
NOW LIVE! ColdFusion 2025, 2023, and 2021 April security updates

Adobe Employee, Apr 08, 2025

We are pleased to inform you that we've released security updates for ColdFusion 2025, 2023, and 2021 releases. For more information, see the respective tech notes:

 

These updates resolve several critical and important vulnerabilities that could lead to arbitrary file system read, arbitrary code execution, and security feature bypass. View the security bulletin, APSB25-15, for more information.

 

Download the updates

 

What's new in the updates

  • New JVM flags
  • Refreshed add-on installers
  • IP filtering for cfhtmltopdf
  • Central Configuration Server changes
  • cfencode removal for the 2023 and 2021 updates

 

Others

  • Bug fixes
  • Known issues

 

Docker and cffiddle

  • Will be updated shortly. We'll update the post.

 

Please download and apply the updates and provide your feedback.

Community Beginner, Apr 18, 2025

Thank you again for your reply, Charlie. I do have a little more cause background and a workaround after working with ColdFusion support.

 

My understanding is that this should only affect you if you're using CFZIP and/or CFFTP. I'm only addressing the CFZIP side of this because I don't use CFFTP; but, I'd assume the same workaround would also fix CFFTP.  

 

From what I can tell, the root of the problem is that the file '\bundles\repo\bcprov-jdk18on-1.78.1.jar' is being removed during the hotfix process. And that file is a dependency for both the Zip and FTP packages.

 

If you encounter an issue with CFZIP after the update19 hotfix, try the following:
1. Stop the ColdFusion service(s)
2. Copy 'bcprov-jdk18on-1.78.1.jar' from '\cfusion\hf-updates\hf-2021-00019-330379\bundles\repo' to '\cfusion\bundles\repo'
3. Restart the ColdFusion service(s)
4. Confirm the Zip package is installed and re-test your CFZIP code instances

 

This resolved the situation for me and at least one other customer CF support was working with. 

New Here, Apr 10, 2025

Since the update (CF2023 Windows), CCS has stopped functioning. We attempted to delete and re-add the nodes, and the terminal indicates that the node was added successfully.

 

However, the log files on the CCS server display the following error: "[main] CCS ERROR - com.restfb.json.JsonException: JsonObject["jeecontext"] not found."

Additionally, the servers show the message: "error: Node is not registered in CCS."

 

Has anyone else encountered this issue?

New Here, Apr 10, 2025

Hi,

 

Was your update applied successfully? Can you stop the CCS server, clear your felix-cache, and then start the CCS server?

What does listnodes return? You might want to delete the nodes and re-register them. Also, can you check the content of <cfusion_home>/lib/ccs/nodes.properties? Is your CF a standalone or deployed on some application server?

Community Expert, Apr 11, 2025

Also, check if the ccs package was/is installed. It's one of the packages updated in this update (in cf2023, though not in 2025 from my checking things), and it may have failed to be updated. See the cf admin "package manager" page or use the command line cfpm tool, to either add or update it. 


/Charlie (troubleshooter, carehart. org)
New Here, Apr 14, 2025

Hi Charlie, Thanks for your response.
I verified that the CCS package is installed and updated to the latest version within the ColdFusion Administrator. I also attempted to uninstall and reinstall the package to see if that would resolve the issue; however, the problem persists. Unfortunately, I am not seeing any information in the logs to help identify the root cause or to provide more information here.

Adobe Employee, Apr 14, 2025

In CF 2025, SSL support with CCS was released with the major version release. Hence the CCS package was not updated for CF 2025.

New Here, Apr 14, 2025

We are running CCS on a standalone ColdFusion instance, and the update was applied successfully.

I followed your instructions; however, the issue persists.

 

After removing all entries from the nodes.properties file and attempting to add a node again, I am now encountering a different error.

Exception in thread "main" java.lang.NoSuchMethodError: 'void coldfusion.centralconfig.server.CentralConfigServerManager.addNode(java.lang.String, java.lang.String, java.lang.String, java.lang.String)'
at coldfusion.centralconfig.server.cli.CCSCli.addNode(CCSCli.java:250)
at coldfusion.centralconfig.server.cli.CCSCli.takeCommands(CCSCli.java:160)
at coldfusion.centralconfig.server.cli.CCSCli.interactiveMode(CCSCli.java:22)
at coldfusion.centralconfig.server.CentralConfigServer.main(CentralConfigServer.java:74)

 

Thank you for your help in debugging this.

Adobe Employee, Apr 14, 2025

Hi,

 

Can you check if cfcentralconfigserver.jar (inside <CFUSION_HOME>/bin) is updated after applying the update? The timestamp should have been updated. Also, have you cleared the felix-cache and then relaunched CCS CLI? Clear felix-cache, re-launch CCS CLI. Start CCS Server and then add nodes. Can you share the command that you are using to add the CF node?

 

Thanks,

Suchika.

New Here, Apr 11, 2025

I installed the refreshed CF 2021 Windows 64-bit Add-on Services Standalone Installer in the default "ColdFusionAdd-onServices" folder, and wanted to reinstall it in the "<cf root>/cfusion/jetty" folder, but there's no way to uninstall since there is no Uninstall.exe file in its uninstall folder.

 

I see the following error in the install log:

 

Install Uninstaller:      Adobe ColdFusion 2021 Add-on Services(Install All Uninstaller Components)
                          Status: ERROR
                          Additional Notes: ERROR - Flexeraaq6$aaa: No zip file found for entry: Z_/installers/InstallAnywhere5/installerimages/cf_app.ico
                                            ERROR - Error writing LaunchAnywhere components (Access Denied)

 

I redownloaded the installer and tried on a different computer, and still get the same error and cannot uninstall. It sounds like there might be a problem with the installer.

Community Expert, Apr 11, 2025

I can confirm getting the same problem that @SBcoder had reported regarding the uninstaller for the CF2021 add-on service installer, as offered on the Adobe CF downloads page and section for it today.  I can offer a few more thoughts--and I end with a suggestion of how you should be able to get this uninstalled if you're not wanting to await a perhaps better answer from Adobe or others. 

 

First, I do get the exact same error in the install log (and it reports in the tracking of successes and fatalerrors near the top as being a nonfatalerror. And to be clear, the installer UI did show on the last screen, "The installation of Adobe ColdFusion (2021 Release) Add-on Services is finished, but some errors occurred during the install. Please see the installation log for details.")

 

And lest anyone propose, "on Windows you can just use the 'add or remove programs' feature", that fails as well when trying to uninstall this app, reporting "Windows cannot find ‘D:\ColdFusion2021 Add-onServices\uninstall\Uninstall.exe’."

 

And if you may suggest we "just use the uninstaller.jar in the addonservices folder, via java -jar uninstaller.jar", I tried that too and it reported, "no main manifest attribute, in uninstaller.jar". I'm afraid I'm out of time to dig further for now, but I leave this for others to consider (such as to compare the uninstaller.jar of a previously installed addonservice, and perhaps even just to try that--though I suspect there may be more amiss about other files in that uninstall folder that would preclude that simple a solution).

 

But finally, unless someone finds a way to get it to work or if sbcoder can't wait, I'll note that you CAN uninstall things manually. It's just a couple of steps.

  1. First, technically the folder created by the installer ("ColdFusionAdd-onServices", as sbcoder noted it) can be deleted. There's no other folder that addonservices installer touches. You would need to stop the Windows service for it, of course (and close any editors, command lines, etc. working with that folder).
  2. As for that service, you'll also want to delete that. Open an Admin command prompt and use, "sc delete "ColdFusion2021Add-onServices"" (or change the name if you somehow have a different name for your service.) You may want to first double-check the properties of the service (right-click it and choose "properties") to confirm before deleting it that it is indeed pointing to the new addon service folder, as opposed to being a service of the same name implemented by the full CF installer if you have it implement the addon service.
  3. Finally, you'll still see the newly added separate add-on service listed in the Windows "add or remove programs". To make that disappear, delete its registry entry at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe ColdFusion 2021 Add-on Services.

 

Granted, those are a bit too fiddly/risky for some. I just wanted to give you something in case no one offers a better solution.

 

If you do take the last approach, let us know how it goes. But I hope Adobe will be looking into this, since we both have experienced it. (I can also confirm I did NOT have the same problem with the CF2023 add-on service installer which I downloaded today and tried also.)


/Charlie (troubleshooter, carehart. org)
New Here, Apr 11, 2025

Hi Charlie, thanks for confirming the error and for providing the steps to do a manual uninstall!

 

I don't have any urgent need to uninstall, so I'll wait for Adobe to hopefully release a fixed installer. I want to install directly over the existing installation (I actually installed twice using the "bad" installer, thinking the error was initially a fluke), uninstall cleanly, and then install again but specify the "jetty" folder as the target.

Community Expert, Apr 11, 2025

Understandable. And I hope for the same, sure. 🙂 


/Charlie (troubleshooter, carehart. org)
New Here, Apr 17, 2025

On a whim, I checked the latest MD5 file for the installer today and noticed it was different than before, so I downloaded the installer again. I installed it in the default "ColdFusionAdd-onServices" folder without error, and was able to uninstall successfully. Then I installed it in the CF21 "jetty" folder without error.

New Here, Apr 11, 2025

I believe an incorrect MD5 hash is also listed for hotfix-packages-cf2023-013-330759.zip.  The download package now has an additional file "felixclassloader-2023.0.0.330468.jar" which was not in the packages archive on 4/9 when the hash matched the original archive.

New Here, Apr 14, 2025

I note that the Lockdown installers have also been refreshed, not just the AddOn installers.

Adobe, please note that the Linux 64-bit Server Auto-Lockdown Installer does not match the provided MD5 value of 2a6fe83e712e4a203c4c4cf4cd68ad8b 

Adobe Employee, Apr 14, 2025

@Legorol It appears to be correct; please try re-downloading the installer and share the MD5 value again if it's different.

New Here, Apr 14, 2025

@Vikram_Kumar_M I'm afraid it appears incorrect to me. I am referring to the 2025 version.

Just to confirm, the page I am downloading from:

https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#cf-download0

The download link for the 2025 Lockdown Linux installer:

https://cfdownload.adobe.com/pub/adobe/coldfusion/2025/lockdown/ColdFusion_2025_Lockdown_WWEJ_linux6...

The checksums are in:

https://cfdownload.adobe.com/pub/adobe/coldfusion/2025/lockdown/MD5_Checksum_Lockdown.txt

I have tried the download several times. The checksum I am getting is b5263ce9af11a14966dcb8dcc139090c, as opposed to what's in the text file above which is 2a6fe83e712e4a203c4c4cf4cd68ad8b.

Adobe Employee, Apr 14, 2025

@Legorol I just verified in Ubuntu OS, and it seems to be correct. 

 

root@bbb5ff29-724b-4785-bc04-af639482e70f:/opt# wget https://cfdownload.adobe.com/pub/adobe/coldfusion/2025/lockdown/ColdFusion_2025_Lockdown_WWEJ_linux6...
--2025-04-14 19:59:03-- https://cfdownload.adobe.com/pub/adobe/coldfusion/2025/lockdown/ColdFusion_2025_Lockdown_WWEJ_linux6...
Resolving cfdownload.adobe.com (cfdownload.adobe.com)... 23.41.28.199
Connecting to cfdownload.adobe.com (cfdownload.adobe.com)|23.41.28.199|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 224435776 (214M) [application/octet-stream]
Saving to: 'ColdFusion_2025_Lockdown_WWEJ_linux64.bin'

ColdFusion_2025_Lockdown_WWEJ_linux64.b 100%[=============================================================================>] 214.04M 277MB/s in 0.8s

2025-04-14 19:59:04 (277 MB/s) - 'ColdFusion_2025_Lockdown_WWEJ_linux64.bin' saved [224435776/224435776]

root@bbb5ff29-724b-4785-bc04-af639482e70f:/opt# md5sum ColdFusion_2025_Lockdown_WWEJ_linux64.bin
2a6fe83e712e4a203c4c4cf4cd68ad8b ColdFusion_2025_Lockdown_WWEJ_linux64.bin

 

Thanks,

Vikram

New Here, Apr 14, 2025

Thank you @Vikram_Kumar_M  for double checking, I was able to successfully download it in the end.
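
Added example (not part of any post in this thread, and not Adobe tooling): the check this sub-thread performs by hand, written in Python. It compares a download with a published MD5 listing and, when the expected byte count is known (the wget output above reports Length: 224435776), separates a short download from a complete file whose digest differs from the listing; it also returns a SHA-256 for your own records. The listing layout, the function names and the sample file are assumptions.

```python
import hashlib
import os
import re
import tempfile

MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def expected_md5(listing, filename):
    """Return the MD5 published for filename, or None if it is not listed.

    Assumed listing layout: one file per line, with the file name and a
    32-hex digest in either order.
    """
    for line in listing.splitlines():
        if filename.lower() in line.lower():
            match = MD5_RE.search(line)
            if match:
                return match.group(0).lower()
    return None


def digest_file(path, chunk_size=1 << 20):
    """Read the file once and return (size, md5_hex, sha256_hex)."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            md5.update(chunk)
            sha256.update(chunk)
    return size, md5.hexdigest(), sha256.hexdigest()


def verify_download(path, listing, expected_size=None):
    """Compare a downloaded file with the published MD5 and, if known, its size."""
    name = os.path.basename(path)
    size, md5_hex, sha256_hex = digest_file(path)
    want = expected_md5(listing, name)
    if want is None:
        verdict = "not-listed"
    elif expected_size is not None and size != expected_size:
        verdict = "size-mismatch"  # truncated or partial download
    elif md5_hex != want:
        verdict = "md5-mismatch"   # complete file, but not the bytes the listing describes
    else:
        verdict = "ok"
    return {"file": name, "size": size, "md5": md5_hex, "sha256": sha256_hex,
            "expected_md5": want, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample: a small stand-in file and a listing built from it.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample_installer.bin")
        data = b"constructed installer bytes\n" * 1000
        with open(path, "wb") as fh:
            fh.write(data)
        listing = "sample_installer.bin  " + hashlib.md5(data).hexdigest() + "\n"
        print(verify_download(path, listing, expected_size=len(data)))
        print(verify_download(path, listing, expected_size=len(data) + 1))
```

A "size-mismatch" verdict points at the transfer; an "md5-mismatch" on a full-size file points at the file or the listing having changed, which is the situation reported for the refreshed installers and the hotfix packages archive.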

Explorer, Apr 16, 2025

Hello,

 

After applying ColdFusion (2021 release) Update 19, I started receiving PDF server errors when trying to use cfhtmltopdf.

 

I tried updating the server manager,  and now get the following error:

  • Error adding PDF Service Manager. Please ensure that you have entered a correct PDF Service hostname and port.
    Check logs for more details.

 

In the application log, I see the following:

 

coldfusion.pdfg.jetty.PDFGServiceImpl$LocalServiceManagerException: You are not allowed to add Local service manager.

 

In server log, I see the following:

 

"Information","Thread-33","04/16/25","22:51:52","","PDFg service manager http://127.0.0.1:8993/PDFgServlet/ registered."
"Error","Thread-33","04/16/25","22:51:53","","Error while registering/unregistering Service manager. Reason is Keys are not loaded properly."

 

I had a default installation on localhost, 127.0.0.1. port 8993.

 

I am not using the standalone PDFg service.

 

Please advise.

 

Thanks.

 

Robert

 

Explorer, Apr 17, 2025

Issue has been resolved by reinstalling the add-on services.

Community Expert, Apr 30, 2025

For folks who find that the PDF services feature (and the related add-on service) have trouble after the update, note that the update technotes for CF2023 update 13 and CF2021 update 19 have been updated, with a new last item in the "known issues" section to address one of the issues.

 

You'll see it offers the few steps needed to correct the problem of missing files in the cfusion\jetty\webapps\PDFgServlet\WEB-INF\classes\coldfusion\pdf\service. Note that the process offers a zip (for each version) with the needed class files, rather than the approach of downloading and extracting from the full add-on services installer which was a workaround some had helpfully offered. This doesn't address the issue of the missing jetty-ipaccess.xml file that some experience (though not everyone).

 

I'm just a fellow traveler/messenger here: I have nothing to do with the work Adobe's doing sorting out these problems.


/Charlie (troubleshooter, carehart. org)
Explorer, May 05, 2025

After installing Update 19 to CF2021 Update 18, then uninstalling it, it appears that CFSPREADSHEET functionality gets broken.

 

After looking at the install and uninstall logs for update 19, it looks like C:\ColdFusion2021\cfusion\lib\xalan.jar was deleted during the Update 19 uninstall, even though it wasn't installed when Update 19 was installed.

 

To reproduce:

1. Using the ColdFusion Administrator, install Update 19 onto ColdFusion 2021 Update 18.

2. Using the ColdFusion Administrator, uninstall Update 19.

3. Execute the following code:

 

<cfset testSheet = SpreadsheetNew("Test", true) />
<cfspreadsheet action="write" filename="C:\temp\test.xlsx" name="testSheet" sheetname="Test" />

 

The error returned in the coldfusion-error.log is:

 

May 05, 2025 11:33:25 AM org.apache.catalina.core.StandardWrapperValve invoke SEVERE: Servlet.service() for servlet [CfmServlet] in context with path [] threw exception [ROOT CAUSE: javax.xml.transform.TransformerFactoryConfigurationError: Provider org.apache.xalan.processor.TransformerFactoryImpl not found

...

 

Copying the missing file from a server that is still on Update 18 without having gone through the update 19 install/uninstall process resolves the issue. However, I'm concerned that other files may have been erroneously deleted during the uninstall process.

 

I've filed a bug report at:

https://tracker.adobe.com/#/view/CF-4226427 
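
Added example (not part of any post, and not Adobe code): the CFZIP report earlier in the thread (bcprov-jdk18on-1.78.1.jar missing from bundles\repo after the hotfix) and the report above (xalan.jar deleted during uninstall) both involve jars disappearing during an update step. This Python script snapshots the jars under a directory before the step and compares afterwards, separating jars that were replaced by another version from jars that vanished with no replacement. The version-stripping rule, the function names and the sample tree are assumptions.

```python
import hashlib
import json
import os
import posixpath
import re


def snapshot(root, suffix=".jar"):
    """Map each matching file under root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(suffix):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return manifest


def save(manifest, path):
    """Persist a snapshot so it can be compared after the update or rollback."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def artifact(rel):
    """Directory plus jar name without a trailing version, e.g. bundles/repo/bcprov-jdk18on."""
    directory, name = posixpath.split(rel)
    stem = re.sub(r"(-\d[\w.]*)?\.jar$", "", name, flags=re.IGNORECASE)
    return posixpath.join(directory, stem)


def compare(before, after):
    """Classify the differences between two snapshots of the same tree."""
    removed, added = set(before) - set(after), set(after) - set(before)
    replaced_by = {artifact(p) for p in added}
    return {
        # gone, and no other version of the same jar arrived in that directory
        "removed_no_replacement": sorted(p for p in removed if artifact(p) not in replaced_by),
        "upgraded": sorted(p for p in removed if artifact(p) in replaced_by),
        "added": sorted(added),
        "changed": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


if __name__ == "__main__":
    import tempfile
    # Constructed trees standing in for cfusion/ before and after an update step.
    trees = {"before": ["bundles/repo/bcprov-jdk18on-1.78.1.jar", "lib/xalan.jar"],
             "after": ["lib/xalan.jar"]}
    with tempfile.TemporaryDirectory() as tmp:
        for side, jars in trees.items():
            for rel in jars:
                path = os.path.join(tmp, side, *rel.split("/"))
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(rel.encode())
        save(snapshot(os.path.join(tmp, "before")), os.path.join(tmp, "before.json"))
        after = snapshot(os.path.join(tmp, "after"))
        print(compare(load(os.path.join(tmp, "before.json")), after))
```

For an install-then-uninstall round trip, every entry under "removed_no_replacement", "upgraded", "added" or "changed" is a deviation from the starting state.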

 
