neotranslator compiler

Report · Jul 25, 2024

We have a 2018 CF server that cannot be updated. There are some legacy app that do not lend themselves to that. We would like to disable the neotranslator compiler but cannot find any documention on doing so. Any assistance would be appreciated.

Report · Jul 25, 2024

While you await an answer on that question (which I've actually never heard before), can you share one or two of the things that make you unable to upgrade? I'm sure many would find that helpful.

...or maybe there's a way to overcome those, to allow you to get off that Cf version--which is no longer updated by Adobe. (The security risks alone would seem a strong driver to overcome those challenges.)

BTW, if the COST of upgrading to cf2023 might be an issue (because Adobe only offers a discount price for those who are now on cf2021), some great news is that there's a special offer of a 25% discount for those on cf2018 and earlier, available now through Sept. More at a post I offered:

https://www.carehart.org/blog/client/index.cfm/2024/7/8/limited_time_upgrade_discount_to_CF2023_from...

Let's see if anyone has more on your specific question, but I really hope you'll share what compatibility issue seems to be precluding your upgrade.

/Charlie (troubleshooter, carehart.org)

Report · Jul 25, 2024

As for the question there is a critical flaw, cve-2023-26360 that would have been patched by the latest 2018 patch. Since we could not apply that, the other option given was to disable the compiler.

As for the inability to upgrade... I made a couple attempts going from 2 to 6, 6 being a safe place to then move to current but the update kept failing and had to be rolled back several times. The reason for sticking with 2018 at this point is that there are some customers on a legacy business system. The business system provider provided a connector of sorts that could be called out of the Sun libraries to return data.

When we moved to 2018 from an older version much of the web code had to be re-written because of syntax and reserved word usage but the significant part was getting the provider to give us an updated connector.

We do have a fully patched CF2021 box and may have to bite the bullet and move the sites as a last resort. The 2018 machine is still running fine and scrapping it at 6 yrs old is not always an option for a small business.

Thanks for your response. May have to look into the discount pricing mentioned.

Report · Jul 26, 2024

As for the question there is a critical flaw, cve-2023-26360 that would have been patched by the latest 2018 patch. Since we could not apply that, the other option given was to disable the compiler.

By @sf-support

I don't think you have to go to the extent of messing around with compilers. Just apply Update 16 of ColdFusion 2018, which fixes CVE-2023-26360. Get Update 16 of CF 2018. In fact, you could just apply the latest update, as ColdFusion updates are generally cumulative.

Report · Jul 28, 2024

+1 to Charlie and BKBK's comments that the effort to move to a supported platform is going to be worth it for the security benefits alone. That's the best path forward.

With that said ... Some of the original technical analysis of CVE-2023-26360 mentions the NeoTranslator compiler as being a component used during exploitation. And at least one source mentions disabling the NeoTranslator compiler as an alternate workaround if you're unable to patch -- without giving specific details -- but does offer the caveat that "it will also prevent you from using some features of ColdFusion." The NeoTranslator compiler is used to convert CFML source into Java classes -- which is a pretty core part of the ColdFusion engine functionality. I'm unaware of any supported/official way to "disable the NeoTranslator compiler". There could be some hacky ways to do it (I have no idea what would work or if it would be effective security control) -- but then you'd also need to find a way to convert your legitimate CFML source into Java classes. Maybe you could pre-compile your code, but it just all seems like a convoluted path.

If your host is vulnerable to CVE-2023-26360, it's also vulnerable to Critical vulnerability CVE-2023-26359 (and subsequent variants CVE-2023-29300, CVE-2023-38203, CVE-2023-38204, and CVE-2023-44353) -- as well as other ColdFusion security patches that have only been released for CF2021 and 2023 (but also mpact <= CF2018).

There are a number of things you can do to lockdown a ColdFusion system if you're really unable to patch, but that choice will come with a significant amount of accepted risk. I will say that blocking remote HTTP/HTTPS access to *.cfc files (which will break/block access to all remote CFC components) will break exploitation of many recent critical ColdFusion vulnerabilities.

Report · Jul 29, 2024

Thanks to you both for your replies. It seems that I will have to launch into trying to update the patch level on that box. As an add-on question... the box is a patch 2. Is there a "best" level to try and move to first? I hae had to roll back an update twice so maybe I was just going to the wrong level and have to do it in stages.

Report · Jul 29, 2024

The patience of this forum has been great. I ask for your indulgence... I have looked over the 2018 server and noted

the reason the auto updater presumably does not work is the following error: "CFADMIN","Error: Element CFHF_BUILDNUMBER.XMLTEXT is undefined in INSTALLUPDATE A web search did not seem to point to any possible fix. Any suggestions?

Report · Jul 29, 2024

CFHF_BUILDNUMBER is an element within an XML file that ColdFusion uses during the installation process. See, for example

https://www.google.com/search?q=%22CFHF_BUILDNUMBER%22

https://cfdownload.adobe.com/pub/adobe/coldfusion/xml/updates.xml

The error message suggests that the XML file contains no build-number for a ColdFusion update performed via the ColdFusion Administrator. That implies the update attempt was likely incomplete.

I would suggest you do the following:

Roll back whatever update you had just installed via the Administrator.
Restart ColdFusion.
Do the update manually instead.

Report · Jul 29, 2024

Yikes. The only update was to 2 that occured in 2019 as far as I can see. Nothing more recent.

Report · Jul 29, 2024

I had assumed the CFHF_BUILDNUMBER error occurred when you attempted to install a recent update. Your last post sheds new light on the matter.

Given your last post, I would suggest you:

Install Update 4, and then install Update 19.

Report · Jul 30, 2024

Thanks for all of the suggestions. I will begin the manual upgrade of 4 to 19. In the meantime, I have verified that the exploit was marked as critical in the ips rulebase. We are monitoring that rulebase and are dropping any connections that match the footprint. I think the post can be closed.

Report · Jul 29, 2024

@sf-support , it is indeed a good idea to patch things up if, for whatever reason, you have to stay on ColdFusion 2018. As before, I would suggest you install the latest CF 2018 update, which is Update 19. I suggest this because ColdFusion updates are generally cumulative. Therefore, Update 19 includes Update 16, which fixes CVE-2023-26360.

Now, on to your question about the prerequisites for updates. You will find that information - for each update - on the ColdFusion 2018 updates site. Once there, click on the "this article" link for the relevant update. In this case, Update 19. The link will take you to the installation instructions for ColdFusion 2018 Update 19.

The instructions tell you that Update 4 is a prerequisite for Update 19. So, to start with, return to the ColdFusion 2018 updates page and install Update 4. Remember to follow the installation instructions.

After successfully installing Uodate 4, proceed with installing Update 19.

Adobe Community

neotranslator compiler

1 Correct answer