Adobe Coldfusion Update (Security Issue)

New Here, Dec 13, 2024

Hello CF Community,

 

I have an application that I am supporting where I need to apply the latest patch to the CF server. Currently we are running 2021 and the servers are patched till update 9.

My team specifically does not have experience with applying the latest patch. So my question is: can I install the latest update, which is 17 right now, directly, or do I need to do incremental updates?

When checking from CF admin on the servers, it cannot find the latest update when I click on check for updates. So we will be doing it manually. What files are needed for manual installation of the update?

Since we will be doing a manual update, can you guys help with any SOPs that might be helpful, or list out steps for doing this with as much info as possible? Also, please let me know if I need to check anything prior.

 

Thanks in advance.

TOPICS
Advanced techniques , Connector , Documentation , Getting started , Monitoring , Security , Server administration

1 Correct answer

Community Expert, Dec 21, 2024

@harshp_0559 ,

Are you looking for a possible solution to the problem of packages not being installed on ColdFusion 2021? Then read on.

 

It would be handy to update Java to the most recent version, namely, Java SE 11.0.22 (LTS). But I think that this can wait till later. I say this because I think the Java version is not the cause of the current problems.

 

I think @Dave Watts puts his finger on the root cause. Namely, your ColdFusion 2021 installation does not have access to the current packag

...

Community Expert, Dec 24, 2024

Also, Forrest, do you realize you may not NEED to be bothering with that download of the package repository? (I'm assuming from your referring to bkbk's steps that you're doing it manually, versus this being done by cf automatically during an update).

 

To be clear, the only people who NEED to download the repo manually are those who can't LET the normal cf update mechanism download it automatically, and usually that's because their server is offline (no internet access). That's discussed in the update technotes. 

 

And maybe yours is offline. I just want to be sure. I also want to avoid people doing this needlessly. 

 

As a reminder, this thread of Harshp's started off with his only needing to do it because he found the cf admin would not let him download updates. He didn't say his server was offline. I suggested originally that this could happen if the jvm running cf was outdated. Had he solved that, I don't think the rest of his troubles would have happened. Whether that's true or not, again it's rare that someone should need to download the repo manually. That's my main focus with this comment. (As such, it's rare in my observation to hear of anyone complaining about the timeouts you're observing. Bkbk seems to have seen otherwise.)


/Charlie (troubleshooter, carehart.org)

Explorer, Dec 24, 2024

I am trying to do it manually because the package manager attempt to update core and all packages to 17 said it worked, but it did not, as right after the updates things started failing on the production sites. For example, trying to use cachedwithin on any query failed because caching was not actually installed, and even though it says it is installed, it is not. In other words, doing the updates the way we are supposed to said it worked fine, and core and all packages show as installed in the latest version, yet some of them did not install, and even using cfpm to install individual packages says it works, but then the cfpm audit log shows strange stuff when an instance is restarted; for example, it starts the deploy of the pmtagent bundle, then immediately uninstalls it and the felix package?

 

 

Community Expert, Dec 24, 2024

@forrestmahannah , I am sorry to hear that you're still having problems with installing the packages. Let's have a look together.

 

Restart the ColdFusion installation that is giving problems. Then share the following files with the forum:

  1. /logs/cfpm-audit.log;
  2. /logs/http.log;
  3. /lib/neo-updates.xml;
  4. A printscreen of the page you get when you navigate in the ColdFusion Administrator to Package Manager > Packages > Installed Packages (including all the displayed packages);
  5. A printscreen of the page you get when you navigate in the ColdFusion Administrator to Package Manager > Packages > Available Packages (including all the displayed packages).

Explorer, Dec 25, 2024

I have a guy from Adobe trying to help, but it is not going well. He had me try a cfpm uninstall and then install on the instance and the results were bad: blank page in cf admin package manager for that instance, and all caching on that site failed. I actually had to create a new instance to replace it, and on that instance all packages installed correctly.

But here is an excerpt from the audit log showing what was happening with the pmtagent package on the instance I replaced. Notice it deploys, then immediately removes it.

 

"Information","http-nio-8502-exec-6","12/24/24","13:27:09","cfadmin","The following packages will be installed : pmtagent:2021.0.17.330334"
"Information","http-nio-8502-exec-6","12/24/24","13:27:09","cfadmin","Deploying bundle : pmtagent"
"Information","pool-57-thread-1","12/24/24","13:27:09","","Installing the package : C:/ColdFusion2021/bundles/repo/slf4j-api-1.7.12.jar"
"Information","pool-57-thread-1","12/24/24","13:27:09","","Installing the package : C:/ColdFusion2021/bundles/repo/slf4j-log4j12-1.7.12.jar"
"Information","pool-57-thread-1","12/24/24","13:27:09","","Installing the package : C:/ColdFusion2021/bundles/repo/commons-net-3.6.jar"
"Information","pool-57-thread-1","12/24/24","13:27:09","","Installing the package : C:/ColdFusion2021/bundles/repo/disruptor-3.3.7.jar"
"Information","pool-57-thread-1","12/24/24","13:27:09","","Installing the package : C:/ColdFusion2021/bundles/repo/joda-time-2.8.jar"
"Information","pool-57-thread-1","12/24/24","13:27:09","","Installing the package : C:/ColdFusion2021/bundles/repo/lucene-core-analyzers-common-6.6.1.jar"
"Information","pool-57-thread-1","12/24/24","13:27:09","","Installing the package : C:/ColdFusion2021/bundles/repo/lucene-queries-6.6.1.jar"
"Information","pool-57-thread-1","12/24/24","13:27:09","","Installing the package : C:/ColdFusion2021/bundles/repo/lucene-analyzers-smartcn-6.6.1.jar"
"Information","pool-57-thread-1","12/24/24","13:27:09","","Installing the package : C:/ColdFusion2021/bundles/repo/lucene-backward-codecs-6.6.1.jar"
"Information","pool-57-thread-1","12/24/24","13:27:09","","Installing the package : C:/ColdFusion2021/bundles/repo/lucenedemo-6.6.1.jar"
"Information","pool-57-thread-1","12/24/24","13:27:09","","Installing the package : C:/ColdFusion2021/bundles/repo/lucene-grouping-6.6.1.jar"
"Information","pool-57-thread-1","12/24/24","13:27:09","","Installing the package : C:/ColdFusion2021/bundles/repo/lucene-join-6.6.1.jar"
"Information","pool-57-thread-1","12/24/24","13:27:09","","Installing the package : C:/ColdFusion2021/bundles/repo/lucene-memory-6.6.1.jar"
"Information","pool-57-thread-1","12/24/24","13:27:09","","Installing the package : C:/ColdFusion2021/bundles/repo/lucene-highlighter-6.6.1.jar"
"Information","pool-57-thread-1","12/24/24","13:27:09","","Installing the package : C:/ColdFusion2021/bundles/repo/lucene-misc-6.6.1.jar"
"Information","pool-57-thread-1","12/24/24","13:27:09","","Installing the package : C:/ColdFusion2021/bundles/repo/lucene-sandbox-6.6.1.jar"
"Information","pool-57-thread-1","12/24/24","13:27:09","","Installing the package : C:/ColdFusion2021/bundles/repo/lucene-queryparser-6.6.1.jar"
"Information","pool-57-thread-1","12/24/24","13:27:09","","Installing the package : C:/ColdFusion2021/bundles/repo/lucene-spatial3d-6.6.1.jar"
"Information","pool-57-thread-1","12/24/24","13:27:09","","Installing the package : C:/ColdFusion2021/bundles/repo/lucene-spatial-6.6.1.jar"
"Information","pool-57-thread-1","12/24/24","13:27:09","","Installing the package : C:/ColdFusion2021/bundles/repo/lucene-spatial-extras-6.6.1.jar"
"Information","pool-57-thread-1","12/24/24","13:27:09","","Installing the package : C:/ColdFusion2021/bundles/repo/lucene-suggest-6.6.1.jar"
"Information","pool-57-thread-1","12/24/24","13:27:09","","Installing the package : C:/ColdFusion2021/bundles/repo/jna-5.6.0.jar"
"Information","pool-57-thread-1","12/24/24","13:27:09","","Installing the package : C:/ColdFusion2021/bundles/repo/jna-platform-5.6.0.1.jar"
"Information","pool-57-thread-1","12/24/24","13:27:09","","Installing the package : C:/ColdFusion2021/bundles/repo/threetenbp-1.3.6.jar"
"Information","pool-57-thread-1","12/24/24","13:27:09","","Installing the package : C:/ColdFusion2021/bundles/repo/oshi-core-5.3.7.jar"
"Information","http-nio-8502-exec-6","12/24/24","13:27:09","cfadmin","Installing the package : C:/ColdFusion2021/bundles/perfmon-2021.0.17.330334.jar"
"Information","http-nio-8502-exec-6","12/24/24","13:27:10","cfadmin","ServiceRegistration for package : pmtagent started"
"Information","http-nio-8502-exec-6","12/24/24","13:27:15","cfadmin","Uninstalling the package : felixclassloader"
"Information","http-nio-8502-exec-6","12/24/24","13:27:15","cfadmin","Uninstalling the package : pmtagent"
"Information","http-nio-8502-exec-6","12/24/24","13:27:15","cfadmin","Stopping package : pmtagent"
"Information","http-nio-8502-exec-6","12/24/24","13:27:16","cfadmin","Uninstalling the package : sniffer-5.3.2"
"Information","http-nio-8502-exec-6","12/24/24","13:27:16","cfadmin","Uninstalling the package : oshi-core-5.3.7"
"Information","http-nio-8502-exec-6","12/24/24","13:27:16","cfadmin","Uninstalling the package : threetenbp-1.3.6"
"Information","http-nio-8502-exec-6","12/24/24","13:27:16","cfadmin","Uninstalling the package : elasticsearch-5.6.16"
"Information","http-nio-8502-exec-6","12/24/24","13:27:16","cfadmin","Uninstalling the package : elasticsearch-rest-client-5.6.16"
"Information","http-nio-8502-exec-6","12/24/24","13:27:16","cfadmin","Uninstalling the package : jna-platform-5.6.0.1"
"Information","http-nio-8502-exec-6","12/24/24","13:27:16","cfadmin","Uninstalling the package : jna-5.6.0"
"Information","http-nio-8502-exec-6","12/24/24","13:27:16","cfadmin","Uninstalling the package : disruptor-3.3.7"
"Information","http-nio-8502-exec-6","12/24/24","13:27:17","cfadmin","Deploying bundle : felixclassloader"
"Information","http-nio-8502-exec-6","12/24/24","13:27:17","cfadmin","Installing the package : C:/ColdFusion2021/bundles/felixclassloader-2021.0.0.323925.jar"
"Information","http-nio-8502-exec-6","12/24/24","13:27:17","cfadmin","ServiceRegistration for package : felixclassloader started"

Votes
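The install-then-uninstall pattern in the excerpt above can be checked mechanically after an update. This is an added example, not part of the original post and not Adobe tooling; it assumes the six-field quoted CSV layout and the message prefixes visible in the excerpt, and the function names are hypothetical.

```python
import csv
import io
from datetime import datetime, timedelta

# Subset of the cfpm-audit.log lines quoted in the post above.
SAMPLE = '''"Information","http-nio-8502-exec-6","12/24/24","13:27:09","cfadmin","Deploying bundle : pmtagent"
"Information","http-nio-8502-exec-6","12/24/24","13:27:10","cfadmin","ServiceRegistration for package : pmtagent started"
"Information","http-nio-8502-exec-6","12/24/24","13:27:15","cfadmin","Uninstalling the package : felixclassloader"
"Information","http-nio-8502-exec-6","12/24/24","13:27:15","cfadmin","Uninstalling the package : pmtagent"
"Information","http-nio-8502-exec-6","12/24/24","13:27:17","cfadmin","Deploying bundle : felixclassloader"
"Information","http-nio-8502-exec-6","12/24/24","13:27:17","cfadmin","ServiceRegistration for package : felixclassloader started"
'''

DEPLOY = "Deploying bundle : "
UNINSTALL = "Uninstalling the package : "


def parse(text):
    """Yield (timestamp, user, message) for each well-formed audit row."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 6:
            continue  # skip blank or truncated lines
        _severity, _thread, date, time, user, msg = row
        try:
            ts = datetime.strptime(f"{date} {time}", "%m/%d/%y %H:%M:%S")
        except ValueError:
            continue  # unexpected date format: ignore rather than guess
        yield ts, user, msg


def final_state(text):
    """Replay deploy/uninstall events and return the last state per package."""
    state = {}
    for _ts, _user, msg in parse(text):
        if msg.startswith(DEPLOY):
            state[msg[len(DEPLOY):].strip()] = "deployed"
        elif msg.startswith(UNINSTALL):
            state[msg[len(UNINSTALL):].strip()] = "uninstalled"
    return state


def quick_reversals(text, window=timedelta(seconds=60)):
    """Packages deployed, then uninstalled within `window`, and not redeployed."""
    deployed_at, hits = {}, []
    for ts, user, msg in parse(text):
        if msg.startswith(DEPLOY):
            name = msg[len(DEPLOY):].strip()
            deployed_at[name] = ts
            hits = [h for h in hits if h[0] != name]  # a redeploy clears the flag
        elif msg.startswith(UNINSTALL):
            name = msg[len(UNINSTALL):].strip()
            start = deployed_at.pop(name, None)
            if start is not None and ts - start <= window:
                hits.append((name, int((ts - start).total_seconds()), user))
    return hits
```

Comparing `final_state` against the Installed Packages page in the ColdFusion Administrator shows whether the admin's view and the audit log disagree.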

Community Expert, Dec 25, 2024

Forrest, since your newly created instance is working, are you simply sharing this info from the failing one as a final FYI?

Bkbk had asked for more. And perhaps with that info it may be possible to diagnose what's going on. It's clearly something odd.

And it's certainly unfortunate to hear that the free assistance offered by Adobe didn't help. I'll say I've helped many people solve such package mgt problems, via an online remote screenshare consulting session, as I offered previously to harsh. You won't pay for time you don't find valuable. More at carehart.org/consulting.

 

But feel free to reply with what bkbk asked for, and perhaps he or I or someone else may see something. I just find that there's often no substitute for looking at things directly as there can be many variables at play, which can avoid a lot of back and forth here. Your call. 


/Charlie (troubleshooter, carehart.org)

Explorer, Dec 25, 2024

Still working out issues with package updates, but I think the automatic uninstall of pmtagent might have something to do with the latest security patch?

 

Also, the new instance I created is running but the connector is denying access to any urls using CFIDE. This is new for me and likely for security but I have legacy sites that hardcoded paths to the ajax scripts and these are now broken. Per a post I replaced the isapi_redirect.dll with the older one that did work and restarted everything and access is still blocked? Is there any workaround or am I missing something?

 

Thanks and Merry Christmas!

Community Expert, Dec 25, 2024

Forrest:

 

First, to be clear the latest cf update does NOT itself REMOVE the pmtagent. Instead it updates it. Oddly, your log shows it being installed and then un-installed. That doesn't seem normal. 

 

That said, it IS true that when any update DOES include a package update, that is implemented on the post-update cf restart which follows, and that DOES first uninstall and then install the package update. But again yours shows the reverse, being installed and then uninstalled.

Second, as for the CFIDE access issues, I'll say this is going quite afield from the original post. But to be clear, the blocking you refer to is not "new". It was introduced with the connector update provided with the cf updates of Oct 2023; in your case that was update 11. The technote for it mentions it only briefly.

 

You could have been beyond that update for over a year but just had never updated your connector (wsconfig) until recently, thus breaking your use of CFIDE via an external web server like iis or apache, when using this connector.

 

As for your reverting to the old dll (when using iis), that workaround is not alone sufficient. That's because Adobe had ORIGINALLY blocked this CFIDE access starting in cf2016. Folks since then would need to modify also the connector's uriworkermap.properties file to comment out ITS block of such CFIDE urls. But it was this connector update on Oct 2023 that now defeated even that workaround.

 

And all this (for the past 8 years) has been because Adobe's trying to protect people from vulnerabilities caused by the CFIDE folder being accessible via an external web server like iis or apache.

 

Sure, some decry they NEED that, so they do as you did, reverting that dll (or the .so file for apache). You just also need to address the properties file as well. But all this comes at real risk. Adobe feels you should NOT be doing it. There are other ways to maintain protected access to the cf admin by way of the built-in web server and its non-standard port like 8500. Some want to fight Adobe on this tooth and nail. (Others claim that DOD "STIG" rules force them to. Those rules are very outdated, being written for cf11.)

 

Again, though, this is way off topic for this post. You really should consider either opening a new post or finding and adding to others that have discussed this matter. 


/Charlie (troubleshooter, carehart.org)
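For administrators who want to know whether a server still carries the uriworkermap.properties block described in the post above, or has had it commented out, the following added example audits the file's text. It is not from the original post or from Adobe; it assumes the block is written as a mod_jk-style exclusion rule (`!/CFIDE/* = cfusion`), the sample file contents are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample files. The "!/CFIDE/* = cfusion" exclusion line is an
# assumption about what the connector's uriworkermap.properties contains.
HARDENED = """\
/*.cfm = cfusion
/*.cfc = cfusion
!/CFIDE/* = cfusion
/cf_scripts/* = cfusion
"""

WORKAROUND = """\
/*.cfm = cfusion
/*.cfc = cfusion
#!/CFIDE/* = cfusion
/CFIDE/* = cfusion
"""

# "<uri pattern> = <worker>", with a leading "!" marking an exclusion rule.
RULE = re.compile(r"^(?P<neg>!?)(?P<uri>/\S*)\s*=\s*(?P<worker>\S+)$")


def parse_rules(text):
    """Return (active, commented) lists of (is_exclusion, uri_pattern)."""
    active, commented = [], []
    for raw in text.splitlines():
        line, bucket = raw.strip(), active
        if line.startswith("#"):
            line, bucket = line.lstrip("#").strip(), commented
        m = RULE.match(line)
        if m:
            bucket.append((m["neg"] == "!", m["uri"]))
    return active, commented


def is_cfide(uri):
    """Case-insensitive match, since IIS paths are not case sensitive."""
    return uri.lower().startswith("/cfide")


def audit_cfide(text):
    """List findings that indicate CFIDE is exposed through the connector."""
    active, commented = parse_rules(text)
    findings = []
    if not any(neg and is_cfide(uri) for neg, uri in active):
        findings.append("no active exclusion rule for /CFIDE")
    for neg, uri in commented:
        if neg and is_cfide(uri):
            findings.append(f"CFIDE exclusion commented out: !{uri}")
    for neg, uri in active:
        if not neg and is_cfide(uri):
            findings.append(f"CFIDE mapped to worker: {uri}")
    return findings
```

A clean result covers only the properties file; per the post, the connector binary from the Oct 2023 update enforces its own block, so the deployed isapi_redirect.dll or .so version has to be checked separately.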

Explorer, Dec 25, 2024

I recoded the app to use correct script src urls. I will stop adding to this post.

Community Expert, Dec 25, 2024

Forrest, the scriptsrc setting has not been related to the CFIDE folder since cf2016, when Adobe split the cf_scripts folder out of the CFIDE folder to instead be now a SIBLING to it.

If you mean you had somehow overridden that scriptsrc admin setting to point again at the CFIDE folder, that would indeed now be blocked by the connector change as well as the uriworkermap.properties file block.

 

Good that you've solved that tweak you'd made. Hope all the details I offered might also help future readers who may find this thread. 


/Charlie (troubleshooter, carehart.org)

Community Expert, Dec 25, 2024

quote

Still working out issues with package updates, but I think the automatic uninstall of pmtagent might have something to do with the latest security patch?

 

Also, the new instance I created is running but the connector is denying access to any urls using CFIDE. This is new for me and likely for security but I have legacy sites that hardcoded paths to the ajax scripts and these are now broken. Per a post I replaced the isapi_redirect.dll with the older one that did work and restarted everything and access is still blocked? Is there any workaround or am I missing something?

 


By @forrestmahannah

 

We might get a clue from the logs or from the ColdFusion Administrator. However, you seem to have overlooked the 5 pieces of information I requested. In spite of reminders from Charlie. 
