UPDATE RELEASED: ColdFusion security updates 14 & 4 released for CF2021 & CF2018.

I have the following problem: After installing update 14 (CF 2018 release, Windows Server 2016, patched), the CF-service starts normally but it is no longer possible to access it.

- Connecting to the CF internal webserver throws an error 500
- Connection through IIS triggers the following error in isapi_redirect.log:

[info] jk_open_socket::jk_connect.c (816): connect to 127.0.0.1:8018 failed (errno=61)
[info] ajp_connect_to_endpoint::jk_ajp_common.c (1140): (cfusion) Failed opening socket to (127.0.0.1:8018) (errno=61)
[error] ajp_send_request::jk_ajp_common.c (1811): (cfusion) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=61)
[info] ajp_service::jk_ajp_common.c (2982): (cfusion) sending request to tomcat failed (recoverable), because of error during request sending (attempt=2)
[error] ajp_service::jk_ajp_common.c (3003): (cfusion) connecting to tomcat failed (rc=-3, errors=10, client_errors=4).

I've tried different things:
- Uninstall the update manually (CF Admin not available): no change

- Rollback + Installing the update manually: same result
- Updating the connector, adopting various working settings from our testing-System (where the security update 14 was no problem): unfortunately no success

My questions:

- Is there also a log file form the CF internal webserver?

- I suspect there is a problem with the Tomcat 9.0.60 update. Are there any specifig logs or test possibilities to identify the problem?

Thanks,

Patrick

Two questions:

1.

How come your Update 4 details on https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-updates.html do not include a "Hotfix and packages repository" which your instructions expect - hence the instruction to "Unzip the repository".

2.

Have you updated any base installers that include Update 4? Or are we expected to apply the hotfix even if we download the latest installers. If you do have an updated installer (in my case the "Adobe ColdFusion 2021 Windows 64 Bit GUI Installer"), where would I find it?

@Priyank Shrivastava. , could you please clear up one source of confusion. You will find the following on the security page, https://helpx.adobe.com/security/products/coldfusion/apsb22-22.html :

 

On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**", in the respective startup file depending on the type of Application Server being used.   

For example:   

Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file   

 

Consider the usual, standalone ColdFusion installation. That is, a ColdFusion installation that is not installed as a JEE web application deployed on a JEE application server such as WebLogic, Tomcat or WildFly. 

The question is, do you have to apply the jdk.serialFilter flag to such a standalone ColdFusion?

Could you please clarify. Confusion arises because a standalone ColdFusion installation still runs on Tomcat, albeit not as a deployed JEE web application. . 

Thanks, @Priyank Shrivastava. and Team.

At last a Tomcat upgrade to 9.0.60, thereby averting the vulnerability CVE-2021-42340

Good show!

It appears that this hotfix is security related and not feature related.  With CF2018 hotfix 12 we installed hf201800-4212383.jar for the query of queries issue that was introduced with that release.  We had to manually apply it for CF2018  hotfix 13, as well.  I suspect we have to apply it after this CF2018 hotfix 14, as well?

Thanks,

Jeff