
Log4j 2.16 vulnerability on ColdFusion

Last update:
May 18, 2026
Note:
Apply the steps in this tech note after installing the latest ColdFusion updates, 2018 (Update 13) and 2021 (Update 3), which were released on 17 Dec 2021.

Overview

Two vulnerabilities, CVE-2021-44228 (Log4Shell) and CVE-2021-45046, have been reported in Log4j, which is a popular library. Adobe ColdFusion uses this library.
Adobe released updates for 2018 (Update 13) and 2021 (Update 3) to address these vulnerabilities on 17 Dec, 2021.
A new vulnerability CVE-2021-45105 was reported on 18th Dec 2021, which Apache addressed by releasing a newer version of Log4j (2.17.0). Even though Adobe ColdFusion uses this library, we did not find any exploitable attack vector or mechanism with Adobe ColdFusion.
As a best practice, we recommend that you upgrade the Log4j2 libraries to version 2.17.0.
Note: The zip packages all the updated jars for ColdFusion, Performance Monitoring Toolset, and API Manager.
UPDATE: To upgrade the Log4j 2.x jars to Log4j 2.17 jars, see this document.

ColdFusion (2021 release) and (2018 release)

  1. Apply the latest ColdFusion update.
  2. Stop the ColdFusion instance.
  3. Navigate to the directory <cf_root>\<cf_instance>\lib.
    Remove the following jars:
    • log4j-core-2.16.0.jar
    • log4j-api-2.16.0.jar
    • log4j-to-slf4j-2.16.0.jar
    and replace them with the following jars bundled in this zip file, log4j2.17.0 (Checksum: 3e39223055936f59bf8c0ce3846a5b5a).
    • log4j-core-2.17.0.jar
    • log4j-api-2.17.0.jar
    • log4j-to-slf4j-2.17.0.jar
  4. Restart the ColdFusion instance.
  5. Repeat the procedure for all other ColdFusion instances.

Performance Monitoring Toolset 2021 and 2018

  1. Apply the latest Performance Monitoring Toolset updates.
  2. Stop the Performance Monitoring Toolset and datastore services.
  3. Navigate to the directory <PMT_Home>\lib.
  4. Remove the following jars:
    • log4j-core-2.16.0.jar
    • log4j-api-2.16.0.jar
    and replace them with the following jars bundled in this zip file, log4j2.17.0 (Checksum: 3e39223055936f59bf8c0ce3846a5b5a).
    • log4j-core-2.17.0.jar
    • log4j-api-2.17.0.jar
  5. Navigate to the directory <PMT_Home>\datastore\lib.
  6. Remove the following jars:
    • log4j-core-2.16.0.jar
    • log4j-api-2.16.0.jar
    • log4j-1.2-api-2.16.0.jar
    and replace them with the following jars bundled in this zip file, log4j2.17.0 (Checksum: 3e39223055936f59bf8c0ce3846a5b5a).
    • log4j-core-2.17.0.jar
    • log4j-api-2.17.0.jar
    • log4j-1.2-api-2.17.0.jar
  7. Restart the Performance Monitoring Toolset and datastore services.

API Manager 2021, 2018, and 2016

  1. To apply the latest update, follow the instructions in ColdFusion API Manager updates.
  2. Stop the API Manager server.
  3. Navigate to the directory <APIM_Home>\lib.
  4. Remove the following jars:
    • log4j-core-2.16.0.jar
    • log4j-api-2.16.0.jar
    • log4j-slf4j-2.16.0.jar
    • log4j-jul-2.16.0.jar
    and replace them with the following jars bundled in this zip file, log4j2.17.0 (Checksum: 3e39223055936f59bf8c0ce3846a5b5a).
    • log4j-core-2.17.0.jar
    • log4j-api-2.17.0.jar
    • log4j-slf4j-impl-2.17.0.jar
    • log4j-jul-2.17.0.jar
  5. Restart API Manager.
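
A post-upgrade check for the three procedures above, added here as an example (not Adobe's code): it compares the downloaded zip against the checksum on this page, assumed from its 32-hex-digit length to be MD5, and reports leftover Log4j 2.x jars and missing 2.17.0 jars in a lib directory. The function names and the product labels used as dictionary keys are hypothetical.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Checksum printed on the page; 32 hex digits, ASSUMED here to be an MD5 digest.
ZIP_CHECKSUM = "3e39223055936f59bf8c0ce3846a5b5a"
TARGET = "2.17.0"

# Replacement jars the page lists per lib directory (keys are hypothetical labels).
EXPECTED = {
    "coldfusion": ["log4j-core", "log4j-api", "log4j-to-slf4j"],
    "pmt": ["log4j-core", "log4j-api"],
    "pmt-datastore": ["log4j-core", "log4j-api", "log4j-1.2-api"],
    "apim": ["log4j-core", "log4j-api", "log4j-slf4j-impl", "log4j-jul"],
}
# Splits "log4j-1.2-api-2.16.0.jar" into module "log4j-1.2-api" and version "2.16.0".
JAR_RE = re.compile(r"^(log4j-[a-z0-9.\-]+?)-(\d+\.\d+(?:\.\d+)?)\.jar$")


def zip_matches(zip_path):
    """True if the downloaded zip hashes to the checksum given on the page."""
    return hashlib.md5(Path(zip_path).read_bytes()).hexdigest() == ZIP_CHECKSUM


def audit_lib(lib_dir, product):
    """Return (stale, missing): leftover 2.x jars and absent 2.17.0 jars."""
    found = {}
    for jar in Path(lib_dir).glob("log4j-*.jar"):
        m = JAR_RE.match(jar.name)
        if m:
            found.setdefault(m.group(1), set()).add(m.group(2))
    # Flag by version, not by name, so a module whose name changed is still caught.
    stale = sorted(f"{n}-{v}.jar" for n, vs in found.items()
                   for v in vs if v.startswith("2.") and v != TARGET)
    missing = sorted(f"{n}-{TARGET}.jar" for n in EXPECTED[product]
                     if TARGET not in found.get(n, ()))
    return stale, missing


def demo():
    """Constructed sample: an API Manager lib dir where one old jar was left behind."""
    lib = Path(tempfile.mkdtemp())
    for name in ("log4j-core-2.17.0.jar", "log4j-api-2.17.0.jar",
                 "log4j-slf4j-2.16.0.jar", "log4j-jul-2.17.0.jar"):
        (lib / name).touch()
    return audit_lib(lib, "apim")


if __name__ == "__main__":
    print(demo())
```

Run `audit_lib` against each instance's lib directory before restarting the service; both returned lists should be empty.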
