We are pleased to announce that we have released the updates for the following ColdFusion versions:
In these updates, we’ve fixed a few security bugs mentioned in the security bulletin, APSB23-40.
We’ve also refreshed ColdFusion lockdown installers. You can find the refreshed installers on the ColdFusion downloads page.
For more information, see the tech notes below:
The Docker images will be hosted shortly on Docker Hub.
Please update your ColdFusion versions and provide us your valuable feedback.
As of 1:54PM ET 11th July 2023 there is no download link for CF 2021 HF7 "Hotfix and packages repository:". Currently there is just the .jar file.
In the security bulletin about this, it also says:
Note: Adobe recommends updating your ColdFusion JDK/JRE to the latest version of the LTS releases for JDK 17 where applicable. Applying the ColdFusion update without a corresponding JDK update will NOT secure the server. See the relevant Tech Notes for more details.
But I can't find any reference to what JRE version we should be upgrading to, and which are supported.
Is there any documentation I can refer to regarding which JREs are supported?
Hello Jason,
For ColdFusion 2021/2018 you need to download JRE 11; for ColdFusion 2023 you need to download JRE 17.
You can download the JREs from the link below:
https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#downloads3
Thanks & Regards
Ravi
Or folks can just use the JVM that CF is set to run with, of course. It's unfortunate that that security bulletin has that sloppy language. Several people in the community and clients of mine are raising concern about it.
FWIW, I have addressed it as the last point in my blog post on the update, posted earlier today, which may have other info of interest to readers of this post:
https://www.carehart.org/blog/2023/7/11/coldfusion_p1_security_update_july_2023
And Ravi, there are some other matters I discuss there which could be easily rectified if someone could give them even just a little attention. As always, just trying to help.
So just for clarification, if you run this update through the Admin UI, do you also need to update the JRE to the latest version for the updates to be effective on 2018 and 2021?
If you run the update via the admin, the question of Java version is of no significance. That uses the Java that CF uses.
But of course, there IS significance to keeping that Java (which CF uses) updated to the latest Java version supported by that CF version. I have a table with that info that I keep updated here:
https://coldfusion.adobe.com/2021/01/table-of-java-to-cf-versions/
(I need to update it to add CF2023, which DOES support ONLY Java 17, while the others still do not.)
You've also not explained why this update does not include the "Hotfix and packages repository:" link that has been provided for all of the previous 6 ColdFusion 2021 Hotfixes. At the minimum simply state that it is not necessary instead of leaving it out there to be assumed. Thanks.
As of July 12, 2023 1:34 pm ET, here are some questions for the Adobe team:
1. What version of Java do you recommend for CF 2018 from the list below that is available for download here https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#downloads3?
Also, Adobe says there is 1 year extra EOL support for CF 2018 till July 2024. What does that look like? No patches at all or help as needed by customers?
JAVA SE 11.0.19 (LTS)
JAVA SE 11.0.18 (LTS)
JAVA SE 11.0.17 (LTS)
JAVA SE 11.0.16.1 (LTS)
JAVA SE 11.0.16 (LTS)
2. Is this hotfix applicable to people who used the lockdown installer ONLY or others as well? If someone didn't use the lockdown installer, can you please explain what this hotfix is doing or affecting?
3. Like Charlie mentioned, these announcements can be better worded. I can help the Adobe team, and I am sure Charlie/others can, if he is provided some input before these are posted, which is causing more confusion than helping anyone.
Thanks,
@Saurav_Ghosh, RaviShankar or anyone from Adobe, can you please clarify some of these questions?
Only the jar file is still available. The hotfix file is still missing. An MD5 hash is given, so there should be a file.
The Security Update 2 page has a broken link for the security bulletin here:
https://helpx.adobe.com/coldfusion/kb/coldfusion-2023-update-2.html
Can't see the details of the update.
As of Friday, July 14, 4:08 pm ET: for folks who were following this discussion, another hotfix was just released by Adobe. I came to know as I finished patching a server and sure enough there was another hotfix waiting in the line. 🙂
ColdFusion (2018 release) Update 18 https://helpx.adobe.com/coldfusion/kb/coldfusion-2018-update-18.html
The https://helpx.adobe.com/security/products/coldfusion/apsb23-41.html link is broken as of right now. I am guessing they are actively working on it.
Thanks,