NOW LIVE! Adobe ColdFusion 2023 and 2021 December 2024 security updates

Adobe Employee, Dec 23, 2024

We have released critical security updates for ColdFusion (2023 release) and ColdFusion (2021 release).

 

Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read.

 

View the security bulletin, APSB24-107, and the tech notes for more information.

 

Where do I download the updates from?

Download the updates from the following locations:

 

For more information, view the following tech notes:

 

Known issues in the updates

  • When Update 12 of ColdFusion (2023 release) or Update 18 of ColdFusion (2021 release) is installed on JEE deployments, an error message might appear in certain cases upon attempting to view the Settings Summary page in ColdFusion Administrator.
  • If you encounter an issue while applying Update 12 on the ColdFusion (2023 release) cloud images, contact cfsup@adobe.com for a resolution.

 

Are the Docker images available?

The images are available on the Docker hub and ECR.

 

Is CFFiddle updated with the changes?

CFFiddle is updated with the changes.

 

Please update your ColdFusion versions and provide your valuable feedback.

Views: 503
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert, Dec 23, 2024

Merry Christmas to us. Nothing like security updates at the holiday season, and a "critical" one at that. (Folks will see that the APSB link classifies it as both "critical" severity and "priority 1".) Time will tell what the issue is and how it might be exploited.

 

Folks running CF on cloud servers REALLY need to heed that closing comment offered above: "If you encounter an issue while applying Update 12 on the ColdFusion (2023 release) cloud images, contact cfsup@adobe.com for a resolution." There was a need with the prior updates for those running the Amazon and Azure AMIs to apply a special hotfix that Adobe would provide on request. It seems perhaps this is hinting that that may (or will) happen again here. Just a little bow on this present.

 

Bah humbug. Let's just hope the "ghost of Christmas past" doesn't make this as painful as Dec 2021's log4j pandemic (if I can bend the metaphor). That one sparked worldwide fear in IT orgs, and though thankfully CF turned out never to be affected, it ruined many a holiday that year.


/Charlie (troubleshooter, carehart.org)

Adobe Employee, Dec 23, 2024

@Charlie Arehart  Log4j was a nightmare; this is not going to be an issue for the users. I suggest all users reading this comment thoroughly review the article before applying the update. We are here to help and ensure that this goes smoothly.

Thanks,
Priyank Shrivastava

Community Expert, Dec 23, 2024

I appreciate that you're saying this should not be as painful as the log4j issue was (and certainly not as wide a scope). And I was suggesting the same, but I realize my words saying "let's hope it's not" could be read either way.

 

That said, some might misinterpret your words, "this is not going to be an issue for the users". I suppose you mean "this issue has nothing to do with log4j" (and I didn't mean to suggest it may).

 

But by referring to "the users", it's not clear what you mean. You may be trying to limit somehow who should expect to be affected by the vulnerability...but I know that's always a dicey proposition and that you guys tend to remain close-lipped about stating anything but the minimum facts. If you may like to clarify that point, I'm sure some may appreciate it.

 

And sure, of course "all users" should "thoroughly review the article" (the technote, and the APSB, and Saurav's post above). I definitely wasn't discouraging that at all. And speaking of that, I find info now in the technote regarding the PMT which raises some confusion. I'll offer that in a new reply here.


/Charlie (troubleshooter, carehart.org)

Adobe Employee, Dec 23, 2024

Hi Charlie,

 

When I say "users" I mean the customers who manage the server, not the end user who uses the application. Server Admins should review the article before applying the update.

 

Thanks,
Priyank Shrivastava

New Here, Dec 23, 2024

Did this vulnerability simply require the PMT package to be installed or if the PMT had to be installed and running to be vulnerable to this CVE?

Adobe Employee, Dec 23, 2024

@neochuck If you are not using PMT, then there is no need to install PMT. You can uninstall the pmtagent module from CF Admin. For more details, please check the article.

Thanks,
Priyank Shrivastava

New Here, Dec 23, 2024

I am sorry but that didn't answer my question.

 

Did simply having the PMT module installed open up CF 2023 and CF 2021 to this vulnerability or did you have to have the PMT module installed AND have PMT configured and running?

Adobe Employee, Dec 23, 2024

Hi @neochuck 

If you simply have PMT module installed, that could make you vulnerable. You need not have PMT installed or configured. Kindly refer to the FAQ section in the technote:

https://helpx.adobe.com/coldfusion/kb/coldfusion-2023-update-12.html

 

Community Expert, Dec 23, 2024

I see on closer inspection of the technotes (for the updates of either 2023 or 2021) that those make a seemingly important clarification which is not made above at all: the sentence above, says "Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read".

 

The technotes instead say that this update, "resolves a critical vulnerability that could lead to arbitrary file system read, if the pmtagent package is installed on your ColdFusion server." That's an important distinction.

 

For those not aware, the pmt is the Performance Monitoring Toolset, which was introduced in CF2018 as an option (for all CF editions, Standard and Enterprise). It's a separately installed service (whether installed on the same machine as CF or another.)  And CF2021 and above offer a "pmtagent" module/package as one of the few dozen optional packages.

 

And whether you ever implemented the PMT service itself (on the same machine or another), what matters for this update is simply whether you have the PMTAgent module installed--even if you may not be using the PMT (may not have the PMT monitoring your CF instance). The update includes an update to that module.

 

Even if you may think "we don't use the PMT" or "we never added the pmtagent package", you may have it. Note that the full/GUI installer of CF does implement all packages by default. Same with the zip installer, if you told its cfinstall script to install all. Similarly, one could click "install all" in the CF Admin (to install all packages), or one could run the cfpm script and tell it to install all. So really, you just need to check the package manager page of the CF Admin (or use cfpm list) to know if you do have the pmtagent installed.

 

The technotes do go on to offer several questions and answers to help folks try to decide if this applies to them.  (And one of those also clarifies that if you DO use the PMT and apply the update, but only later realize your PMT service was not running at the time of the CF update, you just need to start the PMT and then restart CF.)

 

I will say, finally, that there seems potential for confusion in the update technotes' discussion of "the uuid" (also in the other new technote they point to). By just referring to "the uuid" some readers will misconstrue that this has something to do with CF's uuid feature (set in the CF Admin and affecting various aspects of code and cookies).

 

But instead the discussion is SPECIFICALLY about "the UUID" that's used for communication between CF and the PMT. That other technote makes that more clear if one keeps reading. But again, the update technotes and the top of this other technote could be made clearer from the outset that this uuid discussion is indeed limited to the uuid used for communication between CF and the PMT.


/Charlie (troubleshooter, carehart.org)

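As an added example (not code from Adobe, the technote, or anyone in this thread), here is a POSIX shell script that does the check described in the post above: it lists the installed packages with the cfpm CLI, reports whether pmtagent is present, and can optionally uninstall it on servers that do not use the PMT. It assumes cfpm.sh lives at $CF_HOME/cfusion/bin/cfpm.sh, that "cfpm.sh list" prints one package per line with the package name as the first field, and that "cfpm.sh uninstall pmtagent" removes the package; the default CF_HOME path and that output format are assumptions to verify against your own build. It applies to CF2021 and CF2023 only, since cfpm was introduced in CF2021.

```shell
#!/bin/sh
# Added example: inventory the pmtagent package on a ColdFusion 2021/2023
# server with the cfpm CLI. Not Adobe's code and not from the thread.
#
# Assumptions (verify on your build):
#   - cfpm is at $CF_HOME/cfusion/bin/cfpm.sh (default path below is a placeholder)
#   - "cfpm.sh list" prints one package per line, package name first
#   - "cfpm.sh uninstall pmtagent" removes the package

CF_HOME="${CF_HOME:-/opt/ColdFusion2023}"   # assumed default; override in env
CFPM="$CF_HOME/cfusion/bin/cfpm.sh"

# pmtagent_installed: read a package listing on stdin; exit 0 if any line's
# first field is "pmtagent" (case-insensitive, leading whitespace ignored),
# exit 1 otherwise. Kept as a pure filter so it can be tested without cfpm.
pmtagent_installed() {
    awk 'BEGIN { hit = 1 } tolower($1) == "pmtagent" { hit = 0 } END { exit hit }'
}

# check_live_server: run the real cfpm listing through the filter.
# Returns 0 = installed, 1 = not installed, 2 = cfpm not found.
check_live_server() {
    if [ ! -x "$CFPM" ]; then
        echo "cfpm not found at $CFPM; set CF_HOME to your ColdFusion root" >&2
        return 2
    fi
    "$CFPM" list | pmtagent_installed
}

main() {
    check_live_server
    rc=$?
    case "$rc" in
        0)
            echo "pmtagent IS installed on $(hostname): in scope for APSB24-107"
            if [ "$REMOVE_PMTAGENT" = "yes" ]; then
                echo "removing pmtagent (this host does not use the PMT)"
                "$CFPM" uninstall pmtagent
            fi
            ;;
        1)
            echo "pmtagent not installed on $(hostname)"
            ;;
        *)
            return "$rc"
            ;;
    esac
    echo "reminder: apply Update 12 (2023) / Update 18 (2021) regardless"
}

# Usage: sh check_pmtagent.sh check    (report only)
#        sh check_pmtagent.sh remove   (report, then uninstall if present)
case "${1:-}" in
    check)  REMOVE_PMTAGENT=no;  main ;;
    remove) REMOVE_PMTAGENT=yes; main ;;
esac
```

The filter is separated from the live call so it can be exercised on a constructed listing (for instance, piping "cfimage", "pmtagent" and "solr" on separate lines into pmtagent_installed) before trusting it on a server. Removing the package only narrows exposure for hosts that genuinely do not use the PMT; the update itself still has to be applied either way, as the announcement above says.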
Community Expert, Dec 23, 2024

FWIW, I was writing that comment before seeing neochuck's comment.


/Charlie (troubleshooter, carehart.org)

New Here, Dec 23, 2024

The article FAQ section was updated after I had read it to include that information about simply having the PMT package would make one vulnerable.

Explorer, Dec 23, 2024

As others have already mentioned, there's a lot of good information in the Tech Notes/FAQ.  I've written up some initial thoughts and analysis on the vulnerability, along with additional recommendations and potential controls - https://www.hoyahaxa.com/2024/12/an-initial-analysis-of-cve-2024-53961.html

 

 

Community Expert, Dec 23, 2024

Thanks so much for that work you do, Brian!


/Charlie (troubleshooter, carehart.org)

Adobe Employee, Dec 24, 2024

Well researched.

Explorer, Dec 24, 2024

Thank you Satyam!  A high compliment!

Community Expert, Dec 23, 2024

I've now added a blog post announcing the update as well, pointing to this and other Adobe resources, as well as Brian's blog and Pete Freitag's (I was waiting before posting to see how things shook out in various discussions here and such other possible resources first.)

 

But something I discuss there which I've not yet seen anyone else discuss is the matter of  "what about those still running CF2018"? Since that's when the PMT was introduced, I would assume this vulnerability impacts them as well. Of course, since CF2018 support ended in July 2023, Adobe won't provide an update for CF2018--nor have they mentioned it in the resources above (and perhaps they will only want to reply to this restating that indeed they "don't support it".) 

 

But something I mention there (along with a strong encouragement to get off that version, of course) is that at least those folks should also remove the pmtagent, certainly if they are not using the PMT...and even if they are, this is a strong argument to do it and stop using that PMT (which is still another reason to get to a supported CF version).


/Charlie (troubleshooter, carehart.org)
