# adobe

rstewart

05/10/2022, 9:00 PM
@Mark Takata (Adobe) @priyank_adobe After applying CF2018 Update 14 to the first of our dev servers, I still have one older Log4j v1.x file in place (`./cfusion/jetty/lib/ext/log4j-1.2.17.jar`). Is this expected? (Even if expected, it is not going to make our cybersecurity team happy at all.)
… or @saghosh?
Box A: CF 2018 update 13:
Box B: CF 2018 update 14:
At least on the surface, it looks like the update did not remove the old versions of the files in that folder. I checked the update log and see the new files being added but no entries related to removal of the old. FWIW, a co-worker with a CF2021 dev system applied update 4 and does not see this on his. It appears to have cleaned up the old files and he sees the entries in the update log related to the cleanup.

bdw429s

05/11/2022, 11:02 PM
@rstewart I've noticed the same issue with 2018, except the jar was in the cfusion/lib folder (possibly due to being based on the WAR).
Not only did 2018 still have Log4j 1.x, but when I manually deleted those jars, CF refused to start, so it does seem to still be using them
```
Error [main] - Unable to initialise Security service: java.lang.NoClassDefFoundError: org/apache/log4j/Logger
Information [main] - Unable to initialise CFStartupServlet:org/apache/log4j/Logger
[ERROR] coldfusion.server.ServiceFactory$ServiceNotAvailableException: The Runtime service is not available.
```
@Mark Takata (Adobe) Is this expected?
cc/ @priyank_adobe

Mark Takata (Adobe)

05/11/2022, 11:56 PM
Escalated this. I'm unsure of what is the deal here.

bdw429s

05/12/2022, 12:06 AM
Cool, thanks.

priyank_adobe

05/12/2022, 7:36 AM
@rstewart Is Jetty installed along with CF, or have you installed it in a different folder and pointed it to CF Admin?
I have verified it on multiple machines and it is getting updated.

rstewart

05/12/2022, 12:40 PM
Jetty is installed alongside CF. I have not installed it anywhere else or moved it.
I am glad to provide copies of the logs from applying the update, if that helps, @priyank_adobe?

priyank_adobe

05/12/2022, 12:43 PM
Can you please send me the logs? DM me and I will share my email with you.

rstewart

05/12/2022, 12:59 PM
@bdw429s Interesting. Mine is also deployed via WAR against Tomcat. Here are all of the Log4j JAR files in the `cfusion/` directory structure on this box. That sounds like it is different than what you are seeing?

priyank_adobe

05/12/2022, 1:00 PM
Mine is not deployed in Tomcat, it is a standalone installation. I will try this and get back to you.

bdw429s

05/12/2022, 1:02 PM
My jars were in cfusion/lib directly
Using the war on commandbox/undertow