We are pleased to announce that we have released the updates for the following ColdFusion versions:
After applying the update, all Log4j 2.x-related jars will be upgraded to version 2.16.0.
Update Jan 11 2022: To address the vulnerabilities later found in log4j 2.17, those who have applied the most recent update can now implement the log4j 2.17.1 updates, as provided along with instructions here:
Update Dec 21: To address the vulnerabilities later found in log4j 2.16, those who have applied the most recent update can now implement the log4j 2.17 updates, as provided along with instructions here:
If you had applied the mitigation steps in Log4j vulnerability on ColdFusion, we still strongly recommend that you apply this update.
Download these updates from:
Please update your ColdFusion versions and provide us your valuable feedback.
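Since the point of this update (and of the later 2.17 and 2.17.1 jars mentioned above) is that every Log4j 2.x jar under the install ends up at the expected version, a practitioner will want to verify that rather than assume it. The following is an added example, not Adobe's code and not part of the update or its technotes: a small Python script that walks an install root, reads Implementation-Version from each log4j-*.jar manifest (falling back to the version in the filename), and flags anything below a minimum. The install root, the minimum version, and the sample jars it builds for an offline dry run are all assumptions of this example.

```python
"""Inventory log4j-*.jar files under a ColdFusion install root and flag any
below a minimum version. Added example; not Adobe's code or tooling. The
root directory, the minimum version and the sample tree are assumptions."""
import os
import re
import sys
import tempfile
import zipfile

# Matches e.g. log4j-core-2.16.0.jar or log4j-1.2-api-2.17.1.jar and
# captures the trailing dotted version.
LOG4J_NAME_RE = re.compile(r"^log4j-[\w.-]*?(\d+\.\d+\.\d+)\.jar$")
MANIFEST_VERSION_RE = re.compile(r"^Implementation-Version:\s*(\S+)", re.MULTILINE)


def parse_version(text):
    """'2.17.1' -> (2, 17, 1); anything unparsable -> None."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None


def jar_version(path):
    """Version of one jar: manifest first, filename as fallback, else None."""
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = MANIFEST_VERSION_RE.search(manifest)
        if m and parse_version(m.group(1)):
            return parse_version(m.group(1))
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # not a jar, or no manifest: fall through to the filename
    m = LOG4J_NAME_RE.match(os.path.basename(path))
    return parse_version(m.group(1)) if m else None


def find_log4j_jars(root):
    """Yield every log4j-*.jar under root, including bundled package dirs.
    Note: a Log4j 1.x jar (e.g. log4j-1.2.17.jar) is listed too and will
    always show as below the minimum, which is the right alarm."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-") and name.endswith(".jar"):
                yield os.path.join(dirpath, name)


def audit(root, minimum="2.17.1"):
    """Return (ok, outdated): lists of (path, version_label)."""
    min_v = parse_version(minimum)
    if min_v is None:
        raise ValueError(f"bad minimum version: {minimum!r}")
    ok, outdated = [], []
    for path in sorted(find_log4j_jars(root)):
        v = jar_version(path)
        label = ".".join(map(str, v)) if v else "unknown"
        (ok if v and v >= min_v else outdated).append((path, label))
    return ok, outdated


def build_sample_tree():
    """Constructed sample input (assumption): a throwaway cfusion/lib with
    a mix of jars so the audit can be exercised offline."""
    root = tempfile.mkdtemp(prefix="cf-log4j-audit-")
    lib = os.path.join(root, "cfusion", "lib")
    os.makedirs(lib)

    def jar(name, manifest=None):
        with zipfile.ZipFile(os.path.join(lib, name), "w") as zf:
            if manifest is not None:
                zf.writestr("META-INF/MANIFEST.MF", manifest)
            zf.writestr("placeholder.txt", "constructed sample")

    jar("log4j-core-2.17.1.jar", "Manifest-Version: 1.0\nImplementation-Version: 2.17.1\n")
    jar("log4j-api-2.16.0.jar", "Manifest-Version: 1.0\nImplementation-Version: 2.16.0\n")
    jar("log4j-1.2-api-2.17.1.jar")  # no manifest: version comes from the name
    jar("log4j-mystery.jar")         # no version anywhere: reported as unknown
    open(os.path.join(lib, "other.jar"), "w").close()  # ignored, not log4j
    return root


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    minimum = sys.argv[2] if len(sys.argv) > 2 else "2.17.1"
    ok, outdated = audit(root, minimum)
    for path, v in outdated:
        print(f"OUTDATED {v:>8}  {path}")
    for path, v in ok:
        print(f"ok       {v:>8}  {path}")
    sys.exit(1 if outdated else 0)
```

Run it as `python audit.py C:\ColdFusion2021 2.17.1` (path and minimum are yours to choose); a non-zero exit means at least one jar is below the minimum or could not be identified, which is exactly the case you want to catch before declaring the server patched.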
I am on 2021.
I saw in my updates that I had Update 2 and Update 3 available. I assumed I needed to install 2, then 3. The installation of 2 went smoothly; however, I no longer see update 3 in the Available Versions list. I clicked Check for Updates (several times).
Will version 3 show up at some point?
CF updates are cumulative and you can skip update 2. You can install update 3 directly.
Note: 1. Take a backup of the entire CF installation before you apply the update.
2. You may encounter the QoQ error after you apply update 3. You can download the QoQ patch here and copy this jar into the \ColdFusion2021\cfusion\lib\updates folder, then restart CF.
Patch link - Click here
Ravi with Adobe called me yesterday and walked me through a manual update. We first removed Update 2, then he sent me a link for Update 3. Seems it's not available for download anymore.
Anyhow, my site is patched.
Bloodbanker, while it's great that your problem is now solved, you conclude that update 3 seems "not available for download anymore". Update 3 is absolutely available for download. Let me offer some info to help you (or anyone else who may ever experience this).
It sure seems that whatever you're seeing (now and in your previous comments) must be an environment issue for you. (And to be clear, the update was available as soon as I saw your comment, right after you offered it here about an hour ago. It took me time to gather up the info below, but I offer it to help anyone else who may ever see what you do.)
1) First, can you clarify what you mean when you say it's unavailable for download? Do you mean via some URL you're using? Or in the CF Admin? As for the latter, do you mean you've gone to the "Package Manager" button on the left, and its primary "Packages" page, and its "Available Versions" drop-down at the bottom of the "core server" info? You don't see it listing "ColdFusion 2021 Update 3"? And you do have internet access on the machine running CF?
2) If that's where you "don't see it available", can you go to the "Settings" tab (at the top of that "Package Manager"), and tell us what you have for the "site url" value of its "Update site" setting? By default it should be:
Note that if you or anyone had perhaps changed that to another value, maybe in the past for some other reason, that may be why you feel it's "not available for download". And note that there is a "Restore Default URL" button next to the field, which would reset it to the above value.
3) And FWIW, that URL redirects to:
And that offers a link to the actual update 3 jar:
If you may be able to go to a browser on the server (or do a commandline wget or curl), is THAT able to reach either of those URLs?
4) And it's that last jar which the admin update UI executes when you apply an update, and until the technote for update 1, the process of manually implementing the JAR also offered a link to that jar, and told us to run the java -jar command against that.
Since update 2, the technotes (such as that for update 3) discuss how instead one can download a zip, which includes all 3 hotfix jars and ALL the packages/modules which can be implemented by the update mechanism or cfpm (indeed all the different versions of those packages, so the zip is sizable and will get larger each release).
So anyway, with that background out of the way, can you confirm if you still somehow see that "update 3 is not available anymore"? And if you still feel that's so, can you elaborate on what you're seeing, compared to what I share above?
I am trying to follow the instruction on updating the API manager per the following link:
Unfortunately, the instructions are not very good. My specific concerns are:
Step 2 - I can move the files and download the 2.16.0 files but then it lists the 2.3 files with a checksum which makes me wonder why those files are listed since they are not in the zip.
Step 3 - Says "copy the jars from the links below…" but there are no links "below".
Step 5 - It makes no sense to "change" something to the same value it already is.
Overall, I suspect I just need a hotfix jar file that I can install in the API manager folder similar to what was done for the API Performance Monitoring Toolset as described at https://helpx.adobe.com/coldfusion/kb/coldfusion-2018-performance-monitoring-toolset-update-4.html
I hear your concerns but I don't think it's quite so confusing. Let me see if I can help:
Hope that all makes sense now. I'm just a fellow traveler trying to make sense of what we see in these resources. I have nothing to do with the docs or their creation.
Thanks Charlie! I actually had it all figured out except that single slash difference in step 5 kept throwing me off no matter how many times I looked at it which made me think I was not understanding the steps above.
We updated to 13 on 2018 yesterday. Everything is working except for Windows authentication: for applications that have been set up for Windows authentication, cgi.auth_user is not getting populated. Is there any explanation or fix for this?
This was working fine before update 13.
Can you clarify what CF update you were on BEFORE u13? And are you confirming you also did not change the JVM version that CF uses, nor anything else?
We were on u4 due to slowness of MURA. Updated to 8 and then 13. JVM version was not changed. Changed worker.properties to include the secret.
This is fixed. Tomcat authentication was mistakenly set to true; after it was changed to false, Windows authentication started working.
So to be clear, we'll assume you're confirming now that this Tomcat auth setting change was done by someone there in your org, not something you feel was done by the update? (Recall you had said the app "was working fine before update 13.")
Maybe what you mean is that this Tomcat change had been done BEFORE the CF update, and its restart of CF, such that that Tomcat change (you or someone there made) just had not taken effect UNTIL that CF restart.
The change was done by us after u8 was installed and the secret changes didn't seem to work. We forgot to change it back when it started working.
For folks following this post, note that as of Jan 11 (2022) Adobe has come out with a technote offering log4j 2.17.1 jars, addressing a vulnerability in the 2.16 jars that the log4j team had found (and for which Adobe had offered updated jars on Dec 21).
To be clear, these 2.17.1 jars are meant to be added to a CF2021 or 2018 implementation where the update for those (released on Dec 17) had been applied.
Here's the technote with the info on updating to the 2.17.1 jars:
Has anything been done to address the Log4j issue with Add-on Services? May the Log4j 2.17.1 updates be used for Add-on Services? If so, what would the process be to swap the files?
Nothing yet that I've heard of. My presumption is that we're awaiting update 14 for cf2018 and update 4 for cf2021. I've not heard of any workaround, other than that if you're not using the CF add-on services feature, to just uninstall it.