Apply the latest ColdFusion update first.
Apply the steps in this tech-note only after installing the latest updates for ColdFusion 2018 (Update 13) and ColdFusion 2021 (Update 3), which were released on 17 Dec 2021.
Overview
Two vulnerabilities, CVE-2021-44228 (Log4Shell) and CVE-2021-45046, have been reported in Log4j, a popular logging library. Adobe ColdFusion uses this library.
On 17 Dec 2021, Adobe released ColdFusion 2018 Update 13 and ColdFusion 2021 Update 3 to address these vulnerabilities.
A further vulnerability, CVE-2021-45105, was reported on 18 Dec 2021; Apache addressed it by releasing a newer version of Log4j (2.17.0). Although Adobe ColdFusion uses this library, we did not find any exploitable attack vector or mechanism in Adobe ColdFusion.
As a best practice, we recommend that you upgrade the Log4j2 libraries to version 2.17.0.
Note: The zip file packages all the updated jars for ColdFusion, Performance Monitoring Toolset, and API Manager.
ColdFusion (2021 release) and (2018 release)
- Navigate to the directory <cf_root>\<cf_instance>\lib.
- Remove the following jars:
    - log4j-core-2.16.0.jar
    - log4j-api-2.16.0.jar
    - log4j-to-slf4j-2.16.0.jar
  and replace them with the following jars, bundled in the zip file log4j2.17.0 (Checksum: 3e39223055936f59bf8c0ce3846a5b5a):
    - log4j-core-2.17.0.jar
    - log4j-api-2.17.0.jar
    - log4j-to-slf4j-2.17.0.jar
Performance Monitoring Toolset 2021 and 2018
- Remove the following jars:
    - log4j-core-2.16.0.jar
    - log4j-api-2.16.0.jar
  and replace them with the following jars, bundled in the zip file log4j2.17.0 (Checksum: 3e39223055936f59bf8c0ce3846a5b5a):
    - log4j-core-2.17.0.jar
    - log4j-api-2.17.0.jar
- Remove the following jars:
    - log4j-core-2.16.0.jar
    - log4j-api-2.16.0.jar
    - log4j-1.2-api-2.16.0.jar
  and replace them with the following jars, bundled in the zip file log4j2.17.0 (Checksum: 3e39223055936f59bf8c0ce3846a5b5a):
    - log4j-core-2.17.0.jar
    - log4j-api-2.17.0.jar
    - log4j-1.2-api-2.17.0.jar
API Manager 2021, 2018, and 2016
- To apply the latest update, follow the instructions in ColdFusion API Manager updates.
- Remove the following jars:
    - log4j-core-2.16.0.jar
    - log4j-api-2.16.0.jar
    - log4j-slf4j-2.16.0.jar
    - log4j-jul-2.16.0.jar
  and replace them with the following jars, bundled in the zip file log4j2.17.0 (Checksum: 3e39223055936f59bf8c0ce3846a5b5a):
    - log4j-core-2.17.0.jar
    - log4j-api-2.17.0.jar
    - log4j-slf4j-impl-2.17.0.jar
    - log4j-jul-2.17.0.jar
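As an added example (it is not part of Adobe's tech-note), the following POSIX shell script audits one or more lib directories (the <cf_root>/<cf_instance>/lib directory of every ColdFusion instance, plus the Performance Monitoring Toolset and API Manager lib directories) for Log4j 2 jars older than 2.17.0, and verifies the checksum of the downloaded zip before any jar is touched. It assumes a Linux or macOS install, treats the 32-character checksum quoted above as an MD5 digest, and the install paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not Adobe's code: audit lib directories for Log4j 2 jars below
# the version this tech-note asks for, and verify the zip checksum first.
# Assumptions: POSIX sh on Linux/macOS; the 32-hex-character checksum in the note is MD5.

TARGET_VERSION="2.17.0"
ZIP_MD5="3e39223055936f59bf8c0ce3846a5b5a"   # checksum quoted in the tech-note

# version_lt A B: succeed when dotted numeric version A is lower than B.
version_lt() {
  _a="$1"; _b="$2"
  while [ -n "$_a" ] || [ -n "$_b" ]; do
    _ah="${_a%%.*}"; _bh="${_b%%.*}"
    [ -z "$_ah" ] && _ah=0                   # missing component counts as 0
    [ -z "$_bh" ] && _bh=0
    [ "$_ah" -lt "$_bh" ] && return 0
    [ "$_ah" -gt "$_bh" ] && return 1
    case "$_a" in *.*) _a="${_a#*.}" ;; *) _a="" ;; esac
    case "$_b" in *.*) _b="${_b#*.}" ;; *) _b="" ;; esac
  done
  return 1                                   # equal
}

# jar_version NAME: version from a Maven-style jar name,
# e.g. log4j-1.2-api-2.16.0.jar -> 2.16.0
jar_version() {
  _stem="${1%.jar}"
  printf '%s\n' "${_stem##*-}"
}

# audit_log4j_dir DIR...: print the path of every Log4j 2 jar below TARGET_VERSION
# in the given directories. Exit status 1 if any was found, 0 if none.
audit_log4j_dir() {
  _found=0
  for _dir in "$@"; do
    for _jar in "$_dir"/log4j-*.jar; do
      [ -e "$_jar" ] || continue             # glob matched nothing
      _v=$(jar_version "$(basename "$_jar")")
      case "$_v" in
        2.*) if version_lt "$_v" "$TARGET_VERSION"; then
               printf '%s\n' "$_jar"
               _found=1
             fi ;;
      esac                                   # non-2.x names are outside this note's scope
    done
  done
  [ "$_found" -eq 0 ]
}

# verify_zip_md5 FILE [EXPECTED]: compare FILE's MD5 with EXPECTED (default ZIP_MD5).
verify_zip_md5() {
  _expected="${2:-$ZIP_MD5}"
  if command -v md5sum >/dev/null 2>&1; then
    _actual=$(md5sum "$1" | awk '{print $1}')
  else
    _actual=$(md5 -q "$1")                   # macOS
  fi
  [ "$_actual" = "$_expected" ]
}

# Usage (placeholder paths):
#   sh log4j_audit.sh /opt/coldfusion2021/cfusion/lib /opt/coldfusion2021/instance2/lib
if [ "$#" -gt 0 ]; then
  if audit_log4j_dir "$@"; then
    echo "No Log4j 2 jars below $TARGET_VERSION found."
  else
    echo "Outdated Log4j 2 jars listed above: replace them per the tech-note and rerun." >&2
    exit 1
  fi
fi
```

Run it before replacing the jars to get the exact list to swap, and again afterwards to confirm nothing below 2.17.0 remains; the non-zero exit status lets a change-validation script fail if a jar was missed. Call verify_zip_md5 on the downloaded log4j2.17.0 zip before extracting it.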