ColdFusion API Manager updates

ColdFusion API Manager 2021, 2018, and 2016 hotfixes (17 December, 2021) address vulnerabilities that are mentioned in CVE-2021-44228 and CVE-2021-45046.

After applying the update, all log 4j 2.x-related jars will be upgraded to version 2.16.0.

If you had applied the mitigation steps in Log4j vulnerability on ColdFusion, we still strongly recommend that you apply this fix.

Installation

Follow the steps below to replace the jars:

  1. Stop API Manager service.

  2. Move the following jars from <apim_root>/lib to any backup location outside the API Manager home. Download the jars from the location below:
    Checksum: a15eb5f22c5e9347bd25eb0903d35930
    • log4j-api-2.3.jar
    • log4j-core-2.3.jar
    • log4j-jul-2.3.jar
    • log4j-nosql-2.2.jar
    • log4j-slf4j-impl-2.3.jar
  3. Copy the jars from the links below into the directory apim_root/lib.

    Remarque :

    This step is applicable to API Manager core installed on Windows only.

  4. Back up jvm.config in apim_root/bin.

  5. Change:

    -Dlog4j.configurationFile=file://{apim_home}/conf/log4j2.xml

    to 

    -Dlog4j.configurationFile=file:///{apim_home}/conf/log4j2.xml.

  6. Restart API Manager.

Logo Adobe

Accéder à votre compte