Log4j 1.2.15 vulnerabilities in ColdFusion

Adobe ColdFusion uses Log4j for internal logging. One of the instances we use is log4j-1.2.15. Because log4j-1.x is end-of-life (EOL), and because of the number of Log4j vulnerabilities recently exposed in the wake of Log4Shell, we went through all the vulnerabilities reported in log4j-1.x and 2.x to assess the exposure.

We are pleased to report that Adobe ColdFusion was not exposed to any of these vulnerabilities in log4j-1.x. 

Although most of the reported vulnerabilities did not impact log4j-1.x, given the growing concerns over Log4j vulnerabilities we have mitigated the applicable vulnerabilities in log4j-1.2.15, which ColdFusion uses, as part of the recent security updates, listed below:

The table lists the vulnerabilities we analyzed and the severity of each.

Vulnerability

Severity

High

High

Critical

Moderate

Moderate

Moderate

Low

Note: We have already covered the exposure for log4j-2.x instances in the security bulletin that has been issued.