We are pleased to announce that we have released the updates for the following ColdFusion versions:
- ColdFusion (2021 release) Update 3
- ColdFusion (2018 release) Update 13
- ColdFusion 2021 Performance Monitoring Toolset Update 3
- ColdFusion 2018 Performance Monitoring Toolset Update 4
- ColdFusion API Manager updates
These updates address vulnerabilities that are mentioned in CVE-2021-44228 and CVE-2021-45046. After applying the update, all Log4j 2.x-related jars will be upgraded to version 2.16.0.
Update, Jan 11 2022: After applying the updates here, you can also address the known vulnerability in the Log4j 2.17 libraries, fixed with updated Log4j 2.17.1 jars as discussed and offered in this new Adobe technote. (These steps are only for those who HAVE applied the updates discussed on this page. They are not an alternative to applying the update.)
Update, Dec 21 2021: After applying the updates here, you can also address the known vulnerability in the Log4j 2.16 libraries, fixed with updated Log4j 2.17 jars as discussed and offered in this new Adobe technote. (Again, these steps are only for those who HAVE applied the updates discussed on this page. They are not an alternative to applying the update.)
Note also that if you had previously applied the mitigation steps in Log4j vulnerability on ColdFusion, we still strongly recommend that you apply this update.
Download these updates from:
The Docker images will be hosted shortly on Amazon ECR and Docker Hub.
Please update your ColdFusion versions and provide us your valuable feedback.
For folks following this post, note that as of Jan 11 (2022) Adobe has come out with a technote offering log4j 2.17.1 jars, addressing a vulnerability in the 2.16 jars that the log4j team had found (and for which Adobe had offered updated jars on Dec 21).
To be clear, these 2.17.1 jars are meant to be added to a CF2021 or 2018 implementation where the update for those (released on Dec 17) had been applied.
Here’s the technote with the info on updating to the 2.17.1 jars:
https://helpx.adobe.com/coldfusion/kb/log4j-2-17-0-vulnerability-coldfusion.html
Tom, note first that the file was indeed updated per this December CF update, as you noticed. It was modified by Adobe to remove the vulnerable classes, such as JMSAppender, JndiLookup, and others. As such, that addresses the then-known recent urgent vuln in that log4j 1.x jar.
Unfortunately, some scanners take a sledgehammer approach and look only at file NAMES rather than assessing whether the jar contains the vulnerable components.
And of course, some tools and stakeholders are taking a more exclusionist stance, regarding that no 1.x libraries should remain at all (because they could have OTHER issues that the log4j team will not address, since the version is no longer supported). That’s a separate point, and some would wonder if/when Adobe will be COMPLETELY removing rather than modifying them.
Those who have tried to remove the 1.x jars have found that did not work. Something in cf is still relying on something in that 1.x jar.
It seems another cf update will be needed to address that, for cf2018 and cf2021. And only Adobe can answer that, if indeed they will announce anything (what and when) before the next update. Traditionally they don’t offer such details or timelines, but desperate times call for desperate measures.
Let’s hope they reply on this. But until then I wanted to offer the above, if it may help you or others to understand just a bit more about this matter which has been coming up in recent days.
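Since the thread turns on the difference between what a scanner infers from a jar's file name and what the jar actually contains (and, for the 2.x jars, whether the update really left them at 2.16.0 as the announcement states), here is an added example of a content-based check. It is not code from the page, from Adobe, or from any scanner product. It opens each jar, reads Implementation-Version from the manifest, and looks for the specific class entries named in the thread (JndiLookup for log4j 2.x, JMSAppender for log4j 1.x). The entry paths, the 2.16.0 floor, and the sample jars built by demo() are assumptions made for illustration; the sample jars are constructed in a temporary directory and contain empty class entries only. Point scan_tree() at a real lib directory to use it.

```python
import os
import re
import tempfile
import zipfile

# Jar entry names of the classes the thread says Adobe stripped from its jars.
# A name-based scanner never looks for these; this check does.  (Assumed paths.)
VULNERABLE_CLASSES = {
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": "log4j 2.x JNDI lookup",
    "org/apache/log4j/net/JMSAppender.class": "log4j 1.x JMSAppender",
}
# Log4j 2.x version the announcement says the update installs.
MIN_LOG4J2 = (2, 16, 0)


def parse_version(text):
    """'2.16.0' -> (2, 16, 0); '2.16' -> (2, 16, 0); None when absent."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(x or 0) for x in m.groups()) if m else None


def manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if missing."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            return line.split(":", 1)[1].strip()
    return None


def scan_jar(path):
    """Open one jar and report what is actually inside it, not what its name says."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = parse_version(manifest_version(zf))
    found = sorted(c for c in VULNERABLE_CLASSES if c in names)
    is_log4j2 = any(n.startswith("org/apache/logging/log4j/") for n in names)
    is_log4j1 = any(n.startswith("org/apache/log4j/") for n in names)
    # Only 2.x jars are held to the 2.16.0 floor.  A 2.x jar with no readable
    # version is reported as outdated so a stripped manifest cannot hide an old jar.
    outdated = is_log4j2 and (version is None or version < MIN_LOG4J2)
    return {
        "jar": os.path.basename(path),
        "version": version,
        "log4j1": is_log4j1,
        "vulnerable_classes": found,
        "outdated": outdated,
        "needs_attention": bool(found) or outdated,
    }


def scan_tree(root):
    """Scan every *.jar under root; returns {jar file name: report}."""
    reports = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(".jar"):
                r = scan_jar(os.path.join(dirpath, f))
                reports[r["jar"]] = r
    return reports


def make_jar(path, version, entries):
    """Write a constructed jar with a manifest and empty class entries (test data)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
        for e in entries:
            zf.writestr(e, b"")


def demo():
    """Build a constructed lib/ tree mirroring the cases in the thread, then scan it."""
    root = tempfile.mkdtemp(prefix="cf-log4j-")
    core = "org/apache/logging/log4j/core/"
    # pre-update 2.x jar still carrying JndiLookup
    make_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1",
             [core + "Logger.class", core + "lookup/JndiLookup.class"])
    # post-update 2.x jar
    make_jar(os.path.join(root, "log4j-core-2.16.0.jar"), "2.16.0",
             [core + "Logger.class"])
    # 1.x jar as the thread describes Adobe's: name unchanged, JMSAppender removed
    make_jar(os.path.join(root, "log4j-1.2-stripped.jar"), "1.2.17",
             ["org/apache/log4j/Logger.class"])
    # 1.x jar that still contains JMSAppender: same kind of name, different content
    make_jar(os.path.join(root, "log4j-1.2-intact.jar"), "1.2.17",
             ["org/apache/log4j/Logger.class", "org/apache/log4j/net/JMSAppender.class"])
    return scan_tree(root)


if __name__ == "__main__":
    for name, r in sorted(demo().items()):
        flag = "ATTENTION" if r["needs_attention"] else "ok"
        print("%-26s %-12s %-9s %s" % (name, r["version"], flag, ", ".join(r["vulnerable_classes"])))
```

The two 1.x jars come out differently even though a name-only scanner would treat them identically; that is the point Charlie makes above. The check says nothing about whether a given class is reachable at runtime, and it does not settle the separate "no unsupported 1.x at all" policy question raised in the thread.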
Removing the vulnerable classes temporarily mollified some of our security team’s concerns, but they are quick to point out that log4j 1.x is still an issue as it is “unsupported” software and vulnerabilities may not be assessed or logged against the package. (I’m sure there are lots of Java packages that are not officially supported, but this one is on the radar now that it has had those vulnerabilities logged.)
Adobe really needs to get log4j 1.x out of ColdFusion before it becomes an untenable issue inside enterprises or before people leave for compatible open source projects that don’t use log4j 1.x.
Or – there is a huge opportunity here for some talented people at Adobe to pick up log4j 1.x and repackage it without the parts most systems don’t use, and to “officially support” it. log4j-adobe-lite? No enhancements needed, just “support” it so if something comes up, people know someone will fix it. It would solve their ColdFusion problem AND it would do the entire Java community a huge service. They would look like heroes instead of being lumped in with the corporations that re-use open source and don’t contribute.
“What really happened to Aaron Swartz?” – (search for faker.js if you don’t get the reference)
Piyush, the offer of the download as a zip (rather than a jar) is in the technote for update 3 and 2 (but not 1), as well as the page listing all the cf 2021 updates. It is indeed a confusing situation.
The issue started with u2, when you can see the technote switched from showing the simple java -jar approach (for manual updating) to instead offering the zip and discussing unzipping it and updating a json file…all with the seeming goal to then allow running the update via the admin, though that’s never stated. Also, the java -jar command is not shown at all (like it was in the u1 technote and in all for cf2018 and below).
Then another confusion is that it says to run the cfpm if the update is “successful”. I think that should have been “UNsuccessful”. But again it’s not clear if that’s referring to having run the admin approach, the java -jar approach, or both.
Now I think I see where some people are having odd problems, if they follow these steps. They may do BOTH the admin then (“if successful”) ALSO the cfpm, which is NOT appropriate.
None of this is in the 2018 technotes, of course.
I hope these can be corrected asap.
Charlie,
the zip is over 400 MB and bundles the hf3 jar (hotfix-packages-cf2021-003-329779.zip\bundles\updateinstallers\hotfix-003-329779.jar). Moving forward, this would be the form and format for the manual steps in the technote for CF2021.
I can see the java -jar command in the instructions following the download link in the same section.
updater.jar updates the core. Following that step with the one for cfpm must be to update the packages, in case they have update-related changes too.
And that technote has just been posted:
https://helpx.adobe.com/coldfusion/kb/log4j-2-16-vulnerability-coldfusion.html
indicating that it’s ok to copy in the log4j 2.17 jars, and they even offer just what you need.
But note that it indicates that this is if you have applied the updates from Fri, Dec 17. To be clear, this is NOT the way to mitigate the earlier log4j vuln INSTEAD of doing the updates.
Ok, Apache is moving again. There is an update to 2.17.1. I wonder if these manual steps will work with the new jars they just released….https://logging.apache.org/log4j/2.x/security.html
Tom, the 2.17.1 jars were finally provided and discussed in a new technote released today:
https://helpx.adobe.com/coldfusion/kb/log4j-2-17-0-vulnerability-coldfusion.html
Do the web connectors have to be updated after CF2021 update 3?
I had some trouble running the upgrade function in wsconfig as an administrator (Windows 2019 server); it was unable to write out a log file in the wsconfig/1 folder and didn’t update the isapi_redirect.dll file.
Do the CF services need to be turned off to upgrade the connectors? Trying to think of a reason why that would fail.
No, unless you have not applied a previous update that needed the connector to be reconfigured.
The CF service does not need to be turned off to upgrade the connector. The upgrade essentially replaces the isapi dll (or .so file, depending on your OS). The web server needs to be recycled, though, so that it can reload the new dll.
Piyush, this is another point of confusion in the u3 technote. It does indeed say that the connector must be upgraded.
That’s not true if one had been on u2 and had already upgraded the connector then, right?
Also, in previous releases, the update technotes had a table at the bottom to help with this very issue, indicating which updates did call for a connector update. That should be returned in 2021’s update technotes. (That table is also missing from the cf 2018 u13 technote, though is in u1 and earlier.)
so just to be clear, update 3 does not require the connectors to be upgraded – correct?
The instructions in the tech note seem to say that they are required to be upgraded.
Quoting from the tech note “After applying the update, you must upgrade the existing web server connectors.”
I’d already said that (regarding your quote), and asked Adobe for clarification–in support of your first comment. But I can confirm now that, no, there is no change to the connector in u3…unless you had failed to upgrade it, if needed, in update 3.
To be specific, I found the connector dll for u3 and u2 to be binary identical.