Community Manager
July 8, 2025
Question

NOW LIVE! ColdFusion 2025, 2023, and 2021 July security updates

  • July 8, 2025
  • 2 answers
  • 3552 views

We are pleased to inform you that we've released security updates for ColdFusion 2025, 2023, and 2021 releases. For more information, see the respective tech notes:

The updates include a newer version of Tomcat and important security fixes that mitigate vulnerabilities related to arbitrary file reads, code execution, privilege escalation, and security feature bypass.

View the security bulletin, APSB25-69, for more information.

Download the updates

What's new in the updates

  • Tomcat upgrade
  • New JVM flag
  • Changes to remote methods
  • OEM upgrades

Others

  • Bug fixes
  • Known issues

Docker and CFFiddle

Please download and apply the updates and provide your feedback.

    2 answers

    Participant
    July 9, 2025

    We are getting this error on pages that use cfmail after updating from 2021 Update 20 to 2021 Update 21. We updated to Java 11.0.27 when we updated to 2021 Update 20. CF admin verifies that the connection to the mail server is successful.

    Bad type on operand stack
    Exception Details:
    Location:
    coldfusion/mail/MailImpl.signMail(Ljavax/mail/internet/MimeMessage;Ljavax/mail/Session;)Ljavax/mail/internet/MimeMessage; @238: invokevirtual
    Reason:
    Type 'org/bouncycastle/asn1/smime/SMIMEEncryptionKeyPreferenceAttribute' (current frame, stack[1]) is not assignable to 'org/bouncycastle/asn1/ASN1Encodable'
    Current Frame:
    bci: @238
    flags: { }
    locals: { 'coldfusion/mail/MailImpl', 'javax/mail/internet/MimeMessage', 'javax/mail/Session', 'java/security/KeyStore', '[Ljava/security/cert/Certificate;', 'java/security/PrivateKey', 'org/bouncycastle/asn1/ASN1EncodableVector', 'java/security/cert/X509Certificate', 'java/lang/String', 'org/bouncycastle/asn1/cms/IssuerAndSerialNumber' }
    stack: { 'org/bouncycastle/asn1/ASN1EncodableVector', 'org/bouncycastle/asn1/smime/SMIMEEncryptionKeyPreferenceAttribute' }

    Participant
    July 9, 2025

    We fixed ours by cleaning the Felix cache:

    1. Stop ColdFusion
    2. Delete the cfusion/bin/felix-cache directory
    3. Start ColdFusion

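As an added example (not code from the reply above), the same three steps as a POSIX shell script that moves the cache aside instead of deleting it, so it can be restored if the cache turns out not to be the cause. It assumes the cfusion directory is passed as the argument and that cfusion/bin/coldfusion is the usual Linux start/stop control script.

```shell
#!/bin/sh
# Added example: the three-step Felix cache fix from the reply, scripted.
# Assumption: $1 is the cfusion directory and cfusion/bin/coldfusion is
# the start/stop control script of a Linux ColdFusion install.

# Move the OSGi bundle cache aside (rather than deleting it) so the server
# rebuilds it on the next start and the old cache stays available for
# comparison or rollback. Prints the backup path on success.
clear_felix_cache() {
  cf_root="$1"
  cache="$cf_root/bin/felix-cache"
  if [ ! -d "$cache" ]; then
    echo "no felix-cache directory at $cache" >&2
    return 1
  fi
  backup="$cache.bak.$(date +%Y%m%d%H%M%S)"
  mv "$cache" "$backup" || return 1
  echo "$backup"
}

# Stop ColdFusion, clear the cache, start it again. Refuses to touch the
# cache when the control script is missing, because the cache must never
# be removed from under a running server.
restart_with_clean_cache() {
  cf_root="$1"
  ctl="$cf_root/bin/coldfusion"
  if [ ! -x "$ctl" ]; then
    echo "control script $ctl not found; stop ColdFusion manually first" >&2
    return 1
  fi
  "$ctl" stop || return 1
  backup=$(clear_felix_cache "$cf_root") || return 1
  echo "felix-cache moved to $backup; delete it once the server is verified healthy"
  "$ctl" start
}

# Usage: restart_with_clean_cache /opt/coldfusion/cfusion
```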
    Participant
    July 11, 2025

    This fixes the same issue in ColdFusion 2023 as well.

    This should probably be added to the known issues for ColdFusion (2023 release) Update 15.

    paulm1677332
    Inspiring
    July 9, 2025

    Hi,

    We're using the latest 2023 Docker image on our dev sites, and from the logs it was looking for some user interaction to install some packages.

    "One or more packages require the server to be at update 15. Since the server is at update 14, upgrading the server to update 15." Then it asks "Do you want to proceed? Press N to stop. Press Y to proceed:" As it's autodeployed, it just hangs at this point and our sites didn't work. There were only 2 packages deployed, and we install allModules as part of the build. Do we need to wait for a new Docker image, or is there another workaround to get things building automatically again?

    Thanks

    Charlie Arehart
    Community Expert
    July 9, 2025

    Paul, there are a couple of ways to look at what you've presented--and yes, a workaround, though we should better understand and confirm your problem as well.

    First, as you may know, the new Docker images for each update tend to come out a couple of days after the update's initial release.

    That said, one should be able to do the update (or package updates) within the container... but, as with a regular cf instance, that needs to be able to access the Adobe servers which hold the update files. And it's not unusual for a container environment to be configured such that IT CANNOT make outbound network requests, as a security protection.

    And just as with a regular cf instance, the update technotes do discuss how one can instead perform a manual offline update, which entails a couple of extra steps. Those could work in a container.

    But it's indeed odd that you say this message "just happened" unexpectedly: it would normally happen only to someone (with any form of cf deployment) who somehow told cf to update to a package whose version was higher than the current update level of cf (what they refer to in the admin Package Management UI as the "core" update).

    If you look at your Dockerfile, compose file, or Kubernetes manifest (whatever means you're using to start cf as a container), you should find you have the installModules env var set to name what packages you want implemented (or you may find an importModules, which names a file listing the packages to be implemented). Those package names can include version numbers, but I'd not expect yours to already name the next version--and I'd not expect it to "automatically seek the highest available version".

    Anyway, let us know your value for that env var. And note that for now you could work around this problem by instead setting that env var to name the update 14 version of those packages, thus "pinning" the package version. Again, you should not have to do that.

    Then let's see if Adobe or others have more to offer. I also hope to set up a demo of your situation, especially with whatever values you have for installModules or importModules.

    /Charlie (troubleshooter, carehart.org)

    paulm1677332
    Inspiring
    July 9, 2025

    Hi Charlie,

    The relevant lines in the Dockerfile are:

    FROM public.ecr.aws/adobe/coldfusion:latest-2023 AS base
    ENV installModules all

    We build the image, then push to AWS, and everything gets started via a service and task. No issues at all until yesterday evening. If I log in to the CF Admin I see that only 2 modules are installed. I need to log in to the container and install sqlserver to get the sites up and running.

    Paul