Coldfusion Vulnerability Message

New Here, Jan 23, 2025

Hi there,

We have ColdFusion 2021 and are on update 18.  However, we have some security software reporting a vulnerability, and it turns out the file bundlesdependency.json under the folder C:\ColdFusion2021\bundles has references to version 2021.0.0.323925.  I can see jar files in that folder for each of the bundles it is referencing.  Do I simply update the version in the bundlesdependency.json file to be the latest version number for that file?  For example, awslambda has these files in that folder:

 

    awslambda-2021.0.0.323925.jar
    awslambda-2021.0.02.328618.jar
    awslambda-2021.0.05.330109.jar
    awslambda-2021.0.11.330247.jar
    awslambda-2021.0.17.330334.jar

 

Do I simply update the value from 2021.0.0.323925 to 2021.0.17.330334 as below?

    "bundle" : "awslambda",
    "version" : "2021.0.17.330334",   <-- HERE
    "description" : "The awslambda package helps you invoke AWS lambda functions"

 

I would obviously take a copy of the bundlesdependency.json file beforehand, in case I needed to roll back.  Why did this file not get updated when I updated ColdFusion?  Sorry, I am a newbie so this might be a simple question 🙂

Adobe Employee, Jan 24, 2025

Hi @richardp38200787,

You can install the latest update, as ColdFusion updates are cumulative; however, there are updates which contain bug fixes, and before you apply this in production you need to test your application thoroughly.

You have to go through the release notes, as there are breaking changes.

 

Please let us know if you face any issue.

Thanks,
Priyank Shrivastava
Community Expert (Correct answer), Jan 24, 2025

Hi @richardp38200787 ,

Don't worry. There is good news.

You don't have to update awslambda! The fact that your ColdFusion 2021 installation has Update 18 means your installation is already up-to-date. 🙂 
In other words, you have already installed awslambda-2021.0.17.330334.jar. 

To confirm this, proceed as follows:

  1.  Open the ColdFusion Administrator and navigate to Package Manager > Packages > Installed Packages.
  2.  Click on the widget awslambda. You will see that the "Installed Version" is 2021.0.17.330334.
  3.  At the bottom of the page, you can see that the "Available Versions" are

      awslambda-2021.0.17.330334.jar (Current)
      awslambda-2021.0.11.330247.jar
      awslambda-2021.0.05.330109.jar
      awslambda-2021.0.02.328618.jar
      awslambda-2021.0.0.323925.jar


ColdFusion is holding on to the older Jars (awslambda-2021.0.11.330247.jar, awslambda-2021.0.05.330109.jar, awslambda-2021.0.02.328618.jar, awslambda-2021.0.0.323925.jar ) for users who may want to downgrade to an older version.

Community Expert, Jan 24, 2025

Adding to Priyank and BKBK's responses, you haven't said what was the "vulnerable" file that was found by your sec folks. Please let us know. 

 

I'd be surprised if it was the bundlesdependency.json file. That just lists what package jars COULD be installed. As bkbk noted, your log line indicates you have update 17 of that awslambda package. Indeed, it's not even clear that that package is your real concern. I sense instead that you just found that referenced in the json file and you raised it as an example. Please confirm.

Again, that file holds the names of ALL packages and their jars, as are available in the bundles folder, and as were placed there by the download of an update.

And while you COULD edit the json file to remove old references, that's not "where" any vuln is going to be, per se (that file). And while the jars in that bundles folder are pointed to by that file, even THOSE are not going to themselves be a vuln, because cf does not "load all files there" at startup, nor are they accessible to cf code. That's important to note.

Instead, those files are used by cf to IMPLEMENT whatever package you choose to INSTALL within cf, whether via the CFAdmin page as bkbk noted, or via the cfpm cli tool. In other words, even if some old package is NAMED in that file or EXISTS in that bundles folder, that doesn't itself indicate any sec vulnerability. What's INSTALLED is what matters.

Sadly, a lot of security people or tools "don't care" to consider this: to them, if a vulnerable file exists anywhere on a server, they want it gone. It's a rather hamfisted approach, but they often are responsible for many apps on a server--and indeed often many servers. They may "not have time" to know such facts or even to consider them, though sometimes you might get them to do so.

Assuming you could not, then as BKBK noted, if you WERE to try to remove such references in that json file (or files in that folder), you and your folks need to understand that you'd lose the ability to downgrade to the older updates they relate to. And even if you/they KNOW you'd "never want to downgrade", you'd have to be VERY careful in such editing or removal. It's nothing Adobe provides for or documents that I know of.

 

This brings me back to my original question: what's the actual vulnerability that your scan found? All this may be unrelated to the real solution to that problem. As always, just trying to help. No condescension intended at all. 

/Charlie (troubleshooter, carehart.org)
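The two expert replies above make one point between them: bundlesdependency.json and the jars beside it describe what COULD be installed, and a scanner that greps the JSON for an old version string is not telling you what IS installed. The script below is an added example written for this thread (it is not Adobe tooling and not code from any poster). It reads the JSON and the bundles folder, works out the newest jar present for each referenced bundle, and flags the exact situation the original poster hit: the JSON still names 2021.0.0.323925 while the Update 17 jar sits next to it. It assumes bundlesdependency.json is a JSON array of objects with "bundle", "version" and "description" keys as in the quoted snippet (if your copy wraps the array in an object, load_entries() takes the first array-valued member), and that jars are named <bundle>-<version>.jar. The sample data is constructed; "examplepkg" is a hypothetical bundle name. The installed state itself still has to be confirmed in CF Administrator > Package Manager or with cfpm, which this script cannot query.

```python
"""Triage helper for a ColdFusion 2021 bundles folder (added example, not Adobe's tooling).

Assumptions (constructed/hypothetical, see the lead-in):
- bundlesdependency.json is a JSON array of {"bundle", "version", "description"} objects.
- Jars in the bundles folder are named <bundle>-<dotted numeric version>.jar.
"""
import json
import re
import sys
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# <bundle>-<dotted numeric version>.jar, e.g. awslambda-2021.0.17.330334.jar
JAR_RE = re.compile(r"^(?P<bundle>.+?)-(?P<ver>\d+(?:\.\d+)+)\.jar$")


def parse_version(ver: str) -> Tuple[int, ...]:
    """'2021.0.02.328618' -> (2021, 0, 2, 328618); compare numerically, never as strings."""
    return tuple(int(part) for part in ver.split("."))


def index_jars(jar_names: Iterable[str]) -> Dict[str, List[str]]:
    """Group jar file names by bundle; each version list is sorted oldest to newest."""
    by_bundle: Dict[str, List[str]] = {}
    for name in jar_names:
        m = JAR_RE.match(name)
        if m is None:
            continue  # not a versioned bundle jar (e.g. a README); ignore it
        by_bundle.setdefault(m["bundle"], []).append(m["ver"])
    for versions in by_bundle.values():
        versions.sort(key=parse_version)
    return by_bundle


def load_entries(path: Path) -> List[dict]:
    """Read bundlesdependency.json (structure assumed, see module docstring)."""
    data = json.loads(path.read_text(encoding="utf-8"))
    if isinstance(data, list):
        return data
    if isinstance(data, dict):
        for value in data.values():
            if isinstance(value, list):
                return value
    raise ValueError(f"no bundle array found in {path}")


def triage(entries: Iterable[dict], jar_names: Iterable[str]) -> List[dict]:
    """For each bundle the JSON references, report what is actually on disk.

    'newer_jar_present' is the thread's situation: the JSON names an old build while
    a newer jar sits beside it. That is not evidence of an installed vulnerable
    package; what is INSTALLED (Package Manager / cfpm) is what matters.
    """
    jars = index_jars(jar_names)
    report = []
    for entry in entries:
        bundle, referenced = entry["bundle"], entry["version"]
        available = jars.get(bundle, [])
        newest: Optional[str] = available[-1] if available else None
        report.append({
            "bundle": bundle,
            "referenced": referenced,
            "newest_on_disk": newest,
            "referenced_jar_on_disk": referenced in available,
            "newer_jar_present": newest is not None
                and parse_version(newest) > parse_version(referenced),
        })
    return report


# Constructed sample mirroring the thread: the JSON names the oldest awslambda build
# while all five jars up to Update 17 are present. "examplepkg" is hypothetical.
SAMPLE_JSON = """[
  {"bundle": "awslambda", "version": "2021.0.0.323925",
   "description": "The awslambda package helps you invoke AWS lambda functions"},
  {"bundle": "examplepkg", "version": "2021.0.0.323925",
   "description": "hypothetical package, constructed for this example"}
]"""
SAMPLE_JARS = [
    "awslambda-2021.0.0.323925.jar", "awslambda-2021.0.02.328618.jar",
    "awslambda-2021.0.05.330109.jar", "awslambda-2021.0.11.330247.jar",
    "awslambda-2021.0.17.330334.jar", "examplepkg-2021.0.0.323925.jar",
    "README.txt",
]


def sample_report() -> List[dict]:
    """Run the triage over the constructed sample data."""
    return triage(json.loads(SAMPLE_JSON), SAMPLE_JARS)


def print_report(rows: List[dict]) -> None:
    for r in rows:
        flag = ("newer jar on disk; confirm installed version in Package Manager"
                if r["newer_jar_present"] else "reference matches newest jar")
        print(f'{r["bundle"]}: json={r["referenced"]} newest={r["newest_on_disk"]} -> {flag}')


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. C:\ColdFusion2021\bundles
        bundles = Path(sys.argv[1])
        rows = triage(load_entries(bundles / "bundlesdependency.json"),
                      (p.name for p in bundles.glob("*.jar")))
    else:
        rows = sample_report()
    print_report(rows)
```

Run it with the bundles folder as the only argument to check a real install, or with no argument to see the constructed sample. A "newer jar on disk" line is the answer to hand a scanner owner: the old version string in the JSON is a downgrade option, not an installed component, and the installed version is what should be compared against the advisory.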
New Here, Jan 26, 2025

Hi,

Thank you all so much for the information, it is really helpful and I will go back to our security team with this information.

Regards

Community Expert, Jan 27, 2025

No worries. Keep us informed of the result.

New Here, Jan 27, 2025 (LATEST)

I have provided this information to our security department and they have acknowledged that this is not actually a security vulnerability so we are all good.  Thanks again for the info you provided, I learnt something in the process which is always a good thing!  Have a nice day.
