Log4j vulnerability on ColdFusion

Last updated on Dec 24, 2021

Note:

UPDATE (12/17/2021): We've ereleased a patch for the following ColdFusion versions. See the technotes for more details:

Overview

There is a critical security vulnerability (CVE-2021-44228) in the Log4j, which is a popular logging library for Java-based applications. The vulnerability also impacts Adobe ColdFusion.

Adobe is investigating any potential impact and is taking action including updating affected systems to the latest versions of Apache Log4j recommended by the Apache Software Foundation.

ColdFusion plans to release a patch (version(s) 2021, 2018) for this log4j vulnerability to customers on 12/17/2021.

In the meantime, we recommend that ColdFusion users apply the following workarounds/mitigations steps, until this patch is released.

ColdFusion (2021 release)

ColdFusion 2021 ships with Log4j versions 2.13.3 and 1.2. The former is impacted by this vulnerability, while the latter is not.

Stop the server.
Navigate to the directory <cf_root>\<Instance_name>\bin.
Open jvm.config file and add -Dlog4j2.formatMsgNoLookups=true argument in java.args section. Save the file.
If using any third-party libraries that use Log4j2, and hence vulnerable, search for log4j-core in <cf_root> directory. If the Log4j2 version (<= 2.10 and >=2.0-beta9) is found, remove the JndiLookup class from the classpath like below, otherwise skip this step.
1. If the Operating System is Windows , then unzip the log4j-core-2.x.jar file and remove the class from path: org/apache/logging/log4j/core/lookup/JndiLookup.class and zip the log4j-core-2.x.jar. X is the version number you found in the folder.
2. If the Operating System is non-windows, then remove the JndiLookup class from the classpath : "zip -q -d log4j-core-2.x.jar org/apache/logging/log4j/core/lookup/JndiLookup.class". X is the version number you found in the folder.
Restart the instance.
Repeat the procedure for all other instances.

ColdFusion (2018 release)

ColdFusion 2018 ships with log4j 2.13.3 and/or 2.9.0, and log4j 1.2. The former is impacted by this vulnerability, while the latter (that is, v1.2) is not impacted.

Stop the server.
Navigate to the directory <cf_root>\<Instance_name>\bin.
Open jvm.config file and add -Dlog4j2.formatMsgNoLookups=true argument in java.args section. Save the file.
Copy the patched log4j-core-2.9.0.jar file with JNDILookUp class that you have removed. The new file can be downloaded from here. If you find log4j-core-2.9.0.jar, move the file to a temporary location. If not found, skip this step.

The temporary location must be outside ColdFusion's lib directory or classpath, in general. You can place it outside ColdFusion's root directory.
If you are using any third-party libraries that use log4j2, and hence vulnerable, search for log4j-core in <cf_root> directory. If log4j2 version (<= 2.10 and >=2.0-beta9) is found, remove the JndiLookup class from the classpath as mentioned below, otherwise skip this step:
1. If the Operating System is Windows, then unzip the log4j-core-2.x.jar file and remove the class from path : org/apache/logging/log4j/core/lookup/JndiLookup.class and zip the log4j-core-2.x.jar. X is the version number that you found in the folder.
2. If the Operating Systems is non-Windows, then remove the JndiLookup class from the classpath : "zip -q -d log4j-core-2.x.jar org/apache/logging/log4j/core/lookup/JndiLookup.class". X is the version number that you found in the folder.
Restart the instance and delete log4j-core-2.9.0.jar from the temporary location.
Repeat the procedure for all other instances.

ColdFusion (2016 release)

ColdFusion (2016 release) ships with Log4j 1.2, which is not impacted. If the installation has any third-party libraries that use Log4j2, follow the steps listed for third party libraries above for version 2018 or 2021.

Performance Monitoring Toolset 2021

Performance Monitoring Toolset 2021 ships with log4j 2.11.1 and log4j 2.3. Both versions are impacted.

Stop the Performance Monitoring Toolset and datastore services.
Navigate to the directory <PMT_Home>\datastore\config.
Open the file jvm.options, add -Dlog4j2.formatMsgNoLookups=true argument in #log4j2 section. Save the file.
Navigate to the directory <PMT_Home>\lib.
Move the file log4j-core-2.3.jar to a temporary location.
Copy the patched log4j-core-2.3.jar file with JNDILookUp class removed. The file can be downloaded from here.
Restart the Performance Monitoring Toolset and datastore services.

Delete log4j-core-2.3.jar from the temporary location.

Performance Monitoring Toolset 2018

Performance Monitoring Toolset 2018 ships with log4j 2.9.1 and log4j 2.3. Both versions are impacted.

Stop the Performance Monitoring Toolset and datastore services.
Navigate to the directory <PMT_Home>\datastore\lib.
Move the file log4j-core-2.9.1.jar to a temporary location.
Copy the patched log4j-core-2.9.1.jar file with JNDILookUp class removed. The file can be downloaded from here.
Navigate to the directory <PMT_Home>\lib.
Copy the file log4j-core-2.3.jar to a temporary location.
Copy the patched log4j-core-2.3.jar file with JNDILookUp class removed. The file can be downloaded from here.
Restart the Performance Monitoring Toolset and datastore services.

Delete log4j-core-2.3.jar and log4j-core-2.9.1.jar from the temporary location.

API Manager 2021, 2018, and 2016

API Manager 2021, 2018, and 2016 ship with log4j 2.3. This version is impacted.

Stop the API Manager server (<APIM_Home>\bin) and Analytics (<APIM_Home>database\analytics\bin) service.
Navigate to the directory <APIM_Home>\lib.
Move the file log4j-core-2.3.jar to a temporary location.
Copy the patched log4j-core-2.3.jar file with JNDILookUp class removed. The file can be downloaded from here.
Restart the Analytics service and the API Manager server.

You can now delete log4j-core-2.3.jar from the temporary location.

Adobe

Get help faster and easier

New user?