NOW LIVE! Adobe ColdFusion 2023 and 2021 March 2024 security updates

Saurav (or others at Adobe), please change the update technote, which has very unfortunate erroneous wording in its introduction of the change regarding implicit scope searching. It says:

Starting with this update, ColdFusion will default to searchimplicitscopes=FALSE and if a variable name is not prefixed with a scope identifier, an error is returned.

That last phrase is NOT true. It's not that ANY unscoped variable will fail.

Instead, it's that an unscoped variable will fail if can ONLY be resolved by one of the scopes now blocked by the change (such as form, url, cookie, and such, which can be modified from outside the request). But if such an unscoped variable CAN be resolved by a scope that's local to the request (like variables, local, arguments, the query scope, and such), then it will NOT error (and does NOT "need" to be scoped, though it can be useful if it is.)

The wording above (on both technotes for CF2023 and 2021) should be changed to NOT say that "if a variable name is not prefixed with a scope identifier, an error is returned". That's not accurate.

We have installed ColdFusion 2021 Update 13 from command line (as server cannot access the internet).

The ColdFusion services are running using a service account (XXX). The commands are run from PowerShell running as the service account. We have used this method for the last few updates.

After the installation is completed we see the following warning in the hotfix log:

Move Folder:              Destination: C:\Users\XXX\109052.tmp\dist\cfusion
                          Status: WARNING
                          Additional Notes: WARNING - There was a problem copying C:\Users\XXX\109052.tmp\dist\cfusion

We have done a quick check of the application and CF Admin and it seems to be working but are concerned there may still be an issue. Before running installer, we stop ColdFusion services and IIS website.

What could be causing this warning?

Currently, as of 10:13 GMT the URL 'cfmodules.adobe.com/bundlesdependency.json' is missing the update 13 packages. The update of my live system to 13 this morning via CFAdmin applied the core update but none of the packages, it removed the existing packages which have been flagged for update by Adobe. After re-installing the Administrator package via CFPM I noticed it installed version 11 and not 13, this is when I checked the packagesurl and noticed its missing any reference to update 13. This worked fine in my Dev environment on Wednesday (13th). For whatever reason it looks like the online version of bundlesdependency.json is incorrect.

I also noticed when viewing the Update 13 URL from any other region than US (uk for example), the links to the hotfix installer and zip repository go to hotfix version 12.

We are testing Update 13 and it seems that cfhtmltopdf has changed or is broken in this release. We are generating receipts for our customers, and this no longer works, still worked ok with Update 12.

Now we get this error (partial log from coldfusion-error.log):

SEVERE: Servlet.service() for servlet [CfmServlet] in context with path [] threw exception [ROOT CAUSE:
coldfusion.runtime.EventHandlerException: Event handler exception.

Caused by: java.lang.NoClassDefFoundError: coldfusion/image/Image
at coldfusion.pdf.PDFServiceImpl.applyExtraAttributesForWebkit(PDFServiceImpl.java:172)
at coldfusion.tagext.htmltopdf.HtmlToPdfTag.applyExtraAttributesForWebkit(HtmlToPdfTag.java:1351)
at coldfusion.tagext.htmltopdf.HtmlToPdfTag.handlePDFgConversionRequest(HtmlToPdfTag.java:1316)
at coldfusion.tagext.htmltopdf.HtmlToPdfTag.convertToPDF(HtmlToPdfTag.java:1236)
at coldfusion.tagext.htmltopdf.HtmlToPdfTag.doEndTag(HtmlToPdfTag.java:1414)

Saurav, Can you tell us if Adobe support discourage us from using the flag -Dcoldfusion.searchimplicitscopes=true (whether in the application scope or in the JVM) because doing so will negate Adobe's fix for CVE-2024-20767 "Arbitrary file system read" (re-opening that vulnerability) or will only make code not compatible with future CF versions?

This is in reference to footnote at ColdFusion (2023 release) Update 7 (adobe.com) which reads *This option is highly discouraged and should be considered only as a temporary workaround, until all application code is fixed.

I noted that updating your JVM file is one of the solutions but will be deprecated in the next major release.  How about updating the application.CFC file?  Will that CFC fix continue to work in the next major release?  We have a lot of code that will need updating and maybe done by next release, but it would still be nice to know if Application.cfc change will continue to work.  Thanks!

This makes <cfparam> much less useful if using with FORM and URL scope.  For example, <cfparam name="step" default="1">  Then mypage.cfm?step=2 would have changed that "step" to 2 automatically, but not anymore.  Now you need to add <cfif isDefined("url.step")><cfset step=url.step></cfif>   So what is the need for <cfparam> in this case after this update?  I could have <cfset step=1>  instead and have the same effective with isDefined() check.   This change takes away my main use for <cfparam>.  

The hash for Update 7 at the link below does not seem to match the JAR file.  Is the file still good to use?

• ColdFusion (2023 release) Updates

Saurav, thanks for that update to the technotes today, with the key affected scopes and code sample. For any wanting more clarification, see the comments in this thread from yesterday.

I'd also done a blog post last night sharing similar info and more, for any interested.

I feel some better explanation of the scope change is needed.  Are we now required to scope all variables, even those declared in the same script?  Realizing scoping is best practice, many may have some older code that lacks some variable scopes.

For instance, will the following code throw an error when searchimplicitscopes=FALSE?

<cfoutput>
<cfloop from="1" to="5" index="i">
    #i#
</cfloop>
</cfoutput>

If the above code errors, does the above code need be rewritten to be?

<cfoutput>
<cfloop from="1" to="5" index="i">
    #variables.i#
</cfloop>
</cfoutput>