@sandip_halder @Mark Takata (Adobe) Our cybersecurity scanning team is pitching a fit about the old version of Apache Log4j currently still included in ColdFusion 2018. Specifically, they are complaining about the version 1.2.15 present within

cfusion/lib/cf-logging.jar

. Thoughts on how best to respond?

@rstewart Ron, the version might be 1.2.15 but we have mitigated the risks associated with that file. So, even though the file version is same, but, it is not vulnerable anymore

@sandip_halder OK if I DM you RE this?

So let me get this straight. This isn't some wayward Log4J.jar sitting around in some add-on package CF uses (and perhaps not even the logging features thereof), this is in cf-logging.jar - CF's own logger, written specifically for the product - and you still have a jar file in there that's gonna set off everyone's security scanners regarding the most well known exploit in the last n years? And Adobe's position is "its fine. Trust us".

I have submitted 4-5 bug reports on the exact same scan issues. I scanned 2023 last week and it still has Log4J1

@Mark Takata (Adobe) come on man. What's going on here?

I posted my findings from the latest scans of the beta here: https://forums.adobeprerelease.com/fortunabeta/discussion/24/security-scan-results/p1?new=1

(I had just assumed the CF2018 / CF2021 were gonna turn out to be hasty patch jobs with the proper fix in CF2023. But... no... 😞

Not specifics, but the count is still staggering - over 190 CVE’s or GHSA’s ranked “Critical” or “High” packaged in.