Log4j 1.2.15 vulnerabilities in ColdFusion

Adobe ColdFusion uses Log4j for internal logging. One of the instances we use is log4j-1.2.15. Because log4j-1.x is end-of-life (EOL), and because of the number of Log4j vulnerabilities recently exposed following Log4Shell, we went through all the vulnerabilities reported in log4j-1.x and 2.x to assess our exposure.

We are pleased to report that Adobe ColdFusion was not exposed to any of these vulnerabilities in log4j-1.x. 

Although most of the reported vulnerabilities did not impact log4j-1.x, given the growing concern over Log4j vulnerabilities we have mitigated the applicable ones in log4j-1.2.15, the version ColdFusion uses, as part of the recent security updates, listed below:

The table lists the vulnerabilities we analyzed and the severity of each.

Vulnerability

Severity

High

High

Critical

Moderate

Moderate

Moderate

Low

Note: We have already covered the exposure for log4j-2.x instances in the security bulletin that has been issued.
