Community Manager
March 12, 2024
Question

NOW LIVE! Adobe ColdFusion 2023 and 2021 March 2024 security updates

  • March 12, 2024
  • 11 replies
  • 21769 views

Revision history

  • 13 Mar 2024: Added the impacted scopes and related code samples to both the tech notes.
  • 14 Mar 2024: Add the Docker image locations of the updates.

 

We are pleased to announce that we have released security updates to ColdFusion (2023 release) Update 7 and ColdFusion (2021 release) Update 13.

 

This update includes several security fixes to ensure the safety and security of our systems. These changes address potential vulnerabilities and threats and are part of our ongoing commitment to protecting your data and privacy.

 

For more information, view the security bulletin,  APSB24-14.

 

Where do I download the updates from?

Download the updates from the following locations:

 

These updates address some significant changes in variable scope and cfdocument. In addition, we've updated a few libraries and packages.

 

For more information, view the following tech notes:

 

Are the Docker images available?

The images are available on the Docker hub and ECR.

 

Please update your ColdFusion versions and provide us with your valuable feedback.


    Charlie Arehart
    Community Expert
    March 12, 2024

    It's very important that people read the technote before "just applying this update". There is a very important (and fundamental) change in how CFML processes variables, with regard to searching for scopes when no scope is indicated on a variable name (at least in many cases. See newer comments below.), as the update changes CF's default behavior for an application setting called searchimplicitscopes. That was introduced in CF2016, and it defaulted to true, but this update changes that to default to false.

     

    This is almost certainly a BREAKING change in many CF apps--and it's a change Adobe has implemented for the sake of security, it seems. For more on that, see the technote. (Update: for more on what apps might break, see my later comments below.) 

     

    At a minimum I want to call out that if you may have code that WOULD break (with the second two being for when you must favor compatibility over security), there are 3 available solutions to the problem. You can either:

    • change your code (to scope variables as needed)
    • change your application.cfc or cfm to enable searchimplicitscopes=TRUE
    • change ALL CF processing by adding instead a JVM argument to CF's startup
      • -Dcoldfusion.searchimplicitscopes=true

    These are discussed further in the technote. And note that this new JVM arg will NOT be supported in the next and future releases, so you will NOT be able to rely on that 3rd option beyond CF2023. You will instead need to consider either of the first two options.

     

    (I'm just a messenger here. I have nothing to do with the change or how it was implemented. I just help people solve problems, and this is going to be one for many as they deal with it, and for a long time to come as they later a) apply this update, b) move to CF2021/23 and apply this update, or c) move from earlier cf versions to later ones.)

     

    There's also much more to the update beyond this one issue, so again READ the update technote. Update: read also the many comments here as well as a blog post I did that night of the update (taking into consideration many of the comments and questions raised here). 

    /Charlie (troubleshooter, carehart.org)
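The three options in the reply above, shown as an added CFML illustration for this thread; it is not code from Adobe, the technote, or Charlie. The page name, the `showDebug` / `userRole` variable names and the query-string values are constructed for the example; the `this.searchImplicitScopes` Application.cfc setting and the `searchImplicitScopes` attribute of `cfapplication` are assumed to be the programmatic forms of the `searchimplicitscopes` setting named in the thread.

```cfml
<!--- ===== Application.cfc (option 2 from the reply) =====
      Only add this line if you must favour compatibility over security:
      it restores the pre-update behaviour for this one application.
      Leave it out (default false after the update) to get the hardened behaviour. --->
component {
    this.name = "legacyApp";               // constructed application name
    this.searchImplicitScopes = true;      // assumed Application.cfc form of the setting
}

<!--- ===== scopes.cfm (option 1 from the reply: scope your variables) =====
      Constructed request to test with: scopes.cfm?showDebug=true&userRole=guest --->

<!--- RISKY: unscoped read of a variable that was never set in VARIABLES.
      With searchImplicitScopes=true CF walks the implicit scopes (cgi, url, form,
      cookie, ...) and finds the caller-supplied url.showDebug, so this branch runs.
      With the new default (false) only VARIABLES is searched and CF throws
      "Variable SHOWDEBUG is undefined" instead of silently trusting the request. --->
<cfif isDefined("variables.showDebug") AND showDebug>
    <cfoutput>debug panel would render here</cfoutput>
</cfif>

<!--- SAFE under either setting: every read and write names its scope, and the
      request value is validated before it is copied into the VARIABLES scope. --->
<cfparam name="url.userRole" default="guest">
<cfset variables.userRole = listFindNoCase("guest,member", url.userRole)
                            ? lCase(url.userRole) : "guest">
<cfset variables.showDebug = false>   <!--- set explicitly; never taken from the request --->
<cfoutput>role=#variables.userRole# debug=#variables.showDebug#</cfoutput>

<!--- ===== .cfm alternative to Application.cfc (also option 2) =====
      Same compatibility switch for apps that still configure themselves with cfapplication. --->
<cfapplication name="legacyApp" searchImplicitScopes="true">

<!--- Option 3 (all applications on the instance) is a JVM argument in jvm.config,
      quoted from the reply: -Dcoldfusion.searchimplicitscopes=true
      Charlie notes it is not supported beyond ColdFusion 2023, so treat it as a
      stop-gap while code is scoped. --->
```

The `isDefined("variables.showDebug")` guard in the risky block shows the kind of check that hides the problem rather than fixing it: `isDefined` with an explicit scope returns false, but the unscoped `showDebug` that follows can still be satisfied from the URL when implicit searching is on. Auditing for unscoped reads (variables used without a scope prefix that are not set on the same page) is the practical way to find code the new default will break.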