findyourwhe.blogg.se

Adobe coldfusion 11 hotfixes





Piyush, the offer of the download as a zip (rather than a jar) is in the technote for update 3 and 2 (but not 1), as well as the page listing all the cf 2021 updates.


“What really happened to Aaron Swartz?” – (search for faker.js if you don’t get the reference) They would look like heroes instead of being lumped in with the corporations that re-use open source and don’t contribute. It would solve their ColdFusion problem AND it would do the entire Java community a huge service. log4j-adobe-lite? No enhancements needed, just “support” it so if something comes up, people know someone will fix it. Or – there is a huge opportunity here for some talented people at Adobe to pick up log4j 1.x and repackage it without the parts most systems don’t use, and to “officially support” it. (I’m sure there are lots of Java packages that are not officially supported, but this one is on the radar now that it has had those vulnerabilities logged.) Adobe really needs to get log4j 1.x out of ColdFusion before it becomes an untenable issue inside enterprises or before people leave for compatible open source projects that don’t use log4j 1.x.


Removing the vulnerable classes temporarily mollified some of our security team’s concerns but they are quick to point out that log4j 1.x is still an issue as it is “unsupported” software and vulnerabilities may not be assessed or logged against the package. But until then I wanted to offer the above, if it may help you or others to understand just a bit more about this matter which has been coming up in recent days. Traditionally they don’t offer such details or timelines, but desperate times call for desperate measures. And only Adobe can answer that, if indeed they will announce anything (what and when) before the next update. It seems another cf update will be needed to address that, for cf2018 and cf2021. Something in cf is still relying on something in that 1.x jar. Those who have tried to remove the 1.x jars have found that did not work. That’s a separate point, and some would wonder if/when Adobe will be COMPLETELY removing rather than modifying them. Unfortunately, some scanners take a sledgehammer approach and look only at file NAMES rather than assessing whether the jar contains the vulnerable components. And of course, some tools and stakeholders are taking a more exclusionist stance, regarding that no 1.x libraries should remain at all (because they could have OTHER issues that the log4j team will not address, since the version is no longer supported). As such, that addresses the then-known recent urgent vuln in that log4j 1.x jar. It was modified by Adobe to remove the vulnerable classes, such as JMSAppender, jndilookup, and others. Tom, note first that the file was indeed updated per this December CF update, as you noticed. Please update your ColdFusion versions and provide us your valuable feedback. The Docker images will be hosted shortly on Amazon ECR and Docker Hub. Note also that if you had previously applied the mitigation steps in Log4j vulnerability on ColdFusion, we still strongly recommend that you apply this update.


They are not an alternative to applying the update.)


(Again, these steps are only for those who HAVE applied the updates discussed on this page. Update, Dec 21 2021: After applying the updates here, you can also address the known vulnerability in the Log4j 2.16 libraries, fixed with updated Log4j 2.17 jars as discussed and offered in this new Adobe technote. (These steps are only for those who HAVE applied the updates discussed on this page. Update, Jan 11 2022: After applying the updates here, you can also address the known vulnerability in the Log4j 2.17 libraries, fixed with updated Log4j 2.17.1 jars as discussed and offered in this new Adobe technote. These updates address vulnerabilities that are mentioned in CVE-2021-44228 and CVE-2021-45046. After applying the update, all Log4j 2.x-related jars will be upgraded to version 2.16.0.

  • ColdFusion 2018 Performance Monitoring Toolset Update 4.

  • ColdFusion 2021 Performance Monitoring Toolset Update 3.
  • We are pleased to announce that we have released the updates for the following ColdFusion versions:





