ColdFusion (2018 release) Update 13
In ColdFusion, there is no known attack vector that exposes the Log4j exploit.
If you are applying Update 13 without applying Update 8, follow the Post Installation steps mentioned for Update 8.
If you are updating via ColdFusion Administrator:
The minimum update versions are Update 4 or higher for ColdFusion (2018 release), due to a recent change in code signing certificate.
These are mandatory pre-requisites before updating.
The updates below are cumulative and contain all updates from previous ones. If you are skipping updates, you can apply the latest update, not those you are skipping. Further, you must take note of any changes that are implemented in each of the updates you are skipping.
To install previous updates, see ColdFusion (2018 release) Updates.
After applying the update, all log 4j 2.x-related jars will be upgraded to version 2.16.0.
If you had applied the mitigation steps in Log4j vulnerability on ColdFusion, we still strongly recommend that you apply this update.
Windows: <cf_root>/jre/bin/java.exe -jar <jar-file-dir>/hotfix-013-329786.jar
Linux-based platforms: <cf_root>/jre/bin/java -jar <jar-file-dir>/hotfix-013-329786.jar
Ensure that the JRE bundled with ColdFusion is used for executing the downloaded JAR. For standalone ColdFusion, this must be at, <cf_root>/jre/bin.
Install the update from a user account that has permissions to restart ColdFusion services and other configured webservers .
For further details on how to manually update the application, see the help article.
After applying this update, the ColdFusion build number should be 2018,0,13,329786.
Post installation, we recommend rebuilding or reconfiguring your connector.
If you see Error 503 or Error 403 when firing up your websites, see the troubleshooting steps.
To uninstall the update, perform one of the following:
If you can't uninstall the update using the above-mentioned uninstall options, the uninstaller could be corrupted. However, you can manually uninstall the update by doing the following: