Apply the latest ColdFusion update.
Apply the steps in this tech note after installing the latest updates, ColdFusion 2018 Update 13 and ColdFusion 2021 Update 3, which were released on 17 Dec 2021.
Two vulnerabilities, CVE-2021-44228 (Log4Shell) and CVE-2021-45046, have been reported in Log4j, a widely used logging library. Adobe ColdFusion uses this library.
Adobe released updates for 2018 (Update 13) and 2021 (Update 3) to address these vulnerabilities on 17 Dec, 2021.
A new vulnerability, CVE-2021-45105, was reported on 18 Dec 2021, which Apache addressed by releasing a newer version of Log4j (2.17.0). Even though Adobe ColdFusion uses this library, we did not find any exploitable attack vector or mechanism with Adobe ColdFusion.
As a best practice, we recommend that you upgrade the Log4j2 libraries to version 2.17.0.
Note: The zip file packages all the updated jars for ColdFusion, Performance Monitoring Toolset, and API Manager.
Navigate to the directory <cf_root>\<cf_instance>\lib.
Remove the following jars:
and replace them with the following jars bundled in this zip file, log4j2.17.0 (Checksum: 3e39223055936f59bf8c0ce3846a5b5a).
Remove the following jars:
and replace them with the following jars bundled in this zip file, log4j2.17.0 (Checksum: 3e39223055936f59bf8c0ce3846a5b5a).
Remove the following jars:
and replace them with the following jars bundled in this zip file, log4j2.17.0 (Checksum: 3e39223055936f59bf8c0ce3846a5b5a).
To apply the latest update, follow the instructions in ColdFusion API Manager updates.
Remove the following jars:
and replace them with the following jars bundled in this zip file, log4j2.17.0 (Checksum: 3e39223055936f59bf8c0ce3846a5b5a).
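The jar replacement above is a manual step, so it helps to have a way to confirm afterwards that no old Log4j 2 jar was left behind and that the zip you copied from was the right one. The following Python script is an added example written for this tech note's readers; it is not Adobe's code. It lists the Log4j 2 jars in a lib directory, flags any whose version is below the recommended 2.17.0, and verifies a downloaded zip against the checksum quoted above. The sample directory listing is constructed, the jar-name pattern is an assumption about the usual log4j-<artifact>-<version>.jar naming, and the checksum is assumed to be MD5 because the tech note does not name the algorithm and the value is 32 hex digits.

```python
import hashlib
import re
import sys
from pathlib import Path

# The tech note lists this checksum for the log4j2.17.0 zip. It does not name the
# algorithm; a 32-hex-digit value is assumed here to be MD5.
EXPECTED_ZIP_CHECKSUM = "3e39223055936f59bf8c0ce3846a5b5a"

# Version the tech note recommends upgrading to.
RECOMMENDED_VERSION = (2, 17, 0)

# Assumed naming pattern for Log4j 2 jars, e.g. log4j-core-2.13.3.jar or
# log4j-1.2-api-2.13.3.jar: group 1 is the artifact, group 2 the version.
LOG4J_JAR_RE = re.compile(r"^log4j-(.+)-(\d+(?:\.\d+)+)\.jar$", re.IGNORECASE)

# Constructed sample of a lib directory listing; not taken from a real install.
SAMPLE_LIB_LISTING = [
    "log4j-api-2.13.3.jar",
    "log4j-core-2.13.3.jar",
    "log4j-1.2-api-2.13.3.jar",
    "log4j-slf4j-impl-2.13.3.jar",
    "commons-io-2.6.jar",
    "log4j-core-2.17.0.jar",
]


def parse_version(text):
    """Turn '2.13.3' into (2, 13, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def classify_jar(name):
    """Describe a Log4j 2 jar by file name, or return None if it is not one."""
    match = LOG4J_JAR_RE.match(name)
    if not match:
        return None
    version = parse_version(match.group(2))
    return {
        "jar": name,
        "artifact": match.group(1),
        "version": version,
        "below_recommended": version < RECOMMENDED_VERSION,
    }


def audit_jar_names(names):
    """Classify every Log4j jar among the given file names, sorted by jar name.
    Old and new copies of the same artifact both appear, which is exactly the
    situation you want to notice after a manual replacement."""
    found = [c for c in (classify_jar(n) for n in names) if c is not None]
    return sorted(found, key=lambda c: c["jar"])


def audit_lib_dir(lib_dir):
    """Audit the jars in <cf_root>/<cf_instance>/lib (or any directory)."""
    return audit_jar_names(p.name for p in Path(lib_dir).iterdir() if p.is_file())


def md5_hex(data):
    """MD5 of an in-memory byte string, as lowercase hex."""
    return hashlib.md5(data).hexdigest()


def zip_checksum_matches(zip_path, expected=EXPECTED_ZIP_CHECKSUM):
    """Compare the downloaded zip against the tech note's checksum before
    copying anything out of it. Reads in chunks so large files are fine."""
    digest = hashlib.md5()
    with open(zip_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest().lower() == expected.lower()


def format_report(entries):
    """Render audit entries as one line per jar with a replace/ok verdict."""
    lines = []
    for e in entries:
        version = ".".join(str(n) for n in e["version"])
        status = "BELOW 2.17.0 - replace" if e["below_recommended"] else "ok"
        lines.append(f"{e['jar']:40} {version:10} {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    # usage: python log4j_audit.py [lib_dir] [downloaded_zip]
    # With no arguments the constructed sample listing is audited instead.
    if len(sys.argv) > 1:
        print(format_report(audit_lib_dir(sys.argv[1])))
    else:
        print(format_report(audit_jar_names(SAMPLE_LIB_LISTING)))
    if len(sys.argv) > 2:
        ok = zip_checksum_matches(sys.argv[2])
        print("zip checksum", "matches" if ok else "DOES NOT MATCH - do not use")
```

Run it once against each lib directory listed in the steps above (ColdFusion, each additional instance, Performance Monitoring Toolset, API Manager); any jar reported as "BELOW 2.17.0" is a copy the manual removal missed, and a checksum mismatch means the zip should be downloaded again rather than used.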