Community Manager
June 11, 2024
Question

NOW LIVE! Adobe ColdFusion 2023 and 2021 June 2024 security updates

  • June 11, 2024
  • 11 replies
  • 9833 views

Update (6/12):

  • Minor edits in the default algorithm section.
  • Added links to Docker images.

Update (6/13):

  • CFFiddle is updated with the updates.
  • Removed extra space in -Dcoldfusion.encryption.useCFMX_COMPATAsDefault=TRUE

Update (6/21):

  • Changed the checksum of the CF 2023 packages. Thank you @Legorol

We are pleased to announce that we have released security updates to ColdFusion (2023 release) Update 8 and ColdFusion (2021 release) Update 14.

This update includes several security fixes to ensure the safety and security of our systems. These changes address potential vulnerabilities and threats and are part of our ongoing commitment to protecting your data and privacy.

For more information, view the security bulletin, APSB24-41.

 

Where do I download the updates from?

Download the updates from the following locations:

What do these updates contain?

Change in default algorithm

  • The default encryption algorithm in ColdFusion changes from CFMX_COMPAT to another algorithm for seven encryption functions.
  • Use the new JVM argument -Dcoldfusion.encryption.useCFMX_COMPATAsDefault=TRUE to revert the change. By default, the value is False.
  • The flag -Dcoldfusion.encryption.useCFMX_COMPATAsDefault will be supported in future security updates for the 2023 and 2021 releases of Adobe ColdFusion.

CFdocument access control issues

We've introduced a new JVM flag: -Dcfdocument.metahttpequivrefresh.localfile=TRUE. This flag allows you to call the URL or location passed in the HTML meta tag. By default, the value is FALSE.

However, in the next major release of ColdFusion, we WILL remove the flag.

Package updates

The following packages have been updated:

  • document
  • htmltopdf
  • presentation
  • pdf
  • print
  • report

Solr upgrade

If you manually upgraded Solr to version 8.11.2 using the instructions in Upgrade SOLR to mitigate security risks in ColdFusion, then after installing Update 8, Solr will not downgrade to version 7.9.

For more information, view the following tech notes:

Are the Docker images available?

The images are available on Docker Hub and ECR.

Please update your ColdFusion versions and provide us with your valuable feedback.

This topic has been closed for replies.

11 replies

Charlie Arehart
Community Expert
June 11, 2024

Thanks as always for the heads-up, Saurav. That said, readers here really MUST read the technote linked to above (for either CF2023 or 2021) for more detail, and to more fully understand what will happen on doing this update, including both the jvm config choice AND the more important practical steps to take to migrate any existing encrypted data (that you've encrypted with your CFML code) to use a new algorithm.

I've not had a chance to try this, but can anyone confirm/state explicitly that this has nothing to do with passwords encrypted by the CF Admin, such as its login, or passwords for datasources, scheduled tasks, and the like? I'm inclined to think it does not, or it would have said so. But I'm sure people will ask. (It's perhaps unfortunate that the technotes currently refer to "passwords" as the values people may need to update. I suspect that's written under the presumption that people were encrypting their own user passwords, created with their own code, and thus again NOTHING to do with CF admin passwords.)

BTW, I would normally dig into this before even writing, but I'm in Germany as I speak, having just arrived early today for CFCamp this week. It's late as I see this, 7 hours ahead of my normal US Central time and I've been up all day--and the flight was all night getting here, so I'm out of steam to investigate tonight!

/Charlie (troubleshooter, carehart. org)
Brian__
Participating Frequently
June 11, 2024

@Charlie Arehart As far as I know, none of the encrypted passwords in CFAdmin use CFMX_COMPAT. I can say with certainty admin login and RDS do not.

And - acknowledging the work to find and refactor impacted code – I’d applaud breaking changes with the end goal of a more secure default environment as a good thing (albeit a painful process). Vulnerable legacy code that runs on a fully-patched platform is still vulnerable code.

On the CFMX_COMPAT change specifically -- The new default algorithm of AES/CBC/PKCS5Padding is probably the best choice, but it’s now also very important for developers to check the integrity of any user-controlled ciphertext (for example, if it’s passed in a cookie or a URL parameter) with an HMAC or similar technique to avoid padding oracle vulnerabilities. Pardon the shameless self-linking 🙂 , but I’ve written about padding oracles and CFML previously for those who may want a little more detail - https://www.hoyahaxa.com/2023/07/on-coldfusion-aes-and-padding-oracle.html
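Brian's point about authenticating user-controlled ciphertext before decrypting it, shown as an added CFML example that is not part of Brian's post or of Adobe's announcement: it wraps ColdFusion's encrypt()/decrypt() with the new default AES/CBC/PKCS5Padding algorithm in an encrypt-then-MAC pattern, so a value coming back from a cookie or URL parameter is checked with an HMAC before decrypt() ever sees it. The function names sealValue and openValue, the sample plaintext, and the in-script key generation are assumptions made for this example; in a real application both keys would be loaded once from a secrets store, not generated in the request.

```cfml
<cfscript>
// Added example (not from the announcement or from Brian's post).
// Two independent keys: one for AES, one for the HMAC. generateSecretKey()
// returns a Base64 string; for hmac() that string is simply used as the key.
// Generated here only so the example runs stand-alone (assumption).
encKey = generateSecretKey("AES", 256);
macKey = generateSecretKey("AES", 256);

// Encrypt with the new default algorithm, then tag the ciphertext.
// With CBC and no IV argument, ColdFusion generates a random IV and
// prepends it to the Base64 output, so each call yields a different token.
function sealValue(required string plaintext) {
    var cipherText = encrypt(arguments.plaintext, encKey, "AES/CBC/PKCS5Padding", "Base64");
    var tag = hmac(cipherText, macKey, "HMACSHA256", "UTF-8");   // hex string
    return cipherText & "." & tag;   // "." never appears in Base64 or hex
}

// Verify the tag first; only a ciphertext that passes is handed to decrypt(),
// so a padding error can never be observed by whoever supplied the value.
function openValue(required string token) {
    var parts = listToArray(arguments.token, ".");
    if (arrayLen(parts) != 2) {
        throw(type="InvalidToken", message="Malformed token");
    }
    var cipherText = parts[1];
    var expected = hmac(cipherText, macKey, "HMACSHA256", "UTF-8");
    // Constant-time comparison via java.security.MessageDigest.isEqual(byte[], byte[])
    var md = createObject("java", "java.security.MessageDigest");
    if (!md.isEqual(charsetDecode(expected, "UTF-8"), charsetDecode(parts[2], "UTF-8"))) {
        throw(type="InvalidToken", message="Integrity check failed");
    }
    return decrypt(cipherText, encKey, "AES/CBC/PKCS5Padding", "Base64");
}

// Constructed sample value, e.g. something an app might store in a cookie.
token = sealValue("user=42;role=member");
writeOutput(openValue(token));   // user=42;role=member

// Changing a single character of the ciphertext portion is rejected by the
// HMAC check; decrypt() is never reached, so no padding oracle is exposed.
firstChar = left(token, 1);
tampered = (firstChar eq "A" ? "B" : "A") & right(token, len(token) - 1);
try {
    openValue(tampered);
} catch (InvalidToken e) {
    writeOutput("<br>Rejected: " & e.message);
}
</cfscript>
```

The two keys are kept separate on purpose: reusing the AES key as the HMAC key ties the two primitives together for no benefit. The tag is computed over the Base64 ciphertext as stored, IV included, so any modification to either the IV or the cipher blocks fails verification before decrypt() is called.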

Charlie Arehart
Community Expert
June 13, 2024

Thanks, Brian (for that and the issue you raised that led to this change).

/Charlie (troubleshooter, carehart. org)