NOW LIVE! Adobe ColdFusion 2023 and 2021 June 2024 security updates

Report · Jun 11, 2024

Update (6/12):

Minor edits in the default algorithm section.
Added links to Docker images.

Update (6/13):

CFFiddle is updated with the updates.
Removed extra space in -Dcoldfusion.encryption.useCFMX_COMPATAsDefault=TRUE

Update (6/21):

Changed the checksum of the CF 2023 packages. Thank you @Legorol

We are pleased to announce that we have released security updates to ColdFusion (2023 release) Update 8 and ColdFusion (2021 release) Update 14.

This update includes several security fixes to ensure the safety and security of our systems. These changes address potential vulnerabilities and threats and are part of our ongoing commitment to protecting your data and privacy.

For more information, view the security bulletin, APSB24-41.

Where do I download the updates from

Download the updates from the following locations:

What do these updates contain

Change in default algorithm

The default encryption algorithm in ColdFusion changes from CFMX_COMPAT to another algorithm for seven encryption functions.
Use the new JVM argument -Dcoldfusion.encryption.useCFMX_COMPATAsDefault=TRUE to revert the change. By default, the value is False,
The flag -Dcoldfusion.encryption.useCFMX_COMPATAsDefault will be supported in future security updates for the 2023 and 2021 releases of Adobe ColdFusion.

CFdocument access control issues

We've introduced a new JVM flag: -Dcfdocument.metahttpequivrefresh.localfile=TRUE. This flag allows you to call the URL or location passed in the HTML meta tag. By default, the value is FALSE.

However, in the next major release of ColdFusion, we WILL remove the flag.

Package updates

The following packages have been updated:

document
htmltopdf
presentation
pdf
print
report

Solr upgrade

If you manually upgraded Solr to version 8.11.2 using the instructions in Upgrade SOLR to mitigate security risks in ColdFusion, then after installing Update 8, SOLR will not downgrade to version 7.9.

For more information, view the following tech notes:

Are the Docker images available

The images are available on the Docker hub and ECR.

Please update your ColdFusion versions and provide us with your valuable feedback.

Report · Jun 11, 2024

Thanks as always for the heads-up, Saurav. That said, readers here really MUST read the technote linked to above (for either CF2023 or 2021) for more detail, and to more fully understand what will happen on doing this update, including both the jvm config choice AND the more important practical steps to take to migrate any existing encrypted data (that you've encrypted with your CFML code) to use a new algorithm.

I've not had a chance to try this, but can anyone confirm/state explicitly that this has nothing to do with passwords encrypted by the CF Admin, such as its login, or passwords for datasources, scheduled tasks, and the like? I'm inclined to think it does not, or it would have said so. But I'm sure people will ask. (It's perhaps unfortunate that the technotes currently refer to "passwords" as the values people may neet to update. I suspect that's written under the preumption that people were encrypting their own user passwords, created with their own code, and thus again NOTHING to do with CF admin passwords.)

BTW, I would normally dig into this before even writing, but I'm in Germany as I speak, having just arrived early today for CFCamp this week. It's late as I see this, 7 hours ahead of my normal US Central time and I've been up all day--and the flight was all night getting here, so I'm out of steam to investigate tonight!

/Charlie (troubleshooter, carehart.org)

Report · Jun 11, 2024

@Charlie Arehart As far as I know, none of the encrypted passwords in CFAdmin use CFMX_COMPAT. I can say with certainty admin login and RDS do not.

And - acknowledging the work to find and refactor impacted code – I’d applaud breaking changes with the end goal of a more secure default environment as a good thing (albeit a painful process). Vulnerable legacy code that runs on a fully-patched platform is still vulnerable code.

On the CFMX_COMPAT change specfically -- The new default algorithm of AES/CBC/PKCS5Padding is probably the best choice, but it’s now also very important for developers to check the integrity of any user-controlled ciphertext (for example, if it’s passed in a cookie or a URL parameter) with an HMAC or similar technique to avoid padding oracle vulnerabilities. Pardon the shameless self-linking 🙂 , but I’ve written about padding oracles and CFML previously for those who may want a little more detail - https://www.hoyahaxa.com/2023/07/on-coldfusion-aes-and-padding-oracle.html

Report · Jun 13, 2024

Thanks, Brian (for that and the issue you raised that led to this change).

/Charlie (troubleshooter, carehart.org)

Report · Jun 13, 2024

Haha - thanks Charlie, but I can't take credit for the CFMX_COMPAT change. That one wasn't me. 😄

Report · Jun 11, 2024

Hi Saurav,

Could you give some clarification on the second bullet point under 'Change in default algorithm'?

Use the new JVM argument -Dcoldfusion.encryption.useCFMX_COMPATAsDefault=TRUE to make the change. By default, the value is False, if you need to use CFMX_COMPAT.

The setting name 'useCFMX_COMPATAsDefault' suggests that setting it to TRUE maintains current behaviour, whereas setting it to FALSE allows the new changes to take effect. Please could you confirm the behaviour for each value?

Best regards,

Mike.

Report · Jun 11, 2024

@TheRealMC
The default encryption algorithm is no more CFMX_COMPAT.
If you want to use CFMX_COMPAT as default encryption algorithm, use -Dcoldfusion.encryption.useCFMX_COMPATAsDefault=TRUE.

Report · Jun 12, 2024

Many thanks for the confirmation.

Report · Jun 12, 2024

Is there a way to set that CFMX_COMPAT flag as an application variable? I know this has been possible in the past with other Java flags.

I ask because we have a potential issue we need to look at but don't want to apply the flag server-wide while the team looks into the issue.

Report · Jun 12, 2024

@sdsinc_pmascari
We don't have anyway to enable this behaviour at application level.

Report · Jun 12, 2024

FYI, This might just be me, but after applying the update, Jetty/lib/ext folder was removed causing Solr to not load. I restored the folder and any .jar files. Restart service and Solr is working again.

Report · Jun 12, 2024

Running ColdFusion 2021 on Windows

Report · Jun 12, 2024

@christopherr89853116
Team will get back on this.

Report · Jun 19, 2024

christopher, can you pls. share the hf install log and the hotfix-filechange log from the update. also the location of your solr installation on your host (if its installed with cf or as an addon service)

with me at pnayak@adobe.com

Report · Jun 19, 2024

Done Thanks Piyush

Report · Jun 19, 2024

I can confirm experiencing the same thing that Christopher reported, regarding Solr, at least on one of my machines. It was on CF2021 update 12 and I went to 14, and after that while the add-on service started and the "PDF service" would verify ok (in the CF Admin "PDF Service" page) , when I tried to visit the CF Admin "ColdFusion Collections" page, I got the error:

Unable to retrieve collections from the Search Services.
Ensure that you have installed ColdFusion Search Service and it is running.

I add that to help others who may get the error and come searching for that message (and perhaps it's what Christopher had first noted).

So I looked in the cfusion/jetty/logs folder and I could see in the stderrout.log (such as 2024_06_19.stderrout.log) that it did report an error on startup:

2024-06-19 09:08:54.633:WARN:oejw.WebAppContext:main: Failed startup of context o.e.j.w.WebAppContext@6ebf0f36{solr,/solr,file:///D:/ColdFusion2021/cfusion/jetty/work/jetty-0_0_0_0-8993-solr_war-_solr-any-/webapp/,UNAVAILABLE}{D:\ColdFusion2021\cfusion\jetty\webapps\solr.war}
java.lang.NoClassDefFoundError: Failed to initialize Apache Solr: Could not find necessary SLF4j logging jars. If using Jetty, the SLF4j logging jars need to go in the jetty lib/ext directory. For other containers, the corresponding directory should be used. For more information, see: http://wiki.apache.org/solr/SolrLogging
	at org.apache.solr.servlet.CheckLoggingConfiguration.check(CheckLoggingConfiguration.java:27)
	at org.apache.solr.servlet.BaseSolrFilter.<clinit>(BaseSolrFilter.java:30)
...

As Christopher noted, once I restored the jetty/lib/ext folder, and restarted the addon service, then the Collections page worked (and the stderrout log in the jetty/logs folder no longer reported that error above).

For those not aware, you can find the needed jetty/lib/ext folder in the backup folder created during the update, such as \ColdFusion2021\cfusion\hf-updates\hf-2021-00014-330296\backup\jetty\lib.

To be clear, on a machine where I had been running update 13 before applying update 14, I can confirm that update 13 had NOT removed that jetty/lib/ext folder, so it seems clearly update 14 that does this. But to add a twist, on that machine (where I went to update 14 from 13, instead of from 12), I did NOT find that the cfusion/jetty/lib/ext folder had been removed. So it may be that this only happens when going to update 14 from 12 or earlier.

Hope that info may help readers and Adobe as they seek to address this.

/Charlie (troubleshooter, carehart.org)

Report · Jun 20, 2024

Thanks Charlie for verifying. I experienced this issue on 3 servers, all ColdFusion 2021 cluster instances going from Update 13 to 14. Currently working with PiyushN to troubleshoot.

Also, the update article discussing changes to Solr upgrade, I believe only apply to ColdFusion 2023. That was a bit confusing on determine if Solr was updated or not and for which version ColdFusion 2021 or 2023.

Report · Jun 20, 2024

Understood on all points. Please keep us posted.

/Charlie (troubleshooter, carehart.org)

Report · Jun 12, 2024

I've tried to install this twice now, and cannot load the cf admin page once the process is done. I receive the following exception in the coldfusion-error.log and a 500 error in the web browser. I'm running ColdFusion 2021 on Windows and upgrading from patch 13. I've tried this on both JDK 11.0.10 (old I know, but that is what I am currently running) and 11.0.23 and receive the same error.

Jun 12, 2024 1:29:18 PM org.apache.catalina.core.ApplicationContext log
INFO: failed to load: coldfusion.CfmServlet
Jun 12, 2024 1:29:18 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Allocate exception for servlet [CfmServlet]
java.lang.NullPointerException
	at coldfusion.CfmServlet.init(CfmServlet.java:99)
	at coldfusion.bootstrap.ClassloaderHelper.initServletClass(ClassloaderHelper.java:137)
	at coldfusion.bootstrap.BootstrapServlet.init(BootstrapServlet.java:111)
	at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1106)
	at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1063)
	at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:747)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:116)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:355)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:928)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1794)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.base/java.lang.Thread.run(Thread.java:834)

Report · Jun 12, 2024

@MarkAtCU Can you please check the update installation logs for any errors?

Location : <cfhome>/hf-updates\hf-2021-00014-330296

Report · Jun 13, 2024

@hannah18Yes, there were errors (more details below):

336 Successes
1 Warnings
2 NonFatalErrors
4 FatalErrors

However, I just discovered that JVM 11.0.23 throws additional errors with my site even before the update. And, I discovered that in my haste yesterday, I never did actually update using the JVM 11.0.10. I reverted everything back to start fresh (on my test server) and was able to successfully install Update 14 on JVM 11.0.10.

The errors seem to center around the hotfix temp files. I had all the processes stopped, but received 4 of these errors:

Failed to copy hotfix files:[path]\392038.tmp\dist\updates: Failed to copy the hotfix files to the target location. Retry installation after ensuring that the server is not running or files are not locked by the server.

Failed to copy hotfix files:[path]\392038.tmp\dist\updates
Status: FATAL ERROR
Additional Notes: FATAL ERROR - Failed to copy the hotfix files to the target location:[path]\cfusion\lib\updates
FATAL ERROR - [path]\392038.tmp\dist\updates (The system cannot find the file specified)

Report · Jun 19, 2024

Good to know that your issue has been resolved with JDK 11.0.10. We will further investigate this internally with JDK 11.0.23

Report · Jun 13, 2024

Not sure if others are seeing this. In my dev environment, after the update, setting -Dcoldfusion.encryption.useCFMX_COMPATAsDefault =TRUE causes the CF instance to fail to load

coldfusion-out.log:

Jun 13, 2024 10:48:45 AM Information [main] - ColdFusion: application services are now available
Jun 13, 2024 10:48:46 WARN [main] - Unable to determine dialect of the StAX implementation at jar:file:/C:/ColdFusion2021/BoxesDev/lib/bundleaxis/wstx-asl-3.2.9.jar!/
Jun 13, 2024 10:48:46 AM Warning [main] - Unable to determine dialect of the StAX implementation at jar:file:/C:/ColdFusion2021/BoxesDev/lib/bundleaxis/wstx-asl-3.2.9.jar!/
Jun 13, 2024 10:54:46 AM Information [Thread-24] - Monitoring Service stopped.
Jun 13, 2024 10:54:46 AM Information [FelixStartLevel] - Monitoring Service stopped.
Jun 13, 2024 10:54:46 AM Information [Thread-24] - ColdFusion stopped

Server log:

Jun 13, 2024 10:48:45 AM Information [main] - ColdFusion: application services are now available
Jun 13, 2024 10:48:46 WARN [main] - Unable to determine dialect of the StAX implementation at jar:file:/C:/ColdFusion2021/BoxesDev/lib/bundleaxis/wstx-asl-3.2.9.jar!/
Jun 13, 2024 10:48:46 AM Warning [main] - Unable to determine dialect of the StAX implementation at jar:file:/C:/ColdFusion2021/BoxesDev/lib/bundleaxis/wstx-asl-3.2.9.jar!/
Jun 13, 2024 10:54:46 AM Information [Thread-24] - Monitoring Service stopped.
Jun 13, 2024 10:54:46 AM Information [FelixStartLevel] - Monitoring Service stopped.
Jun 13, 2024 10:54:46 AM Information [Thread-24] - ColdFusion stopped

Report · Jun 13, 2024

Problem solved! The note above has a space in front of the = sign. Taking that out worked.

Report · Jun 13, 2024

Yep, Charles. Glad you sorted it. I was about to tell you, when I saw you'd responded already.

And everyone (including Adobe): please note that the problem is not only in Saurav's post here but also in both the technotes. Please get that changed, before more people suffer for this. (Someone had informed me earlier about it. I was actually looking for that, as well as confirming it myself, and checking out those technotes, which is why I didn't reply sooner. Whoever that was, let me know again. I'll add a note about this on my blog post as well, and I'd like to give credit.)

/Charlie (troubleshooter, carehart.org)