Adobe ColdFusion uses Log4j for internal logging. One of the instances we use is log4j-1.2.15. Because log4j-1.x has reached end of life (EOL), and because of the number of vulnerabilities recently exposed in Log4j following Log4Shell, we reviewed all the vulnerabilities reported in log4j-1.x and 2.x to assess our exposure.
We are pleased to report that Adobe ColdFusion was not exposed to any of these vulnerabilities in log4j-1.x.
Although most of the vulnerabilities reported did not impact log4j-1.x, due to the growing concerns over Log4j vulnerabilities, we have mitigated the applicable vulnerabilities in log4j-1.2.15, which ColdFusion uses, as part of the recent security updates, listed below:
The table lists the vulnerabilities that we analyzed and the severity of each.
Note: The exposure for log4j-2.x instances has already been covered in the security bulletin that was issued.