We are pleased to inform you that we've released security updates for ColdFusion 2025, 2023, and 2021 releases. For more information, see the respective tech notes:
These updates resolve several critical and important vulnerabilities that could lead to arbitrary file system read, arbitrary code execution, and security feature bypass. View the security bulletin, APSB25-15, for more information.
Download the updates
What's new in the updates
Others
Docker and cffiddle
Please download and apply the updates and provide your feedback.
I believe there is an incorrect MD5 hash listed for the jar file for Update 19 on https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-updates.html.
@df49654116 Thanks, we are fixing it.
If you are on CF 2023 and perform this update, it will not create the <cfusion_root>/etc/jetty/jetty-ipaccess.xml file as described here (https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-tags/tags-g-h/cfhtmltopdf.html). If you have a default configuration for your Jetty server and PDF services to run on localhost, create the file in the path above with the following:
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="insertHandler">
    <Arg>
      <New id="IPAccessHandler" class="org.eclipse.jetty.server.handler.IPAccessHandler">
        <Set name="white">
          <Array type="String">
            <Item>127.0.0.1</Item>
          </Array>
        </Set>
        <Set name="black">
          <Array type="String">
            <Item>0.0.0.0/0</Item>
          </Array>
        </Set>
        <Set name="whiteListByPath">false</Set>
      </New>
    </Arg>
  </Call>
</Configure>
It will allow the Jetty server to start and to access your solr collections.
Hi @neochuck, Ideally the file should have been created by hotfix. Could you please check the hotfix installation logs (inside <cf_root>/hf-updates) for any failure?
There were no errors during the installation process, the file is listed in the log going into a tmp directory, but the file ultimately did not make it to its final location.
Okay.. Could you please share the below information?
1) OS details
2) ColdFusion update you were on before applying Update 13
3) If you could attach the hotfix install log file, that would be helpful
What would be the best way to securely send that log and information to you?
@neochuck Please share it via email at cfsup@adobe.com
I have sent an email with the requested information.
@neochuck We took a look at the hotfix install logs. Could you please share info on how you installed the update? Could you also please share hotfix-filelist from hf-updates/<version>/ folder to the same email id?
And besides that file list log, can you check the install log (same folder) at about line 70? Does it show 0 fatalerrors and 0 nonfatalerrors?
That was the file I was looking at and it had this
824 Successes
0 Warnings
0 NonFatalErrors
0 FatalErrors
I had the same problem on my Windows laptop with a missing jetty-ipaccess.xml file. However, the path I had to put the jetty-ipaccess.xml file in was <cfusion_root>/jetty/etc instead of <cfusion_root>/etc/jetty/
My installation logs also showed no problems and showed a temporary version of the jetty-ipaccess.xml file being created but the file never got installed.
You are correct, I had a typo in my folder path on the original post.
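A post-update check for the situation described in this thread, where the install log reports zero errors but jetty-ipaccess.xml never reaches <cfusion_root>/jetty/etc. This is an added example, not part of any post and not Adobe's tooling; the function names are hypothetical, the summary format is the one quoted above, and the loopback-only expectation assumes the default localhost configuration.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Summary lines in the format quoted in the thread, e.g. "0 FatalErrors".
SUMMARY_RE = re.compile(
    r"^\s*(\d+)\s+(Successes|Warnings|NonFatalErrors|FatalErrors)\s*$", re.M)
LOOPBACK = {"127.0.0.1", "::1"}

def parse_summary(log_text):
    """Return {label: count} from the install log's summary block."""
    return {label: int(n) for n, label in SUMMARY_RE.findall(log_text)}

def list_items(root, set_name):
    """Collect <Item> values under every <Set name="set_name">."""
    return [i.text.strip() for s in root.iter("Set") if s.get("name") == set_name
            for i in s.iter("Item") if i.text]

def check_ipaccess(cfusion_root):
    """Findings for jetty-ipaccess.xml; an empty list means present and loopback-only."""
    # Location as corrected later in the thread: <cfusion_root>/jetty/etc
    path = Path(cfusion_root) / "jetty" / "etc" / "jetty-ipaccess.xml"
    if not path.is_file():
        return [f"missing: {path}"]
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError as exc:
        return [f"unparseable: {path}: {exc}"]
    white = list_items(root, "white")
    findings = [] if white else ["allow-list is empty"]
    findings += [f"non-loopback allow-list entry: {w}" for w in white
                 if w not in LOOPBACK]
    return findings

def post_update_check(log_text, cfusion_root):
    """Combine the log summary with an on-disk check; the log alone is not enough."""
    summary = parse_summary(log_text)
    findings = [] if summary else ["no summary block found in install log"]
    findings += [f"{k}={v}" for k, v in summary.items() if k.endswith("Errors") and v]
    return findings + check_ipaccess(cfusion_root)

if __name__ == "__main__":
    # Constructed sample: the clean summary quoted in the thread, and an empty
    # directory standing in for a <cfusion_root> where the file was never deployed.
    log = "824 Successes\n0 Warnings\n0 NonFatalErrors\n0 FatalErrors\n"
    with tempfile.TemporaryDirectory() as root:
        for finding in post_update_check(log, root):
            print(finding)
```

An entry that carries a path suffix or a non-loopback address is reported rather than accepted, so a deliberately widened allow-list will show up as a finding to review.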
I had the exact situation as neochuck (thanks for your post!), and his solution works perfectly for me.
ColdFusion2023Add-onServices would not start
megha1997 asked:
"Could you please share the below information?"
Mine:
1) OS details ...W2K19 Server v1809
2) ColdFusion update you were on before applying Update 13
I was on HF 11 and upgraded to HF 13 (I had skipped HF12 since it was mitigated another way)
Then I tried going from HF 11 to HF 12 to HF 13
SAME ERROR in both cases
Also, 0 fatal and 0 non-fatal errors in both above scenarios.
Is anyone else experiencing an issue with CFZIP after the CF2021u19 update? I received a success message during install and no failed log items, but several sites that use CFZIP are now reporting the following error: "Cannot find implementation class coldfusion.tagext.zip.ZipTag for the zip tag." I reverted back to a snapshot taken just before the update and the sites/functionality work fine, so it seems to be directly related to the update.
Hi @matthew_0510 ,
Can you please provide a standalone repro for the same?
Thank you. This is a DOD instance, so I cannot provide. I can describe the scenario in a little more detail and provide a stacktrace from the error.
And just to reiterate, the error described does *not* occur in the CF2021u18 (verified); it didn't occur until after we updated to u19. U19 install log reported:
The error is triggered in onApplicationStart() object creation of a CFC. Target CFC contains a CFZIP tag (at the line number provided in the error).
Error reads: "Cannot find implementation class coldfusion.tagext.zip.ZipTag for the zip tag"
StackTrace:
java.lang.ClassNotFoundException: coldfusion.tagext.zip.ZipTag
at coldfusion.bootstrap.BootstrapClassLoader.loadClass(BootstrapClassLoader.java:303)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:526)
at coldfusion.jsp.JRunTagLibraryInfo.getTagClass(JRunTagLibraryInfo.java:326)
at coldfusion.compiler.TagNode.getTagClass(TagNode.java:237)
at coldfusion.compiler.SemanticAnalyzer.preTransformCftag(SemanticAnalyzer.java:688)
at coldfusion.compiler.SemanticAnalyzer.preTransform(SemanticAnalyzer.java:59)
at coldfusion.compiler.Treewalker.postorder(Treewalker.java:24)
at coldfusion.compiler.Treewalker.postorder(Treewalker.java:29)
at coldfusion.compiler.Treewalker.postorder(Treewalker.java:29)
at coldfusion.compiler.NeoTranslator.parseAndTransform(NeoTranslator.java:512)
at coldfusion.compiler.NeoTranslator.translateJava(NeoTranslator.java:454)
at coldfusion.compiler.NeoTranslator.translateJava(NeoTranslator.java:205)
at coldfusion.runtime.TemplateClassLoader$TemplateCache$1.fetch(TemplateClassLoader.java:527)
at coldfusion.util.LruCache.get(LruCache.java:180)
at coldfusion.runtime.TemplateClassLoader$TemplateCache.fetchSerial(TemplateClassLoader.java:453)
at coldfusion.util.AbstractCache.fetch(AbstractCache.java:58)
at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:153)
at coldfusion.util.SoftCache.get(SoftCache.java:92)
at coldfusion.runtime.TemplateClassLoader.findClass(TemplateClassLoader.java:721)
at coldfusion.filter.PathFilter.invoke(PathFilter.java:145)
at coldfusion.filter.IpFilter.invoke(IpFilter.java:45)
at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:97)
at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:60)
at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62)
at coldfusion.filter.RequestThrottleFilter.invoke(RequestThrottleFilter.java:151)
at coldfusion.CfmServlet.service(CfmServlet.java:231)
at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:311)
at jdk.internal.reflect.GeneratedMethodAccessor70.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:222)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:688)
at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:250)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:142)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:197)
at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:128)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:551)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:127)
at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:46)
at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:47)
at jdk.internal.reflect.GeneratedMethodAccessor67.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:222)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:688)
at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:550)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:250)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:202)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:128)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:551)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:127)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357)
at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:448)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:936)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1791)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
at java.base/java.lang.Thread.run(Thread.java:834)
Thanks @matthew_0510 for the details provided. I would need some more information like what action was performed using the cfzip tag.
At the stage in which the error is occurring, it's not performing any action... it's just (I guess) reviewing the code in the CFC to generate the object. It works like this (for illustration only; line numbers simulated):
In Application.cfc onApplicationStart():
20: <cffunction name="onApplicationStart" returntype="boolean">
...
45: <cfset APPLICATION.objSomething = createObject("component","mycfc.cfc") />
...
60: </cffunction>
In mycfc.cfc:
210: <cffunction name="buildZip">
211: <cfargument name="filepath" />
212: <cfargument name="filesource" />
...
234: <cfzip file="#ARGUMENTS.filepath#" source="#ARGUMENTS.filesource#" />
...
240: </cffunction>
Given the line numbers above, the error is showing as line 234 on mycfc.cfc during the onApplicationStart() object creation of the 'APPLICATION.objSomething'.
I hope that helps. I've also reached out to CF Support, but have not heard back (just sharing that in case you have any collaboration with that team). Thank you.
@matthew_0510 Thanks for the details. But, I was unable to reproduce the issue from my side. The support team will reach out to you and help you with the same.
Thanks,
Rochelle
@matthew_0510, I may have a different take on your problem.
1) As for what might get things working, look first at the "package manager" page of the CF admin, and its lists of installed and available packages. In those, find the zip package. Is it installed? If so, is its version number the latest available in its version list?
If you install or update it, do things now work?
3) As for "what happened" and how could you have known this might be the issue?
While you indicated that you'd observed that the "U19 install log reported" having 0 fatalerrors and nonfatalerrors, you need to go a step further starting with cf2021. At the bottom of that log, it would report if any packages were due to be updated. Is the zip package listed?
Then note how that discussion (of packages to be updated) indicates that the actual package update would take place on the next cf startup. If you look at the coldfusion-out.log file for the hundred or so lines from the time of that post-update startup, look for the zip package. Does it show it failed to be installed for any reason?
Curious if any of this helps. It's just a guess, but I've seen it happen.
Thank you, Charlie. I will check those suggestions out today and report back. I've also heard back from support team, so hopefully I'll get something resolved.