We have run the CF update 13 on our 2018 install early last month. After the update we have 4 related files that have the same timestamp; log4j-1.2.15.jar log4j-api-2.16.0.jar log4j-core-2.16.0.jar log4j-to-slf4j-2.16.0.jar The network team has flagged 'log4j-1.2.15.jar' file in a security scan. When I try to delete the file, it says coldfusion.exe is using the file ?? I am able to delete the file (with CF services stopped), but without it the server throws a 500 error. The strange thing is if I rename it it works. If I move the renamed file to another folder, the server again throws a 500 error. I get a stack trace along with the 500 error. It is a NULL pointer in the Java class loader. Basically, a missing JAR file (a library of classes) which is true since the file is missing. I do know the CF update did update the file because the timestamp matches the ‘CORE’ and ‘API’ log4j files that were replaced. Reading an Adobe post regarding a manual update and workaround, states that the version 1.2 is not an issue with the log4j vulnerability. My questions are; 1) Is this file safe ? 2) Should it have been updated to a later version ? 'log4j-2.16.0.jar' instead of 'log4j-1.2.15.jar' ?? Thanks, Kevin

@Kevin D. Wright The file is "safe" in that Adobe's update removed the classes inside of it that were vulnerable. Now, your sysadmins may not buy that answer, but that's up to them

Thanks Brad!!