Stop the server.
UPDATE (12/17/2021): We've released a patch for the following ColdFusion versions. See the technotes for more details:
Overview
There is a critical security vulnerability (CVE-2021-44228) in Log4j, a popular logging library for Java-based applications. The vulnerability also affects Adobe ColdFusion.
In the meantime, we recommend that ColdFusion users apply the following workaround/mitigation steps until the patch is released.
Although Adobe ColdFusion uses this library, we have not found any exploitable attack vector or mechanism in Adobe ColdFusion.
ColdFusion (2021 release)
ColdFusion 2021 ships with Log4j versions 2.13.3 and 1.2. The former is impacted by this vulnerability, while the latter is not.
- If you are using any third-party libraries that use Log4j2, and are hence vulnerable, search for log4j-core in the <cf_root> directory. If a Log4j2 version in the range >= 2.0-beta9 and <= 2.10 is found, remove the JndiLookup class from the classpath as described below; otherwise skip this step.
  - If the operating system is Windows, unzip the log4j-core-2.x.jar file, delete the class at the path org/apache/logging/log4j/core/lookup/JndiLookup.class, and zip the contents back up as log4j-core-2.x.jar. Here x is the version number you found in the folder.
  - If the operating system is non-Windows, remove the JndiLookup class from the classpath with: "zip -q -d log4j-core-2.x.jar org/apache/logging/log4j/core/lookup/JndiLookup.class". Here x is the version number you found in the folder.
ColdFusion (2018 release)
ColdFusion 2018 ships with Log4j 2.13.3 and/or 2.9.0, and Log4j 1.2. The 2.x versions are impacted by this vulnerability, while v1.2 is not.
- Copy in the patched log4j-core-2.9.0.jar file, which has the JndiLookup class removed; the new file can be downloaded from here. If you find the existing log4j-core-2.9.0.jar, move that file to a temporary location. If it is not found, skip this step.
  The temporary location must be outside ColdFusion's lib directory and, in general, outside its classpath; you can place it outside ColdFusion's root directory.
- If you are using any third-party libraries that use Log4j2, and are hence vulnerable, search for log4j-core in the <cf_root> directory. If a Log4j2 version in the range >= 2.0-beta9 and <= 2.10 is found, remove the JndiLookup class from the classpath as described below; otherwise skip this step:
  - If the operating system is Windows, unzip the log4j-core-2.x.jar file, delete the class at the path org/apache/logging/log4j/core/lookup/JndiLookup.class, and zip the contents back up as log4j-core-2.x.jar. Here x is the version number you found in the folder.
  - If the operating system is non-Windows, remove the JndiLookup class from the classpath with: "zip -q -d log4j-core-2.x.jar org/apache/logging/log4j/core/lookup/JndiLookup.class". Here x is the version number you found in the folder.
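The third-party-library step for the 2021 and 2018 releases is the same procedure: locate every log4j-core jar under <cf_root>, check whether its version falls in the stated range, and delete JndiLookup.class from the jar. The script below is an added example, not Adobe's tooling and not part of this technote. It performs that procedure with Python's zipfile module so the same code serves Windows hosts and non-Windows hosts that lack the zip utility, applies the page's version range (>= 2.0-beta9 and <= 2.10) by default, and copies each untouched jar to a backup directory that, per the page, must be outside ColdFusion's lib directory and classpath. It assumes the server is already stopped. The function names, the constructed sample tree, and the placeholder bytes standing in for a real class file are this example's own; `has_jndi_lookup` also serves to confirm that a downloaded patched jar really lacks the class before you copy it in.

```python
"""Scan a ColdFusion tree for log4j-core jars in the stated range and strip JndiLookup.class.

Added example (not Adobe's code). Assumes the server is stopped and that
cf_root is the ColdFusion install root; the version bounds default to the
page's "<= 2.10 and >= 2.0-beta9".
"""
import os
import re
import shutil
import tempfile
import zipfile

# The class the page's `zip -q -d` step removes.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*(?:-(?:alpha|beta|rc)\d*)?)\.jar$")
VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?$")


def parse_version(ver):
    """'2.0-beta9' -> (2,0,0,0,'beta',9); '2.10' -> (2,10,0,1,'',0). Pre-releases sort first."""
    m = VER_RE.match(ver)
    if not m:
        raise ValueError("unrecognised log4j version: %r" % ver)
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))  # pad so 2.10 compares as 2.10.0
    pre = (0, m.group(2), int(m.group(3) or 0)) if m.group(2) else (1, "", 0)
    return nums + pre


def find_jars_in_range(cf_root, lo="2.0-beta9", hi="2.10"):
    """Return [(path, version)] for every log4j-core jar under cf_root with lo <= version <= hi."""
    lo_t, hi_t = parse_version(lo), parse_version(hi)
    hits = []
    for dirpath, _dirs, files in os.walk(cf_root):
        for name in sorted(files):
            m = JAR_RE.match(name)
            if m and lo_t <= parse_version(m.group(1)) <= hi_t:
                hits.append((os.path.join(dirpath, name), m.group(1)))
    return hits


def has_jndi_lookup(jar_path):
    """True if the jar still contains JndiLookup.class (use this to verify a patched jar too)."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_CLASS in zf.namelist()


def remove_jndi_lookup(jar_path, backup_dir):
    """Rewrite jar_path without JndiLookup.class (portable equivalent of `zip -q -d`).

    The untouched original is copied to backup_dir first; per the page, that
    directory must be outside ColdFusion's lib directory / classpath.
    Returns True if the class was present and removed, False if already absent.
    """
    if not has_jndi_lookup(jar_path):
        return False
    os.makedirs(backup_dir, exist_ok=True)
    shutil.copy2(jar_path, os.path.join(backup_dir, os.path.basename(jar_path)))
    # Build the new archive beside the jar with a .tmp suffix so it is never picked up as a jar.
    fd, tmp_path = tempfile.mkstemp(suffix=".tmp", dir=os.path.dirname(jar_path))
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                # Passing the ZipInfo keeps each entry's compression method and timestamp.
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp_path, jar_path)
    return True


def mitigate(cf_root, backup_dir):
    """Apply the third-party-library step to every in-range jar; returns [(path, version, removed)]."""
    return [(path, ver, remove_jndi_lookup(path, backup_dir))
            for path, ver in find_jars_in_range(cf_root)]


def build_demo_tree(root):
    """Constructed sample tree: an in-range 2.9.0 jar and an out-of-range 2.13.3 jar, each with a dummy entry."""
    lib = os.path.join(root, "cfusion", "lib")
    os.makedirs(lib, exist_ok=True)
    for ver in ("2.9.0", "2.13.3"):
        with zipfile.ZipFile(os.path.join(lib, "log4j-core-%s.jar" % ver), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class file
    return lib


if __name__ == "__main__":
    cf_root = tempfile.mkdtemp(prefix="cf_root-")
    backup = tempfile.mkdtemp(prefix="log4j-backup-")  # separate from cf_root, as the page requires
    lib = build_demo_tree(cf_root)
    for path, ver, removed in mitigate(cf_root, backup):
        print("%s (%s): JndiLookup removed=%s" % (path, ver, removed))
    for ver in ("2.9.0", "2.13.3"):
        jar = os.path.join(lib, "log4j-core-%s.jar" % ver)
        print("%s still has JndiLookup: %s" % (os.path.basename(jar), has_jndi_lookup(jar)))
```

Run it against a real installation with `mitigate("/path/to/cf_root", "/path/outside/cf_root/backup")`; the demo in `__main__` only operates on the constructed temporary tree. Because the default range stops at 2.10, the 2.13.3 jar in the demo is deliberately left untouched, mirroring the page's instruction to skip jars outside that range.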
ColdFusion (2016 release)
ColdFusion (2016 release) ships with Log4j 1.2, which is not impacted. If the installation has any third-party libraries that use Log4j2, follow the third-party-library steps listed above for the 2018 or 2021 release.
Performance Monitoring Toolset 2021
Performance Monitoring Toolset 2021 ships with log4j 2.11.1 and log4j 2.3. Both versions are impacted.
- Copy in the patched log4j-core-2.3.jar file, which has the JndiLookup class removed. The file can be downloaded from here.
Performance Monitoring Toolset 2018
Performance Monitoring Toolset 2018 ships with log4j 2.9.1 and log4j 2.3. Both versions are impacted.
API Manager 2021, 2018, and 2016
API Manager 2021, 2018, and 2016 ship with log4j 2.3. This version is impacted.
- Copy in the patched log4j-core-2.3.jar file, which has the JndiLookup class removed. The file can be downloaded from here.