
LIVE! ColdFusion 2023, 2021, and 2018 July 2023 Security Updates

Adobe Employee, Jul 11, 2023

We are pleased to announce that we have released the updates for the following ColdFusion versions:

In these updates, we’ve fixed a few security bugs mentioned in the security bulletin, APSB23-40.

We’ve also refreshed ColdFusion lockdown installers. You can find the refreshed installers on the ColdFusion downloads page.

For more information, see the tech notes below:

The Docker images will be hosted shortly on Docker Hub.

Please update your ColdFusion versions and provide us your valuable feedback.

Explorer, Jul 11, 2023

As of 1:54PM ET 11th July 2023 there is no download link for CF 2021 HF7 "Hotfix and packages repository:".  Currently there is just the .jar file. 

New Here, Jul 11, 2023

In the security bulletin about this, it also says:

Note: Adobe recommends updating your ColdFusion JDK/JRE to the latest version of the LTS releases for JDK 17 where applicable. Applying the ColdFusion update without a corresponding JDK update will NOT secure the server. See the relevant Tech Notes for more details.

But I can't find any reference to what JRE version we should be upgrading to, and which are supported.

Is there any documentation I can refer to regarding which JREs are supported?

Adobe Employee, Jul 11, 2023

Hello Jason,

For ColdFusion 2021/2018 you need to download JRE 11; for ColdFusion 2023 you need to download JRE 17.

You can download JREs from the link below:

https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#downloads3

Thanks & Regards

Ravi

Community Expert, Jul 11, 2023

Or folks can just use the JVM that CF is set to run with, of course. It's unfortunate that that security bulletin has that sloppy language. Several people in the community and clients of mine are raising concern about it.

FWIW, I have addressed it as the last point in my blog post on the update, posted earlier today, which may have other info of interest to readers of this post:

https://www.carehart.org/blog/2023/7/11/coldfusion_p1_security_update_july_2023

And Ravi, there are some other matters I discuss there which could be easily rectified if someone could give them even just a little attention. As always, just trying to help.

/Charlie (troubleshooter, carehart.org)

Explorer, Jul 12, 2023

So just for clarification, if you run this update through the Admin UI, do you also need to update the JRE to the latest version for the updates to be effective on 2018 and 2021?

Community Expert, Jul 12, 2023

If you run the update via the admin, the question of Java version is of no significance. That uses the Java that CF uses.

But of course, there IS significance to keeping that Java (which CF uses) updated to the latest Java version supported by that CF version. I have a table with that info that I keep updated here:

https://coldfusion.adobe.com/2021/01/table-of-java-to-cf-versions/

(I need to update it to add CF2023, which DOES support ONLY Java 17, while the others still do not.)

/Charlie (troubleshooter, carehart.org)

Explorer, Jul 12, 2023

You've also not explained why this update does not include the "Hotfix and packages repository:" link that has been provided for all of the previous 6 ColdFusion 2021 Hotfixes.  At the minimum simply state that it is not necessary instead of leaving it out there to be assumed. Thanks.

Explorer, Jul 12, 2023

As of July 12, 2023 1:34 pm ET, here are some questions for the Adobe team:

1. What version of Java do you recommend for CF 2018 from the list below, which is available for download here: https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#downloads3?

Also, Adobe says there is 1 year extra EOL support for CF 2018 till July 2024. What does that look like? No patches at all or help as needed by customers?

JAVA SE 11.0.19 (LTS)
JAVA SE 11.0.18 (LTS)
JAVA SE 11.0.17 (LTS)
JAVA SE 11.0.16.1 (LTS)
JAVA SE 11.0.16 (LTS)

2. Is this hotfix applicable to people who used the lockdown installer ONLY or others as well? If someone didn't use the lockdown installer, can you please explain what this hotfix is doing or affecting?

3. Like Charlie mentioned, these announcements can be better worded. I can help the Adobe team, and I am sure Charlie/others can if he is provided some input before these are posted, which is causing more confusion than helping anyone.

Thanks,

Explorer, Jul 14, 2023

@Saurav_Ghosh, RaviShankar or anyone from Adobe, can you please clarify some of these questions?

New Here, Jul 13, 2023

Only the jar file is still available. The hotfix file is still missing. An MD5 hash is given, so there should be a file.

New Here, Jul 14, 2023

The Security Update 2 page has a broken link for the security bulletin here:
https://helpx.adobe.com/coldfusion/kb/coldfusion-2023-update-2.html

Can't see the details of the update.

Explorer, Jul 14, 2023

As of Friday, July 14, 4:08 pm ET, for folks who were following this discussion, another hotfix was just released by Adobe. I came to know as I finished patching a server and sure enough there was another hotfix waiting in the line. 🙂

ColdFusion (2018 release) Update 18 https://helpx.adobe.com/coldfusion/kb/coldfusion-2018-update-18.html

The https://helpx.adobe.com/security/products/coldfusion/apsb23-41.html link is broken as of right now. I am guessing they are actively working on it.

Thanks,
