Stop the server.
There is a critical security vulnerability (CVE-2021-44228) in Log4j 2, a popular logging library for Java-based applications. The vulnerability also affects Adobe ColdFusion.
In the meantime, we recommend that ColdFusion users apply the following workarounds and mitigation steps until a patch is released.
Even though Adobe ColdFusion uses this library, we did not find an exploitable attack vector or mechanism in Adobe ColdFusion itself.
ColdFusion 2021 ships with Log4j versions 2.13.3 and 1.2. The former is impacted by this vulnerability, while the latter is not.
If the installation uses any third-party libraries that bundle Log4j 2, and are therefore vulnerable, search the <cf_root> directory for log4j-core. If a Log4j 2 version between 2.0-beta9 and 2.10 (inclusive) is found, remove the JndiLookup class from the classpath as shown below; otherwise skip this step.
ColdFusion 2018 ships with Log4j 2.13.3 and/or 2.9.0, and with Log4j 1.2. The 2.x versions are impacted by this vulnerability; v1.2 is not.
If you find log4j-core-2.9.0.jar, move the existing file to a temporary location and copy in the patched log4j-core-2.9.0.jar, which has the JndiLookup class removed. The patched file can be downloaded from here. If the file is not found, skip this step.
The temporary location must be outside ColdFusion's lib directory and, more generally, outside its classpath; otherwise the unpatched jar can still be loaded. A directory outside ColdFusion's root directory is suitable.
If the installation uses any third-party libraries that bundle Log4j 2, and are therefore vulnerable, search the <cf_root> directory for log4j-core. If a Log4j 2 version between 2.0-beta9 and 2.10 (inclusive) is found, remove the JndiLookup class from the classpath as described below; otherwise skip this step:
ColdFusion (2016 release) ships with Log4j 1.2, which is not impacted. If the installation has any third-party libraries that use Log4j 2, follow the steps listed above for third-party libraries in the 2018 and 2021 releases.
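The third-party scan-and-strip step above, as an added worked example (this is not Adobe's code and not a script from the advisory). It walks an assumed <cf_root> tree, reads the Log4j version from the jar file name (an assumption: a renamed jar would need its META-INF/MANIFEST.MF checked instead), removes JndiLookup.class from jars in the 2.0-beta9 to 2.10 range the page names, and first moves the original jar to a quarantine directory that it refuses to place inside <cf_root>, matching the page's note that the copy must sit outside the classpath. The demo() function builds a constructed sample tree whose jars contain placeholder entries rather than real bytecode.

```python
import re
import shutil
import tempfile
import zipfile
from pathlib import Path

# The class reached through JNDI lookups in log4j-core 2.x (CVE-2021-44228).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Matches names such as log4j-core-2.9.0.jar, log4j-core-2.13.3.jar, log4j-core-2.0-beta9.jar
VERSION_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(-[A-Za-z0-9]+)?\.jar$")


def parse_version(jar_name):
    """Return (major, minor, patch, qualifier) parsed from a log4j-core jar file name, or None."""
    m = VERSION_RE.search(jar_name)
    if not m:
        return None
    major, minor, patch, qualifier = m.groups()
    return int(major), int(minor), int(patch or 0), qualifier or ""


def needs_class_removal(version):
    """True for the range the page gives for class removal: 2.0-beta9 up to and including 2.10."""
    major, minor, _patch, qualifier = version
    if major != 2 or minor > 10:
        return False
    if minor == 0 and qualifier.startswith("-alpha"):
        return False
    if minor == 0 and qualifier.startswith("-beta"):
        return int(qualifier[len("-beta"):]) >= 9
    return True


def has_jndi_lookup(jar_path):
    """Check whether JndiLookup.class is still present in the jar (jars are zip files)."""
    with zipfile.ZipFile(jar_path) as z:
        return JNDI_LOOKUP in z.namelist()


def remove_jndi_lookup(jar_path, quarantine_dir):
    """Move the original jar out of the classpath, then rewrite it in place without JndiLookup.class."""
    jar_path = Path(jar_path)
    quarantine_dir = Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    original = quarantine_dir / jar_path.name
    shutil.move(str(jar_path), str(original))
    with zipfile.ZipFile(original) as src, zipfile.ZipFile(jar_path, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                continue  # drop only the lookup class; every other entry is copied unchanged
            dst.writestr(info, src.read(info.filename))
    return original


def scan_and_mitigate(cf_root, quarantine_dir):
    """Walk cf_root for log4j-core jars and apply the class-removal step where it applies."""
    cf_root = Path(cf_root).resolve()
    quarantine_dir = Path(quarantine_dir).resolve()
    # Page caveat: the moved jar must not remain anywhere under ColdFusion's root or classpath.
    if quarantine_dir == cf_root or cf_root in quarantine_dir.parents:
        raise ValueError("quarantine directory must be outside <cf_root>")
    results = []
    for jar in sorted(cf_root.rglob("log4j-core-*.jar")):
        version = parse_version(jar.name)
        if version is None:
            action = "unrecognised-version"
        elif not needs_class_removal(version):
            # Still impacted if it is a 2.x jar; it just needs the guidance for its own version.
            action = "outside-removal-range"
        elif not has_jndi_lookup(jar):
            action = "already-removed"
        else:
            remove_jndi_lookup(jar, quarantine_dir)
            action = "removed"
        results.append((str(jar), action))
    return results


def make_fake_jar(path, include_jndi=True):
    """Constructed stand-in for a log4j-core jar: placeholder entries, not real bytecode."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def demo():
    """Run the scan over a constructed <cf_root> tree (assumed layout, not a real install)."""
    tmp = Path(tempfile.mkdtemp())
    root = tmp / "cf_root"
    make_fake_jar(root / "lib" / "log4j-core-2.9.0.jar")
    make_fake_jar(root / "cfusion" / "lib" / "log4j-core-2.13.3.jar")
    results = scan_and_mitigate(root, tmp / "log4j-quarantine")
    actions = {Path(p).name: action for p, action in results}
    patched_still_has_class = has_jndi_lookup(root / "lib" / "log4j-core-2.9.0.jar")
    quarantined = (tmp / "log4j-quarantine" / "log4j-core-2.9.0.jar").exists()
    return actions, patched_still_has_class, quarantined


if __name__ == "__main__":
    print(demo())
```

Run it only with the server stopped, as the page's first step requires, and point the quarantine directory somewhere outside ColdFusion's root. A jar reported as outside-removal-range is not declared safe: the page lists 2.11.1, 2.13.3 and other 2.x versions as impacted, so those still need the mitigation that applies to them.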
Performance Monitoring Toolset 2021 ships with Log4j 2.11.1 and Log4j 2.3. Both versions are impacted.
Performance Monitoring Toolset 2018 ships with Log4j 2.9.1 and Log4j 2.3. Both versions are impacted.
API Manager 2021, 2018, and 2016 ship with Log4j 2.3. This version is impacted.