Community Manager
July 19, 2023
Question

[RELEASED] ColdFusion 2018/2021/2023 July 19 Security Updates

We are pleased to announce that we have released the updates for the following ColdFusion versions:
In these updates, we’ve fixed a few critical security bugs mentioned in the security bulletin, APSB23-47.
For more information, see the tech notes below:
Please update your ColdFusion versions and provide us with your valuable feedback.

    Participant
    July 20, 2023

    Question: ColdFusion 2021 Update 8 was detected 7/18/23. Why has Update 8 not been detected this morning? How soon can it be available for detection? Thanks.

    I use this way in my ColdFusion Administrator: In Package Manager > Packages, click Check for Updates in Core Server.

    Participant
    July 20, 2023

    Correction to my post:

    Why has Update 9 not been detected this morning?

    Participant
    July 20, 2023

    Adobe should urgently clarify which Java versions are secure and which are not (for CF 2018, 2021, and 2023).


    The website https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#downloads3 lists 17.0.7 and 11.0.19 as the latest versions. However, 17.0.8 and 11.0.20 have already been released.

    Charlie Arehart
    Community Expert
    July 20, 2023

    Marv, while you await their reply, let me offer some thoughts (as one who spends my day helping people with these matters).


    FWIW, this situation is not new (nor quite as drastic as you may reasonably fear).


    First, yes, the new jvm updates came out on Tuesday the 18th (and I blogged about them that day, to share that news for those who may follow/subscribe to carehart.org/blog. I also tweet news of my posts and share them on Facebook and Linkedin).


    And second, yes, Adobe for some reason has nearly always dragged their feet in getting that latest Java update into that download page of theirs. I don't understand it, as the Java update dates are scheduled and quarterly (yes, even these "critical patch" updates as Oracle calls them). The next is Oct 17, as indicated here


    Third (and as I note in my posts about them), one CAN just get the jvm from Oracle directly, for free. I've compared the binaries with what's posted on the Adobe site, and they're identical.


    Fourth, as for "what jvm update" we should use with CF to be "most secure," what they clarify is that you should be on the latest update for the jvm version that your cf version supports. That apsb mention of that then points to the support matrix for each cf version, which indicates that (currently), cf2021 and cf2018 support only Java 11, while cf2023 alone supports only Java 17.


    Finally, as for this latest Java update of this week, I'll note that the Oracle security bulletin for it indicates that each is "difficult to exploit", as in quoted also in my post. So despite the general warning that Adobe makes, it seems it may not be QUITE as urgent to be on that update as you are reading it to be.


    Still, I get it: when it comes to security, some will WANT to be as secure as possible, while others will feel they MUST be. (And some want to hear only from the vendor, not anyone else.) 


    So could Adobe make all this still more clear and explicit? I suppose so. They don't. 


    And I'm replying here not to disagree with you, but to help you and others both now and for each subsequent update. It simply seems that our cries for improvement are not being heeded, despite asking again and again. And some Adobe folks cower behind "security being something they can't talk about", to just let these issues linger, it seems. It's really dismaying, but it is what it is.


    So I post what I do (about each cf and Java update) to help, and to serve the community. As the saying goes, it's better to light one candle than to curse the darkness.


    I appreciate your question, and until they reply I hope this is helpful, sincerely. 

    /Charlie (troubleshooter, carehart.org)
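The reply above boils the question down to a rule: run the latest update of the Java major version your ColdFusion version supports (Java 11 for CF2018/CF2021, Java 17 for CF2023), and the thread names 11.0.20 and 17.0.8 as the current updates at the time. The following script, an added example and not code from Adobe or from the poster, turns that rule into a check you can run against the output of `java -version` for the JVM your ColdFusion instance is actually configured to use. The support matrix and the "latest update" table are taken from the posts in this thread and are assumptions that must be refreshed after each quarterly Oracle update; the sample banners are constructed.

```python
import re
import subprocess

# Support matrix as described in the reply above (assumption: refresh from Adobe's matrix).
SUPPORTED_MAJOR = {"2018": 11, "2021": 11, "2023": 17}

# Latest update per major version as named in this thread (July 2023).
# Assumption: these tuples must be bumped after each quarterly Oracle CPU.
LATEST_UPDATE = {11: (11, 0, 20), 17: (17, 0, 8)}

# Matches the quoted version in the first line of `java -version`, e.g.
#   openjdk version "11.0.19" 2023-04-18 LTS
#   java version "1.8.0_372"
VERSION_RE = re.compile(r'version "(\d+)(?:\.(\d+))?(?:\.(\d+))?')


def parse_java_version(banner: str):
    """Return (major, minor, patch) from a `java -version` banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("no Java version string found in banner")
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    # Legacy "1.8.0_xxx" numbering: the real major version is the second field.
    if major == 1:
        major, minor, patch = minor, 0, 0
    return (major, minor, patch)


def check_jvm(cf_version: str, banner: str) -> dict:
    """Classify the running JVM for a given ColdFusion version.

    status is one of:
      unsupported-major : wrong Java major for this CF version
      outdated          : right major, but older than the latest known update
      current           : at or beyond the latest known update
    """
    running = parse_java_version(banner)
    expected_major = SUPPORTED_MAJOR[cf_version]
    result = {"running": running, "supported_major": expected_major}
    if running[0] != expected_major:
        result["status"] = "unsupported-major"
    elif running < LATEST_UPDATE[expected_major]:
        result["status"] = "outdated"
    else:
        result["status"] = "current"
    return result


def local_java_banner(java_bin: str = "java") -> str:
    """Run `<java_bin> -version`; the JDK prints the banner on stderr.

    Assumption: pass the path of the java binary ColdFusion is configured
    to use, which is not necessarily the one on PATH.
    """
    proc = subprocess.run([java_bin, "-version"], capture_output=True, text=True)
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    # Constructed sample banners, one per status, so the script runs offline.
    samples = [
        ("2021", 'openjdk version "11.0.19" 2023-04-18 LTS'),
        ("2023", 'java version "17.0.8" 2023-07-18 LTS'),
        ("2018", 'java version "1.8.0_372"'),
    ]
    for cf, banner in samples:
        print(cf, check_jvm(cf, banner))
```

To check a real instance, replace the constructed samples with `check_jvm("2021", local_java_banner("/path/to/cf/jre/bin/java"))` (placeholder path) and alert on anything other than `current`; the comparison is on the parsed version tuple, so a future 11.0.21 would also count as current until the table is bumped.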
    Inspiring
    July 19, 2023

    Can we get the exact time today that this new patch was released please?

    Charlie Arehart
    Community Expert
    July 19, 2023

    That's a curious question, which I've honestly never seen asked. In case they're slow (or may opt not) to reply, can you elaborate on your motivation? Are you assessing the timing relative to some other resource? Or relative to a vuln you found? I realize you may prefer NOT to say why you ask, but perhaps you won't mind, and it is something curious. 

    /Charlie (troubleshooter, carehart.org)
    Inspiring
    July 19, 2023

    I was trying to establish a timeline of how long after the update was released I had installed it.