# cfml-general

Kevin D. Wright

02/04/2022, 7:00 PM
We ran CF update 13 on our 2018 install early last month. After the update we have 4 related files that have the same timestamp:
- log4j-1.2.15.jar
- log4j-api-2.16.0.jar
- log4j-core-2.16.0.jar
- log4j-to-slf4j-2.16.0.jar

The network team has flagged the 'log4j-1.2.15.jar' file in a security scan. When I try to delete the file, it says coldfusion.exe is using the file. I am able to delete the file (with CF services stopped), but without it the server throws a 500 error. The strange thing is that if I rename it, it works. If I move the renamed file to another folder, the server again throws a 500 error. I get a stack trace along with the 500 error. It is a null pointer in the Java class loader, basically a missing JAR file (a library of classes), which is true since the file is missing. I do know the CF update did update the file, because the timestamp matches the 'CORE' and 'API' log4j files that were replaced. An Adobe post regarding a manual update and workaround states that version 1.2 is not an issue with the log4j vulnerability.

My questions are:
1) Is this file safe?
2) Should it have been updated to a later version, 'log4j-2.16.0.jar' instead of 'log4j-1.2.15.jar'?

Thanks, Kevin

bdw429s

02/04/2022, 7:23 PM
@Kevin D. Wright The file is "safe" in that Adobe's update removed the classes inside of it that were vulnerable. Now, your sysadmins may not buy that answer, but that's up to them.
You can't simply remove the file or you'll crash CF, as you've found.
But you CAN:
• stop CF
• rename it to remove the version number
• start CF
and that may trick your server scanner tools from seeing it.
Java doesn't care what jars are named so long as they're in the right folder.
Your scanner software is likely looking for specific filename patterns on disk.
And to answer your second question: no, you can't simply update a Log4j 1.x jar to a 2.x version. It's not binary compatible and will cause errors.
Adobe has also said here in Slack that the next updaters should have Log4j 1.x completely removed.
👍 1

Kevin D. Wright

02/04/2022, 7:59 PM
Thanks Brad!!
Missed Into the Box in person this past year. Maybe this year! Thanks again!
👍 1