Community Manager
April 8, 2025
Question

NOW LIVE! ColdFusion 2025, 2023, and 2021 April security updates

  • April 8, 2025
  • 10 replies
  • 5462 views

We are pleased to inform you that we've released security updates for ColdFusion 2025, 2023, and 2021 releases. For more information, see the respective tech notes:

These updates resolve several critical and important vulnerabilities that could lead to arbitrary file system read, arbitrary code execution, and security feature bypass. View the security bulletin, APSB25-15, for more information.

Download the updates

What's new in the updates

  • New JVM flags
  • Refreshed add-on installers
  • IP filtering for cfhtmltopdf
  • Central Configuration Server changes
  • cfencode removal for the 2023 and 2021 updates

Others

  • Bug fixes
  • Known issues

Docker and cffiddle

  • Will be updated shortly. We'll update the post.

Please download and apply the updates and provide your feedback.


    Inspiring
    May 5, 2025

    After installing Update 19 to CF2021 Update 18, then uninstalling it, it appears that CFSPREADSHEET functionality gets broken.

    After looking at the install and uninstall logs for update 19, it looks like C:\ColdFusion2021\cfusion\lib\xalan.jar was deleted during the Update 19 uninstall, even though it wasn't installed when Update 19 was installed.

    To reproduce:

    1. Using the ColdFusion Administrator, install Update 19 onto ColdFusion 2021 Update 18.

    2. Using the ColdFusion Administrator, uninstall Update 19.

    3. Execute the following code:

    <cfset testSheet = SpreadsheetNew("Test", true) />
    <cfspreadsheet action="write" filename="C:\temp\test.xlsx" name="testSheet" sheetname="Test" />

    The error returned in the coldfusion-error.log is:

    May 05, 2025 11:33:25 AM org.apache.catalina.core.StandardWrapperValve invoke SEVERE: Servlet.service() for servlet [CfmServlet] in context with path [] threw exception [ROOT CAUSE: javax.xml.transform.TransformerFactoryConfigurationError: Provider org.apache.xalan.processor.TransformerFactoryImpl not found

    ...

    Copying the missing file from a server that is still on Update 18 without having gone through the update 19 install/uninstall process resolves the issue. However, I'm concerned that other files may have been erroneously deleted during the uninstall process.

    I've filed a bug report at:

    https://tracker.adobe.com/#/view/CF-4226427 
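
A defender-side check for the concern raised in this post (files silently removed or replaced by an update or uninstall), added here as an example; it is not code from the thread or from Adobe. It snapshots a directory such as cfusion\lib into a SHA-256 manifest before the update and diffs it afterwards; the directory path, the manifest file name and the sample jar contents are assumptions for the demo.

```python
"""Snapshot a directory tree and diff it after an update/uninstall.

Added example (not from the thread or Adobe). Run snapshot() on e.g.
<cf_root>/cfusion/lib before applying or removing an update, save it,
and diff against a fresh snapshot afterwards: an unexpected deletion
like the xalan.jar case shows up here instead of as a runtime error.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large jars need no full read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root_path = Path(root)
    return {
        p.relative_to(root_path).as_posix(): file_sha256(p)
        for p in sorted(root_path.rglob("*"))
        if p.is_file()
    }


def save_snapshot(manifest: dict, out_file: str) -> None:
    Path(out_file).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_snapshot(in_file: str) -> dict:
    return json.loads(Path(in_file).read_text())


def diff_snapshots(before: dict, after: dict) -> dict:
    """Return removed/added/changed relative paths between two manifests."""
    removed = sorted(set(before) - set(after))
    added = sorted(set(after) - set(before))
    changed = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"removed": removed, "added": added, "changed": changed}


def demo() -> dict:
    """Constructed scenario: a lib folder whose xalan.jar vanishes on uninstall."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "lib"
        lib.mkdir()
        (lib / "xalan.jar").write_bytes(b"constructed placeholder jar")   # assumed content
        (lib / "other.jar").write_bytes(b"another placeholder jar")       # assumed content
        before = snapshot(lib)
        # Simulate the faulty uninstall: one file deleted, one rewritten.
        (lib / "xalan.jar").unlink()
        (lib / "other.jar").write_bytes(b"another placeholder jar, modified")
        return diff_snapshots(before, snapshot(lib))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In practice, save the pre-update manifest with save_snapshot(), run the update or uninstall, and pass load_snapshot() plus a new snapshot() into diff_snapshots().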


    Charlie Arehart
    Community Expert
    April 30, 2025

    For folks who find that the PDF services feature (and the related add-on service) have trouble after the update, note that the update technotes for CF2023 update 13 and CF2021 update 19 have been updated, with a new last item in the "known issues" section to address one of the issues.

    You'll see it offers the few steps needed to correct the problem of missing files in the cfusion\jetty\webapps\PDFgServlet\WEB-INF\classes\coldfusion\pdf\service. Note that the process offers a zip (for each version) with the needed class files, rather than the approach of downloading and extracting from the full add-on services installer, which was a workaround some had helpfully offered. This doesn't address the issue of the missing jetty-ipaccess.xml file that some experience (though not everyone).

    I'm just a fellow traveler/messenger here: I have nothing to do with the work Adobe's doing sorting out these problems.

    /Charlie (troubleshooter, carehart.org)
    Inspiring
    April 17, 2025

    Hello,

    After applying ColdFusion (2021 release) Update 19, I started receiving PDF server errors when trying to use cfhtmltopdf.

    I tried updating the server manager, and now get the following error:

    • Error adding PDF Service Manager. Please ensure that you have entered a correct PDF Service hostname and port. Check logs for more details.

    In the application log, I see the following:

    coldfusion.pdfg.jetty.PDFGServiceImpl$LocalServiceManagerException: You are not allowed to add Local service manager.

    In the server log, I see the following:

    "Information","Thread-33","04/16/25","22:51:52","","PDFg service manager http://127.0.0.1:8993/PDFgServlet/ registered."
    "Error","Thread-33","04/16/25","22:51:53","","Error while registering/unregistering Service manager. Reason is Keys are not loaded properly."

    I had a default installation on localhost, 127.0.0.1, port 8993.

    I am not using the standalone PDFg service.

    Please advise.

    Thanks.

    Robert

    Inspiring
    April 17, 2025

    Issue has been resolved by reinstalling the add-on services.

    Participating Frequently
    April 14, 2025

    I note that the Lockdown installers have also been refreshed, not just the AddOn installers.

    Adobe, please note that the Linux 64-bit Server Auto-Lockdown Installer does not match the provided MD5 value of 2a6fe83e712e4a203c4c4cf4cd68ad8b

    Vikram_Kumar_M
    Adobe Employee
    April 14, 2025

    @Legorol It appears to be correct; please try re-downloading the installer and share the MD5 value again if it's different.

    Participating Frequently
    April 14, 2025

    @Vikram_Kumar_M I'm afraid it appears incorrect to me. I am referring to the 2025 version.

    Just to confirm, the page I am downloading from:

    https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0

    The download link for the 2025 Lockdown Linux installer:

    https://cfdownload.adobe.com/pub/adobe/coldfusion/2025/lockdown/ColdFusion_2025_Lockdown_WWEJ_linux64.bin

    The checksums are in:

    https://cfdownload.adobe.com/pub/adobe/coldfusion/2025/lockdown/MD5_Checksum_Lockdown.txt

    I have tried the download several times. The checksum I am getting is b5263ce9af11a14966dcb8dcc139090c, as opposed to what's in the text file above which is 2a6fe83e712e4a203c4c4cf4cd68ad8b.

    Participant
    April 11, 2025

    I believe an incorrect MD5 hash is also listed for hotfix-packages-cf2023-013-330759.zip. The download package now has an additional file "felixclassloader-2023.0.0.330468.jar" which was not in the packages archive on 4/9 when the hash matched the original archive.

    Participant
    April 11, 2025

    I installed the refreshed CF 2021 Windows 64-bit Add-on Services Standalone Installer in the default "ColdFusionAdd-onServices" folder, and wanted to reinstall it in the "<cf root>/cfusion/jetty" folder, but there's no way to uninstall since there is no Uninstall.exe file in its uninstall folder.

    I see the following error in the install log:

    Install Uninstaller:      Adobe ColdFusion 2021 Add-on Services(Install All Uninstaller Components)
                              Status: ERROR
                              Additional Notes: ERROR - Flexeraaq6$aaa: No zip file found for entry: Z_/installers/InstallAnywhere5/installerimages/cf_app.ico
                                                ERROR - Error writing LaunchAnywhere components (Access Denied)

    I redownloaded the installer and tried on a different computer, and still get the same error and cannot uninstall. It sounds like there might be a problem with the installer.

    Charlie Arehart
    Community Expert
    April 11, 2025

    I can confirm getting the same problem that @SBcoder had reported regarding the uninstaller for the CF2021 add-on service installer, as offered on the Adobe CF downloads page and section for it today. I can offer a few more thoughts--and I end with a suggestion of how you should be able to get this uninstalled if you're not wanting to await a perhaps better answer from Adobe or others.

    First, I do get the exact same error in the install log (and it reports in the tracking of successes and fatal errors near the top as being a non-fatal error. And to be clear, the installer UI did show on the last screen, "The installation of Adobe ColdFusion (2021 Release) Add-on Services is finished, but some errors occurred during the install. Please see the installation log for details.")

    And lest anyone propose, "on Windows you can just use the 'add or remove programs' feature", that fails as well when trying to uninstall this app, reporting "Windows cannot find 'D:\ColdFusion2021 Add-onServices\uninstall\Uninstall.exe'."

    And if you may suggest we "just use the uninstaller.jar in the addonservices folder, via java -jar uninstaller.jar", I tried that too and it reported, "no main manifest attribute, in uninstaller.jar". I'm afraid I'm out of time to dig further for now, but I leave this for others to consider (such as to compare the uninstaller.jar of a previously installed addonservice, and perhaps even just to try that--though I suspect there may be more amiss about other files in that uninstall folder that would preclude that simple a solution).

    But finally, unless someone finds a way to get it to work or if sbcoder can't wait, I'll note that you CAN uninstall things manually. It's just a couple of steps.

    1. First, technically the folder created by the installer ("ColdFusionAdd-onServices", as sbcoder noted it) can be deleted. There's no other folder that the addonservices installer touches. You would need to stop the Windows service for it, of course (and close any editors, command lines, etc. working with that folder).
    2. As for that service, you'll also want to delete that. Open an Admin command prompt and use, "sc delete "ColdFusion2021Add-onServices"" (or change the name if you somehow have a different name for your service). You may want to first double-check the properties of the service (right-click it and choose "properties") to confirm before deleting it that it is indeed pointing to the new addon service folder, as opposed to being a service of the same name implemented by the full CF installer if you have it implement the addon service.
    3. Finally, you'll still see the newly added separate add-on service listed in the Windows "add or remove programs". To make that disappear, delete its registry entry at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe ColdFusion 2021 Add-on Services.

    Granted those are a bit too fiddly/risky for some. I just wanted to give you something in case no one offers a better solution.

    If you do take the last approach, let us know how it goes. But I hope Adobe will be looking into this, since we both have experienced it. (I can also confirm I did NOT have the same problem with the CF2023 add-on service installer which I downloaded today and tried also.)

    /Charlie (troubleshooter, carehart.org)
    Participant
    April 12, 2025

    Hi Charlie, thanks for confirming the error and for providing the steps to do a manual uninstall!


    I don't have any urgent need to uninstall, so I'll wait for Adobe to hopefully release a fixed installer. I want to install directly over the existing installation (I actually installed twice using the "bad" installer, thinking the error was initially a fluke), uninstall cleanly, and then install again but specify the "jetty" folder as the target.

    Participant
    April 10, 2025

    Since the update (CF2023 Windows), CCS has stopped functioning. We attempted to delete and re-add the nodes, and the terminal indicates that the node was added successfully.

    However, the log files on the CCS server display the following error: "[main] CCS ERROR - com.restfb.json.JsonException: JsonObject["jeecontext"] not found."

    Additionally, the servers show the message: "error: Node is not registered in CCS."

    Has anyone else encountered this issue?

    Participant
    April 11, 2025

    Hi,

    Was your update applied successfully? Can you stop the ccs server, clear your felix-cache and then start the ccs server?

    What does listnodes return? You might want to delete the nodes and re-register them. Also, can you check the content of <cfusion_home>/lib/ccs/nodes.properties? Is your CF standalone or deployed on some application server?

    Charlie Arehart
    Community Expert
    April 11, 2025

    Also, check if the ccs package was/is installed. It's one of the packages updated in this update (in cf2023, though not in 2025 from my checking things), and it may have failed to be updated. See the cf admin "package manager" page or use the command line cfpm tool, to either add or update it.

    /Charlie (troubleshooter, carehart.org)
    Participating Frequently
    April 10, 2025

    Is anyone else experiencing an issue with CFZIP after the CF2021u19 update? I received a success message during install and no failed log items, but several sites that use CFZIP are now reporting the following error: "Cannot find implementation class coldfusion.tagext.zip.ZipTag for the zip tag." I reverted back to a snapshot taken just before the update and the sites/functionality work fine, so it seems to be directly related to the update.

    Adobe Employee
    April 11, 2025

    Hi @matthew_0510 ,

    Can you please provide a standalone repro for the same? 

    Participating Frequently
    April 11, 2025

    Thank you. This is a DOD instance, so I cannot provide one. I can describe the scenario in a little more detail and provide a stacktrace from the error.

    And just to reiterate, the error described does *not* occur in CF2021u18 (verified); it didn't occur until after we updated to u19. The U19 install log reported:

    1716 Successes
    0 Warnings
    0 NonFatalErrors
    0 FatalErrors

    The error is triggered in onApplicationStart() object creation of a CFC. The target CFC contains a CFZIP tag (at the line number provided in the error).

    Error reads: "Cannot find implementation class coldfusion.tagext.zip.ZipTag for the zip tag"

    StackTrace:
    java.lang.ClassNotFoundException:
    coldfusion.tagext.zip.ZipTag
    at coldfusion.bootstrap.BootstrapClassLoader.loadClass(BootstrapClassLoader.java:303)
    at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:526)
    at coldfusion.jsp.JRunTagLibraryInfo.getTagClass(JRunTagLibraryInfo.java:326)
    at coldfusion.compiler.TagNode.getTagClass(TagNode.java:237)
    at coldfusion.compiler.SemanticAnalyzer.preTransformCftag(SemanticAnalyzer.java:688)
    at coldfusion.compiler.SemanticAnalyzer.preTransform(SemanticAnalyzer.java:59)
    at coldfusion.compiler.Treewalker.postorder(Treewalker.java:24)
    at coldfusion.compiler.Treewalker.postorder(Treewalker.java:29)
    at coldfusion.compiler.Treewalker.postorder(Treewalker.java:29)
    at coldfusion.compiler.NeoTranslator.parseAndTransform(NeoTranslator.java:512)
    at coldfusion.compiler.NeoTranslator.translateJava(NeoTranslator.java:454)
    at coldfusion.compiler.NeoTranslator.translateJava(NeoTranslator.java:205)
    at coldfusion.runtime.TemplateClassLoader$TemplateCache$1.fetch(TemplateClassLoader.java:527)
    at coldfusion.util.LruCache.get(LruCache.java:180)
    at coldfusion.runtime.TemplateClassLoader$TemplateCache.fetchSerial(TemplateClassLoader.java:453)
    at coldfusion.util.AbstractCache.fetch(AbstractCache.java:58)
    at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:153)
    at coldfusion.util.SoftCache.get(SoftCache.java:92)
    at coldfusion.runtime.TemplateClassLoader.findClass(TemplateClassLoader.java:721)
    at coldfusion.filter.PathFilter.invoke(PathFilter.java:145)
    at coldfusion.filter.IpFilter.invoke(IpFilter.java:45)
    at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:97)
    at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
    at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
    at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:60)
    at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
    at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
    at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62)
    at coldfusion.filter.RequestThrottleFilter.invoke(RequestThrottleFilter.java:151)
    at coldfusion.CfmServlet.service(CfmServlet.java:231)
    at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:311)
    at jdk.internal.reflect.GeneratedMethodAccessor70.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:222)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:688)
    at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:250)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:142)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:197)
    at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:128)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:551)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:127)
    at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:46)
    at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:47)
    at jdk.internal.reflect.GeneratedMethodAccessor67.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:222)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:688)
    at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:250)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:202)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:128)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:551)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:127)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357)
    at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:448)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:936)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1791)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
    at java.base/java.lang.Thread.run(Thread.java:834)


    Participating Frequently
    April 8, 2025

    If you are on CF 2023 and perform this update, it will not create the <cfusion_root>/etc/jetty/jetty-ipaccess.xml file as described here (https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-tags/tags-g-h/cfhtmltopdf.html). If you have a default configuration for your jetty server and pdf services to run on localhost, create the file in the path above with the following:

    <Configure id="Server" class="org.eclipse.jetty.server.Server">
    	<Call name="insertHandler">
    		<Arg>
    			<New id="IPAccessHandler" class="org.eclipse.jetty.server.handler.IPAccessHandler">
    				<Set name="white">
    					<Array type="String">
    						<Item>127.0.0.1</Item>
    					</Array>
    				</Set>
    				<Set name="black">
    					<Array type="String">
    						<Item>0.0.0.0/0</Item>
    					</Array>
    				</Set>
    				<Set name="whiteListByPath">false</Set>
    			</New>
    		</Arg>
    	</Call>
    </Configure>

    It will allow the Jetty server to start and to access your solr collections.


    Adobe Employee
    April 9, 2025

    Hi @neochuck, Ideally the file should have been created by hotfix. Could you please check the hotfix installation logs (inside <cf_root>/hf-updates) for any failure?

    Participating Frequently
    April 9, 2025

    There were no errors during the installation process, the file is listed in the log going into a tmp directory, but the file ultimately did not make it to its final location.

    Participant
    April 8, 2025

    I believe there is an incorrect MD5 hash listed for the jar file for Update 19 on https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-updates.html

    Vikram_Kumar_M
    Adobe Employee
    April 8, 2025

    @df49654116 Thanks, we are fixing it.