Community Manager
June 11, 2024
Question

NOW LIVE! Adobe ColdFusion 2023 and 2021 June 2024 security updates


Update (6/12):

  • Minor edits in the default algorithm section.
  • Added links to Docker images.

Update (6/13):

  • CFFiddle is updated with the updates.
  • Removed extra space in -Dcoldfusion.encryption.useCFMX_COMPATAsDefault=TRUE

Update (6/21):

  • Changed the checksum of the CF 2023 packages. Thank you @Legorol 

We are pleased to announce that we have released security updates to ColdFusion (2023 release) Update 8 and ColdFusion (2021 release) Update 14.

This update includes several security fixes to ensure the safety and security of our systems. These changes address potential vulnerabilities and threats and are part of our ongoing commitment to protecting your data and privacy.

For more information, view the security bulletin, APSB24-41.

Where do I download the updates from

Download the updates from the following locations:

What do these updates contain

Change in default algorithm

  • The default encryption algorithm in ColdFusion changes from CFMX_COMPAT to another algorithm for seven encryption functions.
  • Use the new JVM argument -Dcoldfusion.encryption.useCFMX_COMPATAsDefault=TRUE to revert the change. By default, the value is False.
  • The flag -Dcoldfusion.encryption.useCFMX_COMPATAsDefault will be supported in future security updates for the 2023 and 2021 releases of Adobe ColdFusion.

CFdocument access control issues

We've introduced a new JVM flag: -Dcfdocument.metahttpequivrefresh.localfile=TRUE. This flag allows you to call the URL or location passed in the HTML meta tag. By default, the value is FALSE.

However, in the next major release of ColdFusion, we WILL remove the flag.

Package updates

The following packages have been updated:

  • document
  • htmltopdf
  • presentation
  • pdf
  • print
  • report

Solr upgrade

If you manually upgraded Solr to version 8.11.2 using the instructions in Upgrade SOLR to mitigate security risks in ColdFusion, then after installing Update 8, SOLR will not downgrade to version 7.9.

For more information, view the following tech notes:

Are the Docker images available

The images are available on the Docker hub and ECR.

Please update your ColdFusion versions and provide us with your valuable feedback.


Known Participant
July 29, 2024

Greetings,

After applying update 8 to CF2023, connection to one of my Oracle datasources returns the following error:

Error Executing Database Query. [DataDirect][Oracle JDBC Driver]arraycopy: destination index -1 out of bounds for byte[128].

Looks like the issue is connected to the change of the default encryption value. Adding -Dcoldfusion.encryption.useCFMX_COMPATAsDefault=TRUE to the JVM arguments fixed that issue.

Interesting that I have a few Oracle datasources (different servers) and the error happened only on one of those.

I hope that helps those that experience the same issue.

Regards,

Simon

UC Berkeley

Known Participant
July 29, 2024

Greetings,

It turned out that the error was intermittent and adding the JVM argument didn't resolve that issue. I was too fast to report success.

For now the only info is that we didn't have that issue before update 8 to CF2023. We have a CF2023 environment without update 8 and no issue.

I wonder if anybody experiences a similar issue with CF2023 update 8 or has any suggestions.

Regards,

Simon

UC Berkeley

Charlie Arehart
Community Expert
July 29, 2024

Simon, I'm not aware of anyone else having that issue (though they may, of course). But I'll offer some thoughts/questions:

  • Is it really that the failure is only when you USE the DSN? Or also when you might try to VERIFY it within the cf admin? That could be a helpful diagnostic point.
  • If you know the cf dsn password and enter it, does it work then? I realize you won't want to do that as a workaround if you have many, or if you don't KNOW the passwords. But if they are few and you DO, it could at least get you back to operational. Let us know if you try.

If you can't or won't do that, or want to press on for the sake of others, tell us also:

  1. What Java version cf reports using in the cf admin (settings summary page; please don't trust your recollection or expectation, nor report only the Java home value indicated on the cf admin jvm page).
  2. What oracle version is in use for the failing dsns?
  3. If any "work", what is their version?
  4. Finally, if some dsns work and some don't, that would be important to hear and for us to try to understand.

Or maybe someone else will have a different suggestion for you.

/Charlie (troubleshooter, carehart. org)
Charlie Arehart
Community Expert
July 17, 2024

Saurav, sadly the technote for cf2023 update 8, as well as that for cf2021 update 14, still has the mistake (which your post here had originally) of the space before "=" in the jvm arg, which causes cf to fail:

-Dcoldfusion.encryption.useCFMX_COMPATAsDefault =TRUE

Can you please get that corrected? 

/Charlie (troubleshooter, carehart. org)
Charlie Arehart
Community Expert
July 29, 2024

Saurav, this problem remains. 

/Charlie (troubleshooter, carehart. org)
Inspiring
July 7, 2024

I updated to ColdFusion (2021 release) Update 14 from Update 13 and now most, but not all, of my Scheduled Tasks are missing. Plus, when I check the Scheduler log to see what has actually run, besides confirming that most of my tasks haven't run, I see that the daily default task to check for new CF updates hasn't run.

When I check the update log to see what files were modified, it doesn't report modifying neo-cron.xml. However, the neo-cron.xml file, and the backup, are showing a modified datestamp the same as the date I did the update.

This is the Standard Edition running on Windows Server 2019.

Charlie Arehart
Community Expert
July 7, 2024

While I've not seen or heard of that problem in any of the many (dozens) of updates from cf2021 u13 to 14 I've been a party to, I'll offer this.

First, the date modified of that neo-cron.xml (and the creation of a .bak file for it) does happen far more often than most would expect. So I'm not sure I'd put much stock in that having been modified at the time of the update. (And sadly only one bak is created. Both of those are issues for which I've created bug reports/feature requests in the past.)

Second, if the update did truly change the file, it should be reflected in a copy of it being kept in the backups/lib folder under the folder created for your update 14 in the cfusion/hf-updates folder. Do you see one? If so, you could copy that back in place in the cfusion/lib folder (I'd make a copy of the current one first, not relying on the .bak, which is overwritten on any change that CF causes).

If you have no such file in the update's backups folder, then you'll need to recover a good working file from any other backups you take on the server.

Let's hear what you or others may say on this.

/Charlie (troubleshooter, carehart. org)
Inspiring
July 7, 2024

Thank you for such a quick reply. There was no neo-cron.xml in the update backup folder. I was only missing about 15 tasks, so for me the easiest thing to do in this case was just recreate them. However, I am concerned that it's no longer checking for CF updates. I'd love to be able to recreate or restore that task.

Participating Frequently
June 19, 2024

The US version of the ColdFusion 2023 updates page (https://helpx.adobe.com/coldfusion/kb/coldfusion-2023-updates.html) shows an incorrect MD5 checksum for the hotfix file on this line:

  File: ColdFusion (2023 release) Update 8 (MD5: b83e37a682f02ad9ba8e4cfddb32b13)

Note how the MD5 has 31 characters instead of 32.

However, the UK version of the same page (https://helpx.adobe.com/uk/coldfusion/kb/coldfusion-2023-updates.html) shows the correct checksum:

  File: ColdFusion (2023 release) Update 8 (MD5: eb83e37a682f02ad9ba8e4cfddb32b13)

Note the "e" at the beginning of the checksum.

Could you please correct the US page?

Participating Frequently
June 19, 2024

The editor included the closing bracket in the US link. The correct US link is:

https://helpx.adobe.com/coldfusion/kb/coldfusion-2023-updates.html

Participating Frequently
June 19, 2024

Actually things are even worse. The two pages have different MD5 checksums for the package repository.

US: Hotfix and packages repository: Link (MD5: 0a643cc62929976f6cc880ed2c3ccbf5)
UK: Hotfix and packages repository: Link (MD5: 0fd13166f31a19d3fda5f4302855794c)

and both links are the same:

https://cfdownload.adobe.com/pub/adobe/coldfusion/2023/packages/hotfix-packages-cf2023-008-330668.zip

 

Can you please fix the MD5 checksums on these pages, and can you please take more care about these matters in general? This is not the first time that the posted MD5s are wrong. As these MD5s are meant to be the way to verify the integrity of the downloads, it is quite disconcerting that the wrong values are getting posted.
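To catch the kind of checksum problem described in this post before an install, here is an added example (not Adobe's tooling) that validates a published MD5 value for form, hashes a download in chunks and compares the two. The download bytes are constructed; the two published values are the ones quoted above.

```python
import hashlib
import io
import re

# Checksums as posted for the CF2023 Update 8 hotfix on the US and UK pages
# (quoted from the thread). The US value is only 31 characters long.
PUBLISHED = {
    "us": "b83e37a682f02ad9ba8e4cfddb32b13",
    "uk": "eb83e37a682f02ad9ba8e4cfddb32b13",
}

MD5_HEX = re.compile(r"^[0-9a-fA-F]{32}$")

def is_valid_md5(text):
    """A published MD5 must be exactly 32 hex digits; anything else can never match."""
    return bool(MD5_HEX.match(text.strip()))

def md5_of_stream(stream, chunk_size=1 << 20):
    """Hash a binary stream in chunks so a large hotfix archive need not fit in memory."""
    digest = hashlib.md5()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()

def md5_of_bytes(data):
    return md5_of_stream(io.BytesIO(data))

def md5_of_file(path):
    with open(path, "rb") as fh:
        return md5_of_stream(fh)

def verify(actual_hex, published_hex):
    """Return (ok, reason). A malformed published value is reported as such
    rather than being silently treated as a mismatch of the download."""
    published = published_hex.strip()
    if not is_valid_md5(published):
        return False, f"published checksum is malformed ({len(published)} chars, expected 32)"
    if actual_hex.lower() != published.lower():
        return False, "checksum mismatch: do not install the package"
    return True, "checksum matches"

if __name__ == "__main__":
    # Constructed stand-in for a downloaded hotfix archive; not the real file.
    download = b"constructed sample bytes standing in for hotfix-packages-cf2023-008-330668.zip"
    actual = md5_of_bytes(download)
    for page, published in PUBLISHED.items():
        print(page, verify(actual, published))
```

Because the published value and the download sit on the same site, a match rules out a corrupted or wrong download, not a compromised source. MD5 is also not collision resistant, so treat this as a transfer-integrity check rather than a signature.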

Participating Frequently
June 19, 2024

Running on Windows 2019 with CF2021 Update 13, running Java 11.0.22.
Install from CF admin reports failure.
Manual install:
<jdk>\bin\java.exe -Djdk.util.zip.disableZip64ExtraFieldValidation=true -jar E:\ColdFusion\bundles\updateinstallers\hotfix-014-330296.jar
Install fails with:
Error: Could not find or load main class .util.zip.disableZip64ExtraFieldValidation=true
Caused by: java.lang.ClassNotFoundException: /util/zip/disableZip64ExtraFieldValidation=true

Adobe Employee
June 19, 2024

@default8vn6shtsmayn Does your setup have lockdown installed? Also, can you please check and send the update installation logs for any errors?

Location : <cfhome>/hf-updates\hf-2021-00014-330296

Participating Frequently
June 21, 2024

Yes, we tried to hew to the CF2021 Hardening Guide as closely as we could.
Log file is below.

charlesm83589680
Participant
June 13, 2024

Not sure if others are seeing this. In my dev environment, after the update, setting -Dcoldfusion.encryption.useCFMX_COMPATAsDefault =TRUE causes the CF instance to fail to load.

coldfusion-out.log:

Jun 13, 2024 10:48:45 AM Information [main] - ColdFusion: application services are now available
Jun 13, 2024 10:48:46 WARN [main] - Unable to determine dialect of the StAX implementation at jar:file:/C:/ColdFusion2021/BoxesDev/lib/bundleaxis/wstx-asl-3.2.9.jar!/
Jun 13, 2024 10:48:46 AM Warning [main] - Unable to determine dialect of the StAX implementation at jar:file:/C:/ColdFusion2021/BoxesDev/lib/bundleaxis/wstx-asl-3.2.9.jar!/
Jun 13, 2024 10:54:46 AM Information [Thread-24] - Monitoring Service stopped.
Jun 13, 2024 10:54:46 AM Information [FelixStartLevel] - Monitoring Service stopped.
Jun 13, 2024 10:54:46 AM Information [Thread-24] - ColdFusion stopped

Server log:

Jun 13, 2024 10:48:45 AM Information [main] - ColdFusion: application services are now available
Jun 13, 2024 10:48:46 WARN [main] - Unable to determine dialect of the StAX implementation at jar:file:/C:/ColdFusion2021/BoxesDev/lib/bundleaxis/wstx-asl-3.2.9.jar!/
Jun 13, 2024 10:48:46 AM Warning [main] - Unable to determine dialect of the StAX implementation at jar:file:/C:/ColdFusion2021/BoxesDev/lib/bundleaxis/wstx-asl-3.2.9.jar!/
Jun 13, 2024 10:54:46 AM Information [Thread-24] - Monitoring Service stopped.
Jun 13, 2024 10:54:46 AM Information [FelixStartLevel] - Monitoring Service stopped.
Jun 13, 2024 10:54:46 AM Information [Thread-24] - ColdFusion stopped


charlesm83589680
Participant
June 13, 2024

Problem solved! The note above has a space in front of the = sign. Taking that out worked.

Charlie Arehart
Community Expert
June 13, 2024

Yep, Charles. Glad you sorted it. I was about to tell you, when I saw you'd responded already.

And everyone (including Adobe): please note that the problem is not only in Saurav's post here but also in both the technotes. Please get that changed, before more people suffer for this. (Someone had informed me earlier about it. I was actually looking for that, as well as confirming it myself, and checking out those technotes, which is why I didn't reply sooner. Whoever that was, let me know again. I'll add a note about this on my blog post as well, and I'd like to give credit.)

/Charlie (troubleshooter, carehart. org)
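Since the stray space before "=" that Charles and Charlie describe above is easy to miss by eye, here is an added example (not Adobe's or ColdFusion's code) that lints the java.args line of a jvm.config for -D options split by whitespace and reports the effective value of the two flags introduced by this update. The jvm.config sample is constructed and assumes the java.args= key used by ColdFusion's jvm.config; the flag names and defaults are those stated in the announcement.

```python
# Constructed sample of a ColdFusion jvm.config (not from a real server). The
# java.args value carries the flag exactly as the technote printed it, with a
# space before "=", which the thread reports makes ColdFusion fail to start.
SAMPLE_JVM_CONFIG = """\
java.home=C:/ColdFusion2021/jre
java.args=-server -Xms256m -Xmx1024m -Dcoldfusion.encryption.useCFMX_COMPATAsDefault =TRUE -Dcfdocument.metahttpequivrefresh.localfile=FALSE
"""

# Flags introduced by the June 2024 updates and their documented defaults.
UPDATE_FLAGS = {
    "coldfusion.encryption.useCFMX_COMPATAsDefault": "FALSE",
    "cfdocument.metahttpequivrefresh.localfile": "FALSE",
}

def java_args(config_text):
    """Return the value of the java.args= line, or '' if there is none."""
    for line in config_text.splitlines():
        if line.startswith("java.args="):
            return line[len("java.args="):].strip()
    return ""

def lint_java_args(args):
    """Parse -D options and return (problems, properties).
    Whitespace next to '=' splits one option into two tokens: the JVM then
    sees a property without a value plus a stray token such as '=TRUE'.
    """
    tokens = args.split()
    problems, props = [], {}
    for i, tok in enumerate(tokens):
        if not tok.startswith("-D"):
            continue  # -server, -Xms..., -Xmx... are not system properties
        key, sep, value = tok[2:].partition("=")
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if not sep and nxt.startswith("="):
            problems.append(f"{key}: space before '=' (found '{tok} {nxt}')")
        elif sep and not value and nxt and not nxt.startswith("-"):
            problems.append(f"{key}: space after '=' (found '{tok} {nxt}')")
        elif not sep:
            problems.append(f"{key}: no '=', the JVM would set it to an empty string")
        else:
            props[key] = value
    return problems, props

def effective_flags(props):
    """Resolve each update flag to its effective value, using the default if unset."""
    return {name: props.get(name, default).upper() for name, default in UPDATE_FLAGS.items()}

if __name__ == "__main__":
    problems, props = lint_java_args(java_args(SAMPLE_JVM_CONFIG))
    for problem in problems:
        print("PROBLEM:", problem)
    for name, value in effective_flags(props).items():
        print(f"{name} = {value}")
```

On the sample the malformed flag is reported and the compatibility setting resolves to its default of FALSE, which is exactly the silent outcome an administrator who meant to set TRUE would want to catch.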
Inspiring
June 12, 2024

I've tried to install this twice now, and cannot load the cf admin page once the process is done. I receive the following exception in the coldfusion-error.log and a 500 error in the web browser. I'm running ColdFusion 2021 on Windows and upgrading from patch 13. I've tried this on both JDK 11.0.10 (old I know, but that is what I am currently running) and 11.0.23 and receive the same error.

Jun 12, 2024 1:29:18 PM org.apache.catalina.core.ApplicationContext log
INFO: failed to load: coldfusion.CfmServlet
Jun 12, 2024 1:29:18 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Allocate exception for servlet [CfmServlet]
java.lang.NullPointerException
	at coldfusion.CfmServlet.init(CfmServlet.java:99)
	at coldfusion.bootstrap.ClassloaderHelper.initServletClass(ClassloaderHelper.java:137)
	at coldfusion.bootstrap.BootstrapServlet.init(BootstrapServlet.java:111)
	at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1106)
	at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1063)
	at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:747)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:116)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:355)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:928)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1794)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.base/java.lang.Thread.run(Thread.java:834)

Adobe Employee
June 13, 2024

@MarkAtCU Can you please check the update installation logs for any errors? 

Location : <cfhome>/hf-updates\hf-2021-00014-330296

Inspiring
June 13, 2024

@hannah18 Yes, there were errors (more details below):

336 Successes
1 Warnings
2 NonFatalErrors
4 FatalErrors

However, I just discovered that JVM 11.0.23 throws additional errors with my site even before the update. And, I discovered that in my haste yesterday, I never did actually update using the JVM 11.0.10. I reverted everything back to start fresh (on my test server) and was able to successfully install Update 14 on JVM 11.0.10.

The errors seem to center around the hotfix temp files. I had all the processes stopped, but received 4 of these errors:

Failed to copy hotfix files:[path]\392038.tmp\dist\updates: Failed to copy the hotfix files to the target location. Retry installation after ensuring that the server is not running or files are not locked by the server.

Failed to copy hotfix files:[path]\392038.tmp\dist\updates
Status: FATAL ERROR
Additional Notes: FATAL ERROR - Failed to copy the hotfix files to the target location:[path]\cfusion\lib\updates
FATAL ERROR - [path]\392038.tmp\dist\updates (The system cannot find the file specified)


Participating Frequently
June 12, 2024

FYI, this might just be me, but after applying the update, the Jetty/lib/ext folder was removed, causing Solr to not load. I restored the folder and any .jar files, restarted the service, and Solr is working again.

Participating Frequently
June 12, 2024

Running ColdFusion 2021 on Windows

Legend
June 12, 2024

Is there a way to set that CFMX_COMPAT flag as an application variable?  I know this has been possible in the past with other Java flags.

I ask because we have a potential issue we need to look at but don't want to apply the flag server-wide while the team looks into the issue.

Adobe Employee
June 12, 2024

@sdsinc_pmascari
We don't have any way to enable this behaviour at application level.


Inspiring
June 11, 2024

Hi Saurav,

Could you give some clarification on the second bullet point under 'Change in default algorithm'?

  • Use the new JVM argument -Dcoldfusion.encryption.useCFMX_COMPATAsDefault=TRUE to make the change. By default, the value is False, if you need to use CFMX_COMPAT.

The setting name 'useCFMX_COMPATAsDefault' suggests that setting it to TRUE maintains current behaviour, whereas setting it to FALSE allows the new changes to take effect. Please could you confirm the behaviour for each value?

Best regards,

Mike.

Adobe Employee
June 12, 2024

@TheRealMC
The default encryption algorithm is no longer CFMX_COMPAT.
If you want to use CFMX_COMPAT as the default encryption algorithm, use -Dcoldfusion.encryption.useCFMX_COMPATAsDefault=TRUE.



Inspiring
June 12, 2024

Many thanks for the confirmation.