NOW LIVE! Adobe ColdFusion 2023 and 2021 June 2024 security updates

Adobe Employee, Jun 11, 2024

Update (6/12):

  • Minor edits in the default algorithm section.
  • Added links to Docker images.

Update (6/13):

  • CFFiddle is updated with the updates.
  • Removed extra space in -Dcoldfusion.encryption.useCFMX_COMPATAsDefault=TRUE

Update (6/21):

  • Changed the checksum of the CF 2023 packages. Thank you @Legorol

We are pleased to announce that we have released security updates to ColdFusion (2023 release) Update 8 and ColdFusion (2021 release) Update 14.


This update includes several security fixes to ensure the safety and security of our systems. These changes address potential vulnerabilities and threats and are part of our ongoing commitment to protecting your data and privacy.


For more information, view the security bulletin, APSB24-41.


Where do I download the updates from?

Download the updates from the following locations:


What do these updates contain?

Change in default algorithm

  • The default encryption algorithm in ColdFusion changes from CFMX_COMPAT to another algorithm for seven encryption functions.
  • Use the new JVM argument -Dcoldfusion.encryption.useCFMX_COMPATAsDefault=TRUE to revert the change. By default, the value is FALSE.
  • The flag -Dcoldfusion.encryption.useCFMX_COMPATAsDefault will continue to be supported in future security updates for the 2023 and 2021 releases of Adobe ColdFusion.
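As an added example (not from Adobe's announcement), a CFScript snippet that names the algorithm and encoding on every encrypt()/decrypt() call, so application code depends neither on the changed default nor on the -Dcoldfusion.encryption.useCFMX_COMPATAsDefault=TRUE revert; legacy CFMX_COMPAT data is read by naming that algorithm explicitly and then re-encrypted. The sample plaintext and legacy key are constructed, and the AES round trip assumes ColdFusion's standard behaviour of prepending a random IV when none is supplied.

```cfml
<cfscript>
// Added example, not Adobe's code: pin the algorithm per call instead of
// relying on the server-wide default selected by the JVM flag.

// New data: always state algorithm and encoding explicitly.
secretKey = generateSecretKey("AES");               // 128-bit key, Base64-encoded
plain     = "account-token-12345";                  // constructed sample value
cipher    = encrypt(plain, secretKey, "AES/CBC/PKCS5Padding", "Base64");
back      = decrypt(cipher, secretKey, "AES/CBC/PKCS5Padding", "Base64");
writeOutput(back eq plain ? "AES round trip OK<br>" : "AES round trip FAILED<br>");

// Legacy data: records written under the old default remain readable when
// CFMX_COMPAT is named on the decrypt() call; no global revert is needed.
legacyKey    = "oldkey";                            // constructed placeholder key
legacyCipher = encrypt("legacy record", legacyKey, "CFMX_COMPAT", "Hex"); // stands in for stored data
legacyPlain  = decrypt(legacyCipher, legacyKey, "CFMX_COMPAT", "Hex");
writeOutput("legacy read: " & legacyPlain & "<br>");

// Migration: re-encrypt the recovered plaintext under AES and store the result,
// so CFMX_COMPAT is no longer needed for that record.
migrated = encrypt(legacyPlain, secretKey, "AES/CBC/PKCS5Padding", "Base64");
writeOutput("migrated: " & migrated);
</cfscript>
```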

CFdocument access control issues

We've introduced a new JVM flag: -Dcfdocument.metahttpequivrefresh.localfile=TRUE. This flag allows cfdocument to call the URL or location passed in the HTML meta tag. By default, the value is FALSE.

However, in the next major release of ColdFusion, we WILL remove the flag.


Package updates

The following packages have been updated:

  • document
  • htmltopdf
  • presentation
  • pdf
  • print
  • report


Solr upgrade

If you manually upgraded Solr to version 8.11.2 using the instructions in Upgrade SOLR to mitigate security risks in ColdFusion, then after installing Update 8, Solr will not be downgraded to version 7.9.


For more information, view the following tech notes:


Are the Docker images available?

The images are available on Docker Hub and ECR.


Please update your ColdFusion versions and provide us with your valuable feedback.

Topics: Security | Views: 3.1K

Community Beginner, Jul 29, 2024

Greetings,


After applying update 8 to CF2023, the connection to one of my Oracle datasources returns the following error:

Error Executing Database Query. [DataDirect][Oracle JDBC Driver]arraycopy: destination index -1 out of bounds for byte[128].

Looks like the issue is connected to the change in the default encryption value. Adding -Dcoldfusion.encryption.useCFMX_COMPATAsDefault=TRUE to the JVM arguments fixed that issue.


Interesting that I have a few Oracle datasources (different servers) and the error happened only on one of those.

I hope that helps those that experience the same issue.


Regards,

Simon

UC Berkeley

Community Beginner, Jul 29, 2024

Greetings,

It turned out that the error was intermittent and adding a JVM argument didn't resolve that issue. I was too fast to report success.
For now the only info is that we didn't have that issue before update 8 to CF2023. We have a CF2023 environment without update 8 and no issue.

I wonder if anybody experiences a similar issue with CF2023 update 8 or has any suggestions.

Regards,
Simon
UC Berkeley

Community Expert, Jul 29, 2024

Simon, I'm not aware of anyone else having that issue (though they may, of course). But I'll offer some thoughts/questions:

  • Is it really that the failure is only when you USE the DSN? Or also when you might try to VERIFY it within the cf admin? That could be a helpful diagnostic point.
  • If you know the cf dsn password and enter it, does it work then? I realize you won't want to do that as a workaround if you have many--or if you don't KNOW the passwords. But if they are few and you DO, it could at least get you back to operational. Let us know if you try.

If you can't or won't do that, or want to press on for the sake of others, tell us also:

  1. what Java version cf reports using in the cf admin (settings summary page. Please don't trust your recollection, expectation, nor report alone what's indicated in the cf admin JVM page's Java home value)
  2. And what Oracle version is in use for the failing dsns?
  3. And if any "work", what is their version?
  4. Finally, if some dsn works and another doesn't work, that would be important to hear and for us to try to understand.

Or maybe someone else will have a different suggestion for you.


/Charlie (troubleshooter, carehart.org)

Community Beginner, Jul 29, 2024

Charlie,


It turned out to be a coincidence of events. Our DBAs updated the Oracle DB over the weekend and I also applied CF update 8 over the weekend. That Oracle update created a very nasty intermittent issue with the DB connection, not the CF update.

It is actually described in another Adobe post. See - https://community.adobe.com/t5/coldfusion-discussions/how-to-fix-the-arraycopy-out-of-bound-error/m-...


I hope I actually managed to resolve that by downloading the Oracle JDBC driver ojdbc11.jar and successfully adding the datasource connection as Other. Not sure what other issues that driver may cause (probably not certified with CF2023), but it resolved the connection error.


Regards,

Simon

UC Berkeley

Community Expert, Jul 29, 2024

Hope it works out. FWIW, I actually HAD meant to ask about what jdbc driver you were using, as that can indeed have an impact on such problems. 🙂


/Charlie (troubleshooter, carehart.org)
