Community Manager
July 11, 2023
Question

LIVE! ColdFusion 2023, 2021, and 2018 July 2023 Security Updates

  • July 11, 2023
  • 7 replies
  • 2461 views

We are pleased to announce that we have released the updates for the following ColdFusion versions:

In these updates, we’ve fixed a few security bugs mentioned in the security bulletin, APSB23-40.

We’ve also refreshed ColdFusion lockdown installers. You can find the refreshed installers on the ColdFusion downloads page.

For more information, see the tech notes below:

The Docker images will be hosted shortly on Docker Hub.

Please update your ColdFusion versions and provide us your valuable feedback.

    This topic has been closed for replies.

    7 replies

    Participating Frequently
    July 14, 2023

    As of Friday, July 14, 4:08 pm ET: for folks who were following this discussion, another hotfix was just released by Adobe. I came to know as I finished patching a server, and sure enough there was another hotfix waiting in line. 🙂

     

    ColdFusion (2018 release) Update 18 https://helpx.adobe.com/coldfusion/kb/coldfusion-2018-update-18.html

     

    The https://helpx.adobe.com/security/products/coldfusion/apsb23-41.html link is broken as of right now. I am guessing they are actively working on it.

     

    Thanks,

     

    Participant
    July 14, 2023

    Security Update 2 page has broken link for the security bulletin here:
    https://helpx.adobe.com/coldfusion/kb/coldfusion-2023-update-2.html

    Can't see the details of the update.

    Participant
    July 13, 2023

    Only the jar file is still available. The hotfix file is still missing. An MD5 hash is given, so there should be a file.

    Participating Frequently
    July 12, 2023

    As of July 12, 2023 1:34 pm ET, here are some questions for the Adobe team:

     

    1. What version of Java do you recommend for CF 2018 from the list below that is available for download here https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#downloads3?

     

    Also, Adobe says there is 1 year extra EOL support for CF 2018 till July 2024. What does that look like? No patches at all or help as needed by customers?

     

    JAVA SE 11.0.19 (LTS)
    JAVA SE 11.0.18 (LTS)
    JAVA SE 11.0.17 (LTS)
    JAVA SE 11.0.16.1 (LTS)
    JAVA SE 11.0.16 (LTS)

     

    2. Is this hotfix applicable to people who used the lockdown installer ONLY or others as well? If someone didn't use the lockdown installer, can you please explain what this hotfix is doing or affecting?

     

    3. Like Charlie mentioned, these announcements can be better worded. I can help the Adobe team, and I am sure Charlie/others can if he is provided some input before these are posted out, which is causing more confusion than helping anyone.

     

    Thanks,

     

    Participating Frequently
    July 14, 2023

    @Saurav_Ghosh, RaviShankar or anyone from Adobe, can you please clarify some of these questions?

    spcooney
    Inspiring
    July 12, 2023

    You've also not explained why this update does not include the "Hotfix and packages repository:" link that has been provided for all of the previous 6 ColdFusion 2021 Hotfixes. At the minimum simply state that it is not necessary instead of leaving it out there to be assumed. Thanks.

    Participant
    July 11, 2023

    In the security bulletin about this, it also says:

     

    Note: Adobe recommends updating your ColdFusion JDK/JRE to the latest version of the LTS releases for JDK 17 where applicable. Applying the ColdFusion update without a corresponding JDK update will NOT secure the server.  See the relevant Tech Notes for more details.

     

    But I can't find any reference to what JRE version we should be upgrading to, and which are supported.

    Is there any documentation I can refer to regarding which JREs are supported?

    RaviShankar Chagnur
    Adobe Employee
    July 11, 2023

    Hello Jason,

     

    For ColdFusion 2021/2018 you need to download JRE 11; for ColdFusion 2023 you need to download JRE 17.

    You can download JREs from the link below:

    https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#downloads3

     

    Thanks & Regards

    Ravi

    Charlie Arehart
    Community Expert
    July 11, 2023

    Or folks can just use the JVM that CF is set to run with, of course. It's unfortunate that that security bulletin has that sloppy language. Several people in the community and clients of mine are raising concern about it.

     

    FWIW, I have addressed it as the last point in my blog post on the update, posted earlier today, which may have other info of interest to readers of this post:

    https://www.carehart.org/blog/2023/7/11/coldfusion_p1_security_update_july_2023

     

    And Ravi, there are some other matters I discuss there which could be easily rectified if someone could give them even just a little attention. As always, just trying to help.

    /Charlie (troubleshooter, carehart.org)

    spcooney
    Inspiring
    July 11, 2023

    As of 1:54PM ET 11th July 2023 there is no download link for CF 2021 HF7 "Hotfix and packages repository:".  Currently there is just the .jar file.