# cfml-general
g
My client is running CF 2021 and as part of the install an older version of log4j is installed at: C:\ColdFusion2021\cfusion\jetty\lib\ext\log4j-1.2.17.jar Their IT dept. is kicking up since it is an obsolete version. Can it be upgraded?
b
@Graham No, it can't be upgraded. Adobe has "mitigated" the jar by removing some of the class files from it.
Adobe is aware of your plight, it would just seem they don't care much. It's been brought up many times and the response is usually that it will be addressed in the "next update", whenever that is.
Some IT scanners will shut up if you just rename the file to something else. (The name won't affect how it runs.)
cc/ @Mark Takata (Adobe) @priyank_adobe
g
Cool thanks Brad. I will try your suggestion of the rename. Just wondering what this is actually used for? What should I test to see that my rename has not caused any issues?
b
I know it's used for Jetty and possibly a few other bundled libs that require it. There are a lot of Java libs that just never updated their log4j use because the old one "worked".
> What should I test to see that my rename has not caused any issues?
If the server starts or not 🙂 But I know for sure the rename won't cause any issues. The way Java works, the name of jars doesn't matter.
You will most likely need to: stop CF, rename the jar, start CF, since the jar will be locked in Windows.
g
Thank you Brad 🙂
m
Reached out via DM to Graham to see if we can get him sorted. By the way, depending on the scanner, this rename trick has been shown to fail scans (I've now seen it fail 3 times, 2 government, 1 commercial). So it all depends what the IT Dept is using. Adobe is actively working on a generally available remediation solution which solves the issue for all cases, but it isn't quite ready. When we release it, it will be via blog & documentation, & I will be sharing that here, on FB, on the forums and LinkedIn. In the meantime we are dealing case by case.
g
Thanks @Mark Takata (Adobe) I will pass on your responses to the client IT staff.
ā¤ļø 1
m
My pleasure, hope we can get you all sorted.
a
@Mark Takata (Adobe) why aren't y'all fixing it properly?
z
It's really not a trivial task, took us a long time to fix for Lucee too.
m
Thank you Zack. Yes, this has been a beast, and the scope was really huge.
a
Yeah but @zackster y'all did fix it. And adopted a palpable sense of urgency about it. Adobe's position seems to be "here's a bandaid I guess. [shrug]"
z
Being OSGi made it easier with Lucee (and yet still pull-your-hair-out complex) to address all the third-party libs.
I ended up reworking our entire build CI process to ensure everything worked. Gotta love Lucee Light for that.
m
Adam, with all due respect, you have absolutely no idea.
a
> Adobe is aware of your plight, it would just seem they don't care much. It's been brought up many times and the response is usually that it will be addressed in the "next update", whenever that is.
Don't shoot the messenger. I did not fact-check this, but this is pretty representative of the general "sense of urgency" that emanates from the CF team.
(the dev side of it, I mean, Mark)