NOW LIVE! Adobe ColdFusion 2023 and 2021 June 2024 security updates
Copy link to clipboard
Copied
Update (6/12):
- Minor edits in the default algorithm section.
- Added links to Docker images.
Update (6/13):
- CFFiddle is updated with the updates.
- Removed extra space in -Dcoldfusion.encryption.useCFMX_COMPATAsDefault=TRUE
Update (6/21):
- Changed the checksum of the CF 2023 packages. Thank you @Legorol
We are pleased to announce that we have released security updates to ColdFusion (2023 release) Update 8 and ColdFusion (2021 release) Update 14.
This update includes several security fixes to ensure the safety and security of our systems. These changes address potential vulnerabilities and threats and are part of our ongoing commitment to protecting your data and privacy.
For more information, view the security bulletin, APSB24-41.
Where do I download the updates from
Download the updates from the following locations:
What do these updates contain
Change in default algorithm
- The default encryption algorithm in ColdFusion changes from CFMX_COMPAT to another algorithm for seven encryption functions.
- Use the new JVM argument -Dcoldfusion.encryption.useCFMX_COMPATAsDefault=TRUE to revert the change. By default, the value is False,
- The flag -Dcoldfusion.encryption.useCFMX_COMPATAsDefault will be supported in future security updates for the 2023 and 2021 releases of Adobe ColdFusion.
CFdocument access control issues
We've introduced a new JVM flag: -Dcfdocument.metahttpequivrefresh.localfile=TRUE. This flag allows you to call the URL or location passed in the HTML meta tag. By default, the value is FALSE.
However, in the next major release of ColdFusion, we WILL remove the flag.
Package updates
The following packages have been updated:
- document
- htmltopdf
- presentation
- report
Solr upgrade
If you manually upgraded Solr to version 8.11.2 using the instructions in Upgrade SOLR to mitigate security risks in ColdFusion, then after installing Update 8, SOLR will not downgrade to version 7.9.
For more information, view the following tech notes:
Are the Docker images available
The images are available on the Docker hub and ECR.
Please update your ColdFusion versions and provide us with your valuable feedback.
Copy link to clipboard
Copied
Thanks as always for the heads-up, Saurav. That said, readers here really MUST read the technote linked to above (for either CF2023 or 2021) for more detail, and to more fully understand what will happen on doing this update, including both the jvm config choice AND the more important practical steps to take to migrate any existing encrypted data (that you've encrypted with your CFML code) to use a new algorithm.
I've not had a chance to try this, but can anyone confirm/state explicitly that this has nothing to do with passwords encrypted by the CF Admin, such as its login, or passwords for datasources, scheduled tasks, and the like? I'm inclined to think it does not, or it would have said so. But I'm sure people will ask. (It's perhaps unfortunate that the technotes currently refer to "passwords" as the values people may neet to update. I suspect that's written under the preumption that people were encrypting their own user passwords, created with their own code, and thus again NOTHING to do with CF admin passwords.)
BTW, I would normally dig into this before even writing, but I'm in Germany as I speak, having just arrived early today for CFCamp this week. It's late as I see this, 7 hours ahead of my normal US Central time and I've been up all day--and the flight was all night getting here, so I'm out of steam to investigate tonight!
/Charlie (troubleshooter, carehart.org)
Copy link to clipboard
Copied
@Charlie Arehart As far as I know, none of the encrypted passwords in CFAdmin use CFMX_COMPAT. I can say with certainty admin login and RDS do not.
And - acknowledging the work to find and refactor impacted code – I’d applaud breaking changes with the end goal of a more secure default environment as a good thing (albeit a painful process). Vulnerable legacy code that runs on a fully-patched platform is still vulnerable code.
On the CFMX_COMPAT change specfically -- The new default algorithm of AES/CBC/PKCS5Padding is probably the best choice, but it’s now also very important for developers to check the integrity of any user-controlled ciphertext (for example, if it’s passed in a cookie or a URL parameter) with an HMAC or similar technique to avoid padding oracle vulnerabilities. Pardon the shameless self-linking 🙂 , but I’ve written about padding oracles and CFML previously for those who may want a little more detail - https://www.hoyahaxa.com/2023/07/on-coldfusion-aes-and-padding-oracle.html
Copy link to clipboard
Copied
Thanks, Brian (for that and the issue you raised that led to this change).
/Charlie (troubleshooter, carehart.org)
Copy link to clipboard
Copied
Haha - thanks Charlie, but I can't take credit for the CFMX_COMPAT change. That one wasn't me. 😄
Copy link to clipboard
Copied
Hi Saurav,
Could you give some clarification on the second bullet point under 'Change in default algorithm'?
- Use the new JVM argument -Dcoldfusion.encryption.useCFMX_COMPATAsDefault=TRUE to make the change. By default, the value is False, if you need to use CFMX_COMPAT.
The setting name 'useCFMX_COMPATAsDefault' suggests that setting it to TRUE maintains current behaviour, whereas setting it to FALSE allows the new changes to take effect. Please could you confirm the behaviour for each value?
Best regards,
Mike.
Copy link to clipboard
Copied
@TheRealMC
The default encryption algorithm is no more CFMX_COMPAT.
If you want to use CFMX_COMPAT as default encryption algorithm, use -Dcoldfusion.encryption.useCFMX_COMPATAsDefault=TRUE.
Copy link to clipboard
Copied
Many thanks for the confirmation.
Copy link to clipboard
Copied
Is there a way to set that CFMX_COMPAT flag as an application variable? I know this has been possible in the past with other Java flags.
I ask because we have a potential issue we need to look at but don't want to apply the flag server-wide while the team looks into the issue.
Copy link to clipboard
Copied
@sdsinc_pmascari
We don't have anyway to enable this behaviour at application level.
Copy link to clipboard
Copied
FYI, This might just be me, but after applying the update, Jetty/lib/ext folder was removed causing Solr to not load. I restored the folder and any .jar files. Restart service and Solr is working again.
Copy link to clipboard
Copied
Running ColdFusion 2021 on Windows
Copy link to clipboard
Copied
@christopherr89853116
Team will get back on this.
Copy link to clipboard
Copied
christopher, can you pls. share the hf install log and the hotfix-filechange log from the update. also the location of your solr installation on your host (if its installed with cf or as an addon service)
with me at pnayak@adobe.com
Copy link to clipboard
Copied
Done Thanks Piyush
Copy link to clipboard
Copied
I can confirm experiencing the same thing that Christopher reported, regarding Solr, at least on one of my machines. It was on CF2021 update 12 and I went to 14, and after that while the add-on service started and the "PDF service" would verify ok (in the CF Admin "PDF Service" page) , when I tried to visit the CF Admin "ColdFusion Collections" page, I got the error:
Unable to retrieve collections from the Search Services.
Ensure that you have installed ColdFusion Search Service and it is running.
I add that to help others who may get the error and come searching for that message (and perhaps it's what Christopher had first noted).
So I looked in the cfusion/jetty/logs folder and I could see in the stderrout.log (such as 2024_06_19.stderrout.log) that it did report an error on startup:
2024-06-19 09:08:54.633:WARN:oejw.WebAppContext:main: Failed startup of context o.e.j.w.WebAppContext@6ebf0f36{solr,/solr,file:///D:/ColdFusion2021/cfusion/jetty/work/jetty-0_0_0_0-8993-solr_war-_solr-any-/webapp/,UNAVAILABLE}{D:\ColdFusion2021\cfusion\jetty\webapps\solr.war}
java.lang.NoClassDefFoundError: Failed to initialize Apache Solr: Could not find necessary SLF4j logging jars. If using Jetty, the SLF4j logging jars need to go in the jetty lib/ext directory. For other containers, the corresponding directory should be used. For more information, see: http://wiki.apache.org/solr/SolrLogging
at org.apache.solr.servlet.CheckLoggingConfiguration.check(CheckLoggingConfiguration.java:27)
at org.apache.solr.servlet.BaseSolrFilter.<clinit>(BaseSolrFilter.java:30)
...
As Christopher noted, once I restored the jetty/lib/ext folder, and restarted the addon service, then the Collections page worked (and the stderrout log in the jetty/logs folder no longer reported that error above).
For those not aware, you can find the needed jetty/lib/ext folder in the backup folder created during the update, such as \ColdFusion2021\cfusion\hf-updates\hf-2021-00014-330296\backup\jetty\lib.
To be clear, on a machine where I had been running update 13 before applying update 14, I can confirm that update 13 had NOT removed that jetty/lib/ext folder, so it seems clearly update 14 that does this. But to add a twist, on that machine (where I went to update 14 from 13, instead of from 12), I did NOT find that the cfusion/jetty/lib/ext folder had been removed. So it may be that this only happens when going to update 14 from 12 or earlier.
Hope that info may help readers and Adobe as they seek to address this.
/Charlie (troubleshooter, carehart.org)
Copy link to clipboard
Copied
Thanks Charlie for verifying. I experienced this issue on 3 servers, all ColdFusion 2021 cluster instances going from Update 13 to 14. Currently working with PiyushN to troubleshoot.
Also, the update article discussing changes to Solr upgrade, I believe only apply to ColdFusion 2023. That was a bit confusing on determine if Solr was updated or not and for which version ColdFusion 2021 or 2023.
Copy link to clipboard
Copied
Understood on all points. Please keep us posted.
/Charlie (troubleshooter, carehart.org)
Copy link to clipboard
Copied
I've tried to install this twice now, and cannot load the cf admin page once the process is done. I receive the following exception in the coldfusion-error.log and a 500 error in the web browser. I'm running ColdFusion 2021 on Windows and upgrading from patch 13. I've tried this on both JDK 11.0.10 (old I know, but that is what I am currently running) and 11.0.23 and receive the same error.
Jun 12, 2024 1:29:18 PM org.apache.catalina.core.ApplicationContext log
INFO: failed to load: coldfusion.CfmServlet
Jun 12, 2024 1:29:18 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Allocate exception for servlet [CfmServlet]
java.lang.NullPointerException
at coldfusion.CfmServlet.init(CfmServlet.java:99)
at coldfusion.bootstrap.ClassloaderHelper.initServletClass(ClassloaderHelper.java:137)
at coldfusion.bootstrap.BootstrapServlet.init(BootstrapServlet.java:111)
at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1106)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1063)
at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:747)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:116)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:355)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:928)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1794)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:834)
Copy link to clipboard
Copied
@MarkAtCU Can you please check the update installation logs for any errors?
Location : <cfhome>/hf-updates\hf-2021-00014-330296
Copy link to clipboard
Copied
@hannah18Yes, there were errors (more details below):
336 Successes
1 Warnings
2 NonFatalErrors
4 FatalErrors
However, I just discovered that JVM 11.0.23 throws additional errors with my site even before the update. And, I discovered that in my haste yesterday, I never did actually update using the JVM 11.0.10. I reverted everything back to start fresh (on my test server) and was able to successfully install Update 14 on JVM 11.0.10.
The errors seem to center around the hotfix temp files. I had all the processes stopped, but received 4 of these errors:
Failed to copy hotfix files:[path]\392038.tmp\dist\updates: Failed to copy the hotfix files to the target location. Retry installation after ensuring that the server is not running or files are not locked by the server.
Failed to copy hotfix files:[path]\392038.tmp\dist\updates
Status: FATAL ERROR
Additional Notes: FATAL ERROR - Failed to copy the hotfix files to the target location:[path]\cfusion\lib\updates
FATAL ERROR - [path]\392038.tmp\dist\updates (The system cannot find the file specified)
Copy link to clipboard
Copied
Good to know that your issue has been resolved with JDK 11.0.10. We will further investigate this internally with JDK 11.0.23
Copy link to clipboard
Copied
Not sure if others are seeing this. In my dev environment, after the update, setting -Dcoldfusion.encryption.useCFMX_COMPATAsDefault =TRUE causes the CF instance to fail to load
coldfusion-out.log:
Jun 13, 2024 10:48:45 AM Information [main] - ColdFusion: application services are now available
Jun 13, 2024 10:48:46 WARN [main] - Unable to determine dialect of the StAX implementation at jar:file:/C:/ColdFusion2021/BoxesDev/lib/bundleaxis/wstx-asl-3.2.9.jar!/
Jun 13, 2024 10:48:46 AM Warning [main] - Unable to determine dialect of the StAX implementation at jar:file:/C:/ColdFusion2021/BoxesDev/lib/bundleaxis/wstx-asl-3.2.9.jar!/
Jun 13, 2024 10:54:46 AM Information [Thread-24] - Monitoring Service stopped.
Jun 13, 2024 10:54:46 AM Information [FelixStartLevel] - Monitoring Service stopped.
Jun 13, 2024 10:54:46 AM Information [Thread-24] - ColdFusion stopped
Server log:
Jun 13, 2024 10:48:45 AM Information [main] - ColdFusion: application services are now available
Jun 13, 2024 10:48:46 WARN [main] - Unable to determine dialect of the StAX implementation at jar:file:/C:/ColdFusion2021/BoxesDev/lib/bundleaxis/wstx-asl-3.2.9.jar!/
Jun 13, 2024 10:48:46 AM Warning [main] - Unable to determine dialect of the StAX implementation at jar:file:/C:/ColdFusion2021/BoxesDev/lib/bundleaxis/wstx-asl-3.2.9.jar!/
Jun 13, 2024 10:54:46 AM Information [Thread-24] - Monitoring Service stopped.
Jun 13, 2024 10:54:46 AM Information [FelixStartLevel] - Monitoring Service stopped.
Jun 13, 2024 10:54:46 AM Information [Thread-24] - ColdFusion stopped
Copy link to clipboard
Copied
Problem solved! The note above has a space in front of the = sign. Taking that out worked.
Copy link to clipboard
Copied
Yep, Charles. Glad you sorted it. I was about to tell you, when I saw you'd responded already.
And everyone (including Adobe): please note that the problem is not only in Saurav's post here but also in both the technotes. Please get that changed, before more people suffer for this. (Someone had informed me earlier about it. I was actually looking for that, as well as confirming it myself, and checking out those technotes, which is why I didn't reply sooner. Whoever that was, let me know again. I'll add a note about this on my blog post as well, and I'd like to give credit.)
/Charlie (troubleshooter, carehart.org)