To be clear, the jetty folder is about the CF add-on service (not monitoring), which is the Solr or pdfg/cfhtmltopdf feature.
There are no documented mitigation steps. One could uninstall the CF add-on service if you're not using it. One could even just yank the log4j jar, if you wanted to just stop the add-on service without installing it.
We can hope that some future update (perhaps coming even this month) will address this more appropriately.
BTW, Ripley, the jetty aspect related to monitoring is yet ANOTHER jetty that CF has had, starting back in CF9, which was about offering a separate port and web server through which to access the enterprise server monitor. It has its own jetty.xml config file in the cfusion/lib folder, which relies on a jetty jar in that folder. That is NOT the cfusion/jetty folder, added starting in CF11 (if one enabled the add-on service at CF install), which is the focus of the log4j concern in this thread. It can get confusing!
Hope that's helpful.