ColdFusion (2021 release) Performance Monitoring Toolset Update 3 (release date, 17 December, 2021) addresses the vulnerabilities described in CVE-2021-44228 and CVE-2021-45046.
After applying the update, all Log4j 2.x-related jars are upgraded to version 2.16.0.
If you had applied the mitigation steps in Log4j vulnerability on ColdFusion, we still strongly recommend that you apply this update.
Note: On 64-bit computers, use 64-bit JRE for 64-bit Performance Monitoring Toolset.
If the Performance Monitoring Toolset server is behind a proxy, specify the proxy settings for the server so that it can get the update notification and download the updates. Specify proxy settings using the system properties below in the jvm.config, or provide the proxy settings in the Performance Monitoring Toolset dashboard (Settings > Updates > Settings).
Note: On Windows, you must stop the Datastore service before installing the update and follow the manual steps in the next section to apply the update.
For non-Windows platforms, the update can be installed through the PMT dashboard or the command line.
If you get the following error when installing the update using the Download or Download and Install option, ensure that the folder {pmt_install_home}/hf-updates has write permission: "Error occurred while installing PMT update. Please try again."
The backup is located at {pmt_install_home}/hf-updates/hf-2021-00003-329792/backup.
Windows: <pmt_install_home>/jre/bin/java.exe -jar <jar-file-dir>/hotfix-003-329792.jar
Linux-based platforms: <pmt_install_home>/jre/bin/java -jar <jar-file-dir>/hotfix-003-329792.jar
Ensure that the JRE bundled with Performance Monitoring Toolset is used for executing the downloaded JAR.
Install the update from a user account that has permissions to restart Performance Monitoring Toolset and Datastore services.
Move the following jars from {pmt-addons-home}/datastore/lib to any backup location outside the PMT home.
Then download the jars from the location of the jars, checksum: a0047aa8c1eab7e1936ea2d36d1236f3, and copy the jars to {pmt-addons-home}/datastore/lib.
Restart the Datastore.
Note: Windows only.
After installation, update the jvm.config file with the following change. Change:
-Dlog4j.configurationFile="file://C:\pmt_home\config\log4j2.xml" to -Dlog4j.configurationFile=file:///C:\pmt_home\config\log4j2.xml
After applying this update, the ColdFusion Performance Monitoring Toolset build number should be 2021,0,03,329792.
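To confirm the statement above that all Log4j 2.x-related jars end up at 2.16.0, the following added example (not Adobe's code or tooling) walks an install directory and reports any Log4j 2.x jar whose filename or manifest version differs. It assumes the standard log4j-<artifact>-<version>.jar naming and an Implementation-Version manifest entry where one is present; the script name and the audit_log4j function are hypothetical.

```python
import re
import sys
import zipfile
from pathlib import Path

EXPECTED = "2.16.0"  # version this update is stated to install
# Log4j 2.x artifacts are named log4j-<artifact>-2.x[.y].jar; Log4j 1.x jars do not match.
NAME_RE = re.compile(r"^log4j-[a-z0-9.\-]+?-(2\.\d+(?:\.\d+)?)\.jar$")
MANIFEST_RE = re.compile(r"^Implementation-Version:\s*(\S+)", re.MULTILINE)


def manifest_version(jar_path):
    """Return Implementation-Version from the jar manifest, or None if unavailable."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    match = MANIFEST_RE.search(text)
    return match.group(1) if match else None


def audit_log4j(root, expected=EXPECTED):
    """Return sorted (path, filename_version, manifest_version) for jars not at `expected`."""
    stale = []
    for jar_path in Path(root).rglob("log4j-*.jar"):
        name_match = NAME_RE.match(jar_path.name.lower())
        if not name_match:
            continue  # not a Log4j 2.x artifact name
        by_name = name_match.group(1)
        by_manifest = manifest_version(jar_path)
        # Flag the jar if either version source disagrees with the expected version.
        if by_name != expected or (by_manifest and by_manifest != expected):
            stale.append((str(jar_path), by_name, by_manifest))
    return sorted(stale)


if __name__ == "__main__":
    # Usage: python audit_log4j.py <pmt_install_home>
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    findings = audit_log4j(root)
    for path, by_name, by_manifest in findings:
        print(f"NOT {EXPECTED}: {path} (filename {by_name}, manifest {by_manifest})")
    sys.exit(1 if findings else 0)
```

If the scanned directory includes the hf-updates backup folder, any pre-update jars kept there are reported as well. Run it against the datastore lib directory too, since on Windows those jars are replaced manually.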
Before uninstalling on Windows, stop the Datastore service.
To uninstall the update, perform one of the following: