Log4j 1.2.15 vulnerabilities in ColdFusion

Last update:

May 18, 2026

Adobe ColdFusion uses Log4j for internal logging functionality. One instance which we use is log4j-1.2.15. Since the current state of log4j-1.x is EOL, and due to the number of vulnerabilities recently exposed in log4j due to Log4Shell, we went through all the vulnerabilities reported in log4j-1.x and 2.x to assess the exposure.

We are pleased to report that Adobe ColdFusion was not exposed to any of these vulnerabilities in log4j-1.x.

Although most of the vulnerabilities reported did not impact log4j-1.x, due to the growing concerns over Log4j vulnerabilities, we have mitigated the applicable vulnerabilities in log4j-1.2.15, which ColdFusion uses, as part of the recent security updates, listed below:

ColdFusion (2021 release) Update 3 released on 12/17/2021
ColdFusion (2018 release) Update 13 released on 12/17/2021

The table lists vulnerabilities and the severity of each that we had analyzed.

Vulnerability	Severity
CVE-2017-5645	High
CVE-2019-17571	High
CVE-2021-44228	Critical
CVE-2021-4104	Moderate
CVE-2021-45105	Moderate
CVE-2021-44832	Moderate
CVE-2020-9488	Low

Note:

We have already covered the exposure for log4j-2.x instances which has been issued in the security bulletin.

Was this page helpful?

We're glad. Tell us how this page helped.

Found the answer to my problem Understood the instructions Liked the feature

Other suggestions

We're sorry. Can you tell us what didn't work for you?

Didn't find the answer to my problem Couldn't understand the instructions Didn't like the feature

Other suggestions

Thank you for your feedback. Your response will help improve this page.

Was this helpful?

We are sorry the content didn't meet your needs.

Share additional feedback to help us improve.

0/255 | Character limit exceeded.

Thank you so much for sharing your feedback!

Log4j 1.2.15 vulnerabilities in ColdFusion

On this page