything else?

Charlie,

We were on u4 due to slowness of MURA. Updated to 8 and then 13. JVM version was not changed. Changed worker.properties to include the secret.

This is fixed. Tomcat authentication was mistakenly set to true, after it was changed to false, windows authentication started working.

So to be clear, we'll assume you're confirming now that this Tomcaut auth setting change was done by someone there in your org, not something you feel was done by the update? (Recall you had said the app "was working fine before update 13.")

Maybe what you mean is that this Tomcat change had been done BEFORE the CF update, and its restart of CF, such that that Tomcat change (you or someone there made) just had not taken effect UNTIL that CF restart.

The change was done by us after u8 was installed and the secret changes didn't seem to work. We forgot to change it back when it started working.

Nothing yet that I've heard of. My presumption is that we're awaiting update 14 for cf2018 and update 4 for cf2021. I've not heard of any workaround, other than that if you're not using the CF add-on services feature, to just uninstall it. 

This is not at all "the latest update". This is from 27 months ago. There have been two more updates to each of cf2021 and cf2018 since then, the last being in October. If you apply that, or the one between them from May of 2022, you will get all the log4j updates at once.

This post was about the initial response(s) to the log4j vuln.

As for what it's "major points" are, we only have the info offered. If you might mean instead what are the DETAILS (what specific files were changed), we were not given that.

But again, see my first point: yiub should not be stopping at this update from Dec 2021. The updates are cumulative, so go to the May 2022 or Dec 2022 update. See the link above that offers a page for each release and all its updates.