ColdFusion (2021 release) Performance Monitoring Toolset Update 3 (release date, 17 December, 2021) addresses vulnerabilities that are mentioned in CVE-2021-44228 and CVE-2021-45046.
After applying the update, all Log4j 2.x-related jars will be upgraded to version 2.16.0.
Even if you have already applied the mitigation steps described in Log4j vulnerability on ColdFusion, we still strongly recommend that you apply this update.
Prerequisites
Note: On 64-bit computers, use 64-bit JRE for 64-bit Performance Monitoring Toolset.
If the Performance Monitoring Toolset server is behind a proxy, specify the proxy settings for the server so that it can receive the update notification and download the updates. Specify the proxy settings using the system properties below in jvm.config, or provide them in the Performance Monitoring Toolset dashboard (Settings > Updates > Settings).
- http.proxyHost
- http.proxyPort
- http.proxyUser
- http.proxyPassword
Installation
Note: On Windows, you must stop the Datastore service before installing the update and follow the manual steps in the next section to apply the update.
On non-Windows platforms, the update can be installed through the PMT dashboard or from the command line.
If you get the error "Error occurred while installing PMT update. Please try again." when installing the update using the Download or Download and Install option, ensure that the folder {pmt_install_home}/hf-updates has write permission.
The backup is located at {pmt_install_home}/hf-updates/hf-2021-00003-329792/backup.
Installing the update manually
- Click the link to download the JAR. The MD5 checksum is: a76ee4fb7d5cbb16baa9037b84a6eb5b
- Execute the following command on the downloaded JAR. You must have privileges to start or stop Performance Monitoring Toolset and Datastore services.
Windows: <pmt_install_home>/jre/bin/java.exe -jar <jar-file-dir>/hotfix-003-329792.jar
Linux-based platforms: <pmt_install_home>/jre/bin/java -jar <jar-file-dir>/hotfix-003-329792.jar
Ensure that the JRE bundled with Performance Monitoring Toolset is used for executing the downloaded JAR.
Install the update from a user account that has permissions to restart Performance Monitoring Toolset and Datastore services.
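The manual installation above asks you to run a downloaded JAR with the bundled JRE and publishes its MD5 checksum. The following is an added shell example, not Adobe's installer script: it checks the downloaded JAR against the published MD5 and only then runs it with the JRE under the PMT install home. The PMT home and JAR paths are placeholders passed in by the caller.

```shell
#!/bin/sh
# Added example, not Adobe's installer script: verify the hotfix JAR's MD5 checksum
# (the value published in the release notes) before running it with the JRE bundled in PMT.
# The PMT install home and JAR paths are placeholders supplied as arguments.

# Expected MD5 for hotfix-003-329792.jar, as published in these release notes
EXPECTED_MD5="a76ee4fb7d5cbb16baa9037b84a6eb5b"

# md5_of FILE: print the lowercase hex MD5 digest of FILE
md5_of() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | awk '{print $1}'
  elif command -v openssl >/dev/null 2>&1; then
    openssl dgst -md5 "$1" | awk '{print $NF}'
  else
    echo "no MD5 tool found (need md5sum or openssl)" >&2
    return 2
  fi
}

# verify_md5 FILE EXPECTED: return 0 only if the digest of FILE equals EXPECTED
verify_md5() {
  actual=$(md5_of "$1") || return 2
  [ "$actual" = "$2" ]
}

# install_pmt_update PMT_INSTALL_HOME JAR_FILE: run the hotfix JAR with the bundled JRE,
# refusing to run it when the checksum does not match or the bundled JRE is absent.
install_pmt_update() {
  pmt_home="$1"
  jar_file="$2"
  java_bin="$pmt_home/jre/bin/java"
  if [ ! -x "$java_bin" ]; then
    echo "bundled JRE not found at $java_bin; use the JRE shipped with PMT" >&2
    return 3
  fi
  if ! verify_md5 "$jar_file" "$EXPECTED_MD5"; then
    echo "MD5 mismatch for $jar_file; refusing to run it" >&2
    return 1
  fi
  "$java_bin" -jar "$jar_file"
}
```

Run it as `install_pmt_update /opt/pmt /tmp/hotfix-003-329792.jar` (placeholder paths) from an account that can restart the PMT and Datastore services. The MD5 check confirms the download matches what the release notes list; it protects against a corrupted or substituted download, not against the listing itself being wrong, so take the expected value from the vendor page rather than from a mirror.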
Datastore installed as add-on
Move the following jars from {pmt-addons-home}/datastore/lib to any backup location outside the PMT home.
- log4j-1.2-api-2.11.1.jar
- log4j-api-2.11.1.jar
- log4j-core-2.11.1.jar
Then download the following jars (checksum: a0047aa8c1eab7e1936ea2d36d1236f3) and copy them to {pmt-addons-home}/datastore/lib.
- log4j-1.2-api-2.16.0.jar
- log4j-api-2.16.0.jar
- log4j-core-2.16.0.jar
Restart the Datastore.
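The jar swap for the Datastore add-on described above, as an added shell example that is not Adobe's own script. It assumes the three 2.16.0 jars have already been downloaded and checksum-verified into a directory you pass in; the add-ons home and backup paths are placeholders. It also adds the check a practitioner wants after the swap: that no 2.11.1 copy is still sitting under the lib folder.

```shell
#!/bin/sh
# Added example, not Adobe's script: replace the Datastore add-on's Log4j 2.11.1 jars
# with the 2.16.0 jars and confirm that no 2.11.1 copies remain under the lib folder.
# Assumes the three 2.16.0 jars are already downloaded (and checksum-verified) in NEW_JAR_DIR;
# the add-ons home and backup paths are placeholders supplied by the caller.

OLD_VERSION="2.11.1"
NEW_VERSION="2.16.0"
LOG4J_ARTIFACTS="log4j-1.2-api log4j-api log4j-core"

# swap_log4j_jars PMT_ADDONS_HOME BACKUP_DIR NEW_JAR_DIR
# Moves the old jars from PMT_ADDONS_HOME/datastore/lib into BACKUP_DIR, then copies the
# new jars in. Refuses to proceed if BACKUP_DIR lies inside the add-ons home (the old jars
# must not stay on a path the Datastore could still load) or if a new jar is missing.
swap_log4j_jars() {
  addons="$1"; backup="$2"; newdir="$3"
  lib="$addons/datastore/lib"
  case "$backup" in
    "$addons"|"$addons"/*) echo "backup dir must be outside $addons" >&2; return 1 ;;
  esac
  for a in $LOG4J_ARTIFACTS; do
    if [ ! -f "$newdir/$a-$NEW_VERSION.jar" ]; then
      echo "missing $newdir/$a-$NEW_VERSION.jar" >&2
      return 1
    fi
  done
  mkdir -p "$backup"
  for a in $LOG4J_ARTIFACTS; do
    old="$lib/$a-$OLD_VERSION.jar"
    if [ -f "$old" ]; then
      mv "$old" "$backup/"
    fi
    cp "$newdir/$a-$NEW_VERSION.jar" "$lib/"
  done
}

# remaining_old_log4j DIR: list any log4j-*-2.11.1.jar still under DIR; return 1 if any is found
remaining_old_log4j() {
  found=$(find "$1" -name "log4j-*-$OLD_VERSION.jar" 2>/dev/null)
  if [ -n "$found" ]; then
    printf '%s\n' "$found"
    return 1
  fi
  return 0
}
```

Typical use is `swap_log4j_jars /opt/pmt-addons /var/backups/pmt-log4j /tmp/log4j-2.16.0` followed by `remaining_old_log4j /opt/pmt-addons/datastore/lib` (placeholder paths) and then the Datastore restart; a non-zero result from the second call means an old jar is still on the classpath and the restart should wait.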
Post installation
Note: Windows only.
After installation, change the following entry in the jvm.config file. Replace:
-Dlog4j.configurationFile="file://C:\pmt_home\config\log4j2.xml" with -Dlog4j.configurationFile=file:///C:\pmt_home\config\log4j2.xml
After applying this update, the ColdFusion Performance Monitoring Toolset build number should be 2021,0,03,329792.
Uninstallation
Before uninstalling on Windows, stop the Datastore service.
To uninstall the update, perform one of the following:
- In Performance Monitoring Toolset Dashboard, click Uninstall in Settings > Updates > Installed Updates.
- Run the uninstaller for the update from the command prompt. For example, java -jar {pmt_install_home}/hf-updates/hf-2021-00003-329792/uninstall/uninstaller.jar