We ran CF update 13 on our 2018 install early last month.
After the update we have 4 related files that have the same timestamp:
log4j-1.2.15.jar
log4j-api-2.16.0.jar
log4j-core-2.16.0.jar
log4j-to-slf4j-2.16.0.jar
The network team has flagged the 'log4j-1.2.15.jar' file in a security scan.
When I try to delete the file, it says coldfusion.exe is using the file.
I am able to delete the file (with CF services stopped), but without it the server throws a 500 error.
The strange thing is that if I rename it, it works.
If I move the renamed file to another folder, the server again throws a 500 error.
I get a stack trace along with the 500 error.
It is a NULL pointer in the Java class loader. Basically, a missing JAR file (a library of classes), which is true since the file is missing.
I do know the CF update did update the file because the timestamp matches the ‘CORE’ and ‘API’ log4j files that were replaced.
An Adobe post regarding a manual update and workaround states that version 1.2 is not an issue with the log4j vulnerability.
My questions are:
1) Is this file safe?
2) Should it have been updated to a later version?
'log4j-2.16.0.jar' instead of 'log4j-1.2.15.jar'?
Thanks,
Kevin