ColdFusion (2021 release) Update 3
In ColdFusion, there is no known attack vector that exposes the Log4j exploit.
If you had applied the mitigation steps in Log4j vulnerability on ColdFusion, we still strongly recommend that you apply this update.
UPDATE: After applying the December updates, you need to upgrade the Log4j 2.x jars to Log4j 2.17 jars. For more information, see this document.
We are aware of scanners flagging cf-logging.jar as vulnerable. After analyzing the vulnerability, we are confident that ColdFusion installation is safe from any possible attack vectors. Nevertheless, we will be removing the vulnerable classes in the upcoming release.
In Package Manager > Packages, click Check for Updates in Core Server.
After it detects an update, click Update. The core package gets updated the the latest update.
All installed packages also get updated.
Restart ColdFusion for the changes to take effect.
If the core server hotfix installation is successful and if there are errors or issues with packages, packages can be installed/updated from the package manager client(cfusion\bin\cfpm.bat|cfpm.sh).
You must have privileges to start or stop ColdFusion service and full access to the ColdFusion root directory.
Ensure that the JRE bundled with ColdFusion is used for executing the downloaded JAR. For standalone ColdFusion, this must be at, <cf_root>/jre/bin.
Install the update from a user account that has permissions to restart ColdFusion services and other configured webservers .
For further details on how to manually update the application, see the help article.
Updating the core package updates all the packages that were downloaded. Also, updating any package updates the core and rest of the packages. If ColdFusion (2021 release) is on Update 1, installing Update 3 via the admin of any instance updates the core for all other instances present.
Similarly, uninstalling the update from the same instance uninstalls the updates from instances that were updated together.
If you've created a mapping of the cf_scripts folder, you must copy the contents of the downloaded zip into CF_SCRIPTS/scrips/ajax folder to download the ajax package.
After applying this update, the ColdFusion build number should be 2021.0.03.329779.
To uninstall the update, perform one of the following:
If you can't uninstall the update using the above-mentioned uninstall options, the uninstaller could be corrupted. However, you can manually uninstall the update by doing the following: