NOW LIVE! Adobe ColdFusion 2023 and 2021 March 2024 security updates

Thank you, Charlie. We wanted to add more context to the change.

@Sergei L. This is the correct checksum - 2b0f5588a81851f1e7bf874dd60bae8e

We are getting this updated in ColdFusion (2023 release) Updates

@megha1997 Thank you.  Anther question: hotfix-packages-cf2023-007-330663.zip contains updateinstallers/hotfix-007-330658.jar.  Is that intentional or should it have been replaced with the latest 007-330663. jar?

This is not intentional. It is being corrected to have the correct jar (007-330663.jar). Thanks for pointing this out

Devscreen, your cfparam will still work: you simply need to use name="url.step", which is also beneficial to anyone viewing your code. Of course, subsequent references to step need also to be changed to url.step, but if you're already doing that I'm saying this one cfparam line is all that needs to change, not your logic. 

Thanks Charlie.  I will definitely look into using name="url.step".

@DevScreen Yes. The application.cfc workaround will continue to work with the next release.

Thank you!

slysenko, while you await an answer from Adobe, let me note that adding that jvm arg will NOT "make code not compatible with future CF versions". You've misread things (but you're not alone).

It's that the arg will not DO ANYTHING in the next release.. It will be ignored. The change of searchimplicitscopes defaulting to false will remain, but you will not be able to use this jvm arg to override that.

You WILL still be able to use the application level configuration of searchimplicitscopes to control any individual app. 

And as for the note saying that setting true for either is discouraged (a note newly added by them overnight), that's telling folks that the whole point of the change is to prevent code (using unscoped variables) from finding resolution (implicitly searching) unexpectedly in those scopes which are now also listed in the technote (or in my comment here yesterday).

So yes, people CAN use either approach to change the default TO ALLOW that implicit searching, but they SHOULD NOT, for the sake of security. They should INSTEAD change their code--where unscoped variables could resolve to such scopes, so that they NAME the scope in which the variable should be found.

Again, it's NOT that ALL unscoped variables need to be changed.  See my comments here from yesterday or my blog post. 

Hope that helps. But again, ensure, let's hear what Adobe may have to say. 

@Sergei L. By "*This option is highly discouraged and should be considered only as a temporary workaround, until all application code is fixed." we mean this - Implicit searching of unscoped variables (list of affected scopes is added in the technote) poses a significant threat, and due to the internally discovered vulnerabilities associated with it, we have set this to false by default. As this is a major change that could break existing code, the jvm flag/setting to true at application level will aid in easing into the fix.

This is "highly discouraged" as the fix will be reverted while you are setting it to true, which we do not recommend from security standpoint, and this is "temporary" as the jvm flag will be removed in the next release and would no longer have the capability to revert the fix

@megha1997 Can doing below be considered safe?

<cfparam name ="step" default="">

<cfif isDefined("form.step")>
<cfset step=form.step>
</cfif>

<cfif isDefined("url.step")>
<cfset step=url.step>
</cfif>

Doing that will greatly help fix our code faster. But does that still pose significant threat? Or is it acceptable?

@Charlie Arehart Do you have any input on the above workaround I posted? Thanks!

There's absolutely nothing I can see to be concerned about with that code. What is your fear? I sincerely want to understand how people are taking in what's being said.

Do you fear some line there is "vulnerable"? Which one? Line 1? And what is the vulnerability you fear? Or what compatibility issue?

Is that you feel it's somehow vulnerable to have any unscoped variable, after the update, with searchimplicitscooes false? No. You're less vulnerable. Cf can't look to resolve that line 1 check for step in any of those scopes which can be populated "from the outside", as it were, such as cookie. Before the update, or with searchimplicitscopes true, it could. 

Thanks for your input. The only reason I thought of that is because before this update, CFPARAM did exactly what my logic is doing - if Form or URL scope exists, then the cfparam variable will be assigned that value. So by replicating that same behavior, instead of adding scope everywhere, I wondered if I am still continuing the said unsafe behavior.   If I just do those isDefined checks, then I don't need to add scope to the rest of my code and everything will just work. And I wondered if that's an OK way to proceed.

@DevScreen The code you added looks good to me. 

Thanks Megha!

A further refinement, that I would recommend, is to use StructKeyExists() rather than isDefined().

As there seems to be confusion around the CVE that is shown in the ColdFusion Security Bulletin (https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html), I would like to clarify this - The Scope vulnerability was internally identified, and hence, does not contain a CVE and cannot be disclosed. CVEs are only present for those vulnerabilities that are publicly disclosed. The vulnerability "Arbitrary file system read" that you see in the bulletin is different from the one in Implicit searching of unscoped variables.

Thanks very much for that clarification. There is indeed a lot of confusion on this and other matters related to this significant update.