# cfml-general
r
I’ve just been asked if this is an issue for ColdFusion/Lucee. Anyone have knowledge or an opinion? /cc @foundeo @carehart https://www.cyborgsecurity.com/threats/emerging-threats/text4shell-vulnerability/
z
Lucee doesn't use that library, only the update provider knows about it https://github.com/search?q=org%3Alucee+commons-text&type=code
b
Check the lib and bundles folders to see if that library/jar is in use
It doesn't ring any bells for me
z
https://www.youtube.com/watch?v=URAqnM1PP5E
c
Does anyone know the library (jar) name it would be commonly implemented using? I've been looking online as the other answers are coming in
b
If you need an "official" answer, e-mail PSIRT@adobe.com
r
Thank you all for your prompt responses as well as the throwback to the 70s (?).
c
Brad, I found that page, but I did not see there the jar name under which it's commonly deployed
b
The jar files on their download page look like
```
commons-text-1.10.0.jar
```
c
ok, thanks. had not seen that
b
The manifest shows
```
Bundle-SymbolicName: org.apache.commons.commons-text
```
c
i can confirm that CF 2021 and 2018 by default have no jar with a name of the pattern `*commons***text*.jar`
b
That's good. There's a tiny chance the class files could have been packaged inside of another jar, but it's slim
r
Thank you all again for jumping on this so quickly (I love this community). I’ve emailed PSIRT@adobe.com for an official comment as suggested. I’ll report back with the response. Now, shamefaced, do we have an opinion about the risks for ColdFusion 8 (8,0,0,176276) and Lucee 5.2.9.31 or have I lost any sympathy from the community? The only mitigating comment I can make is “we’re working on it!” or can I use this vulnerability to get the focus of the powers that be?
> If you need an “official” answer, e-mail PSIRT@adobe.com
Hummm, I got fobbed off with this /cc @Mark Takata (Adobe)
> Please reach out to ColdFusion support team on this topic (support@coldfusionsupport.zendesk.com) as they are in direct touch with ColdFusion engineering team.
c
Brad, I can at least report that there's also no class with that name pattern in any of the jars anywhere in the CF2021 or 2018 folders (by default). But of course, not only can devs add such things on their own (or via some code they implement from others), but of course there's no requirement that the class name or jar name match that pattern. Richard, in the initial resource you shared, it offered a URL to test for the vuln. Had you tried it? And now that you are reporting being on CF8, well, I have been specific on the versions I'd checked. You could now do the same, or let me know if you'd need me to do it. (On Windows, I prefer File Locator Pro, which has an option to search within even zip/jar files.)
c
As for your seeking an opinion on CF8, that's indeed a very scary place to be, if that server is at all open to the public. Even if you apply lockdown steps (there was a lockdown guide for 8) there are still vulns in it that were never fixed once it went out of support (likely about 2013). The bottom line is indeed "get off unsupported CF versions". The latest currently supported by Adobe are 2018 (to July 2023) and 2021 (to Nov 2025). With that, I have to hop off for a client call, so won't reply for a while.
z
being on Lucee 5.2.9.31 is going to be always risky, because if there's a new CVE, only the recent Lucee release(s) will be updated; there are already going to be numerous libraries in that release which haven't been upgraded since and which have existing CVEs
s
if for some reason you can't upgrade to a newer version
looks like the downloads for 8.0.1 might not even be available anymore (from adobe)
z
i think 8 is soooo old, you can't even run it on a safe java version?
s
Glancing through the CVE list I linked earlier and it looks like even 8.0.1 still has most of the major issues
r
Thank you for that scary list @Scott Bennett I thought Halloween had passed! 😱 Of course both @zackster and @carehart are right and moving off of these versions is in our backlog but always gets bounced by some other “more important” feature/fix. Maybe this will be the catalyst for change! As for Java, don’t go there either, ACF is on 1.6.0_01 and Lucee is on 1.8.0_131 but please don’t tell anyone! The response from ColdFusion support, as confirmed by comments above…
> Apache commons-text jar is not used in CF2021 and CF2018. Hence, we are not impacted by this vulnerability.
> If you are using this third-party jar, then it is recommended to upgrade to Apache Commons Text 1.10.0.
s
sounds like you need to convince the people that are deciding what is "important" that upgrading so the system is not vulnerable to attacks that could cause sensitive data exposure, or a full system outage is "important"
perhaps sending them that list will help
I would make sure though that you have completely disabled flash/flex remoting
m
I might add, I believe that the "upgrade sale" from FusionReactor for upgrades from previous versions is still on...
In case that might help?
z
Lucee also has a standing upgrade sale for $0 ;)
m
Don't make me fly over there Zack. 😡 . . . 😂 cuz I might buy you a beer
z
One thing you can always raise is that commercial insurance often has clauses which say if you are using old / unsupported software, you aren't covered
r
I’m relatively new with this client but have also moved up the pecking order so maybe it’s time I asserted myself. Certainly sharing that list with them might scare the bejesus out of them, as it did me! Are you sure that FR offer extends that far back Mark? As always with security…
z
personally i'd just go and update my dev env and see what doesn't work, many people have trodden this upgrade path before and speaking for Lucee, we have addressed a lot of pain points for upgrades from cf8.
r
I know about forgiveness vs permission but this is a fairly big Corp, shameful I know but cfml is a very small part, so there is process.
z
so ask them to let you find out how long the piece of string is, it's going to have to happen at some point right?
r
Indeed, and I think this is going to be the stick to use to get this resolved. Oh, did I mention, we also run BlueDragon? 🙀
s
you should upgrade that to Railo
you sure you aren't running a Spectra app there too?
z
wait, you work on myspace?
r
Okay, okay, folks, give a guy a break 😉 I’m going to get this resolved!
z
good luck
r
Luck shouldn’t enter into it but thank you 🙂
z
just imagine being able to write var statements anywhere inside a function, not just at the start
s
I remember clearly my upgrade from CF8 to CF9... I had heavily used the "cool new cfajax features" in an application and had to do a bunch of custom JS to manipulate things to get them to work the way I wanted. Then in CF9 all those javascript hacks broke.
m
Shhh scott, we don't talk about cfajax stuff around here anymore. Ixnay on the axjaycfay
b
That stuff was the shizz when Ben Forta came and demoed it to the Kansas City CF user group!
s
It seemed like a great idea at the time
z
Isn't that what each person who came up with one of the thousand XML APIs in PHP said too?
r
> It seemed like a great idea at the time
I think I still have that t-shirt 🤔
s
this started as a quick photoshop gag... but now I really want this T shirt
r
I’ll have an XL sent to the UK please!
m
Um, can I buy one? lol
s
<<frantically writing a new shopping cart app for his custom t-shirt idea>>
I hereby release all copyrights to Adobe to manufacture these T-shirts as long as I get a free one (Size L)
since the guy on the shirt is actually an old Adobe image I probably didn't have any copyrights anyway
I actually used to have a T-shirt with that CF party guy on it that I got at a CF conference or something.... but alas my wife threw it away after a few too many holes appeared from overuse.
that was literally my favorite T-shirt for a few years until it sadly disappeared from my closet
@Mark Takata (Adobe), if you can find a box of those hidden in a warehouse at adobe, then I would greatly appreciate a replacement
m
That's epic.
Almost as good as this one
😉
s
Pink doesn't go as well with my complexion... it brings out pale pink in my pasty white programmers skin
m
I also have a grey camo version.
s
I recently had a massive clear out of old T-shirts for donation to "textile recycling" -- probably 100 T-shirts? About half my collection. All my CF T-shirts went out for donation. Including WWBD? (remember that?), the CF Rocks shirt mentioned above, every CFUnited one plus CFUN from 2004(?), "`<cfexecute>` or `<cfabort>` -- there is no `<cftry>`", ...