We are pleased to inform you that we've released security updates for ColdFusion 2025, 2023, and 2021 releases. For more information, see the respective tech notes:
These updates resolve several critical and important vulnerabilities that could lead to arbitrary file system read, arbitrary code execution, and security feature bypass. View the security bulletin, APSB25-52, for more information.
Download the updates
What's new in the updates
Others
Docker and cffiddle
Please download and apply the updates and provide your feedback.
Just a note for others that may have this issue.
For one of my clients on CF2021 Update 19, upgrading to Update 20 caused PDF errors. Issue was resolved after deleting the cfusion/bin/felix-cache folder and restarting ColdFusion (ColdFusion service needs to be stopped before deleting it).
Thanks for sharing, Roberto. Yes, this has been a step frequently mentioned in recent cf update technotes. I was surprised to see it not in this one, and I hoped it meant that at least those coming from the April update maybe didn't need to.
Really, I just now recommend doing it after every cf update, as part of good hygiene. And I recommended it in my post this week on the update.
If nothing else, I hope Adobe will consider whether that suggestion to do it should be added to this latest update's technote. And until then, let's hope this suggestion of yours helps others finding this post.
I tried updating a couple of our servers running CF2021 U19 to CF2021 U20.
The updater completed without any errors, but our applications immediately started throwing an error stating:
Enable SessionManagement to use Session manipulation methods.
This is coming from our application.cfc file, but it definitely has a line near the top of the component enabling session management:
this.sessionmanagement = true;
Additionally, there's a warning in one of the logfiles stating:
Session management is not enabled.
I also double checked the ColdFusion Administrator settings and session management is definitely enabled (using memory), as it was before we applied the update.
Any ideas? For now I've rolled back our snapshot on these 2 servers and will hold off on updating our other servers until we can figure this out.
Thanks
Brian, if you're concluding (or warning) that folks should beware of this happening upon updating, I can say it has not happened to any of the dozens of instances I've updated or helped others update this week.
As such, whatever is amiss for you seems quite unique. And perhaps Adobe or someone else will step in with a ready explanation/fix/workaround. Until then, I'll ask some questions. First, what platform are you on? It might be helpful to hear.
Second, you say the "updater completed without any errors". How are you measuring that? By the pop-up msg at the end? Or by the update install log within hf-updates? And did it show 0 fatalerrors and nonfatalerrors? It's possible that's where something went amiss.
Next, did you confirm there were no new errors during the startup, as tracked in the coldfusion-out.log? Look especially during the startup which followed the update. That should show uninstallation (only) or any packages update (it never shows their "installation" after that).
Before you might report the various errors you may/will see, please do look also at the log's tracking of the startups BEFORE the update: we're only focusing on what errors are new on the startup AFTER the update. (And if you've since restarted cf and your issue remains, you could assess as well the startup logs for that. But look especially at the first startup after the update, which alone should have attempted the package updates.)
Let us know what you find. And if no other solution comes up from others, I suspect I could help you get things working (via a remote screenshare consulting session, in perhaps as little as 15 mins, even this weekend). If I can't help, you'd not pay for my time. If we found some new bug, you could report it to Adobe. Or again they may offer you direct help, or someone else here may provide a solution.
Thanks for the reply.
We're on Windows Server. When I say the update completed without errors, I'm only referring to the pop-up message at the end.
The first server I updated worked fine (and the site / application tested fine afterward). I proceeded to update two more servers.
The first server that worked fine is different from the other two that had the issue. The first server's application (website) only relies on application.cfm style processing. The other two rely on application.cfc.
On all three servers, the window at the end of the update installation said installation was successful, I logged into ColdFusion Administrator and verified the new version number for the core server and for all of the packages that were updated in this patch, then I initiated a reboot of the server VM and waited for the server to come back up.
I didn't check the update installer log specifically, but will the next time I try the update. I did check the coldfusion logs for messages on service startup, and I didn't see anything new that would explain anything that wasn't present from past service startups. These are production servers and I was working in a narrow maintenance window at midnight, so I didn't want to spend too much time digging around blindly. I was focused on restoring the services. I'll try to schedule a longer maintenance window for the next attempt, in anticipation of this happening again and needing to be investigated.
I'll update here likely in a week, hopefully with a solution but at least with more information from logs and testing.
Thanks for the clarification. So first, I want to note that the update install log would still be available for you to assess, even though you uninstalled the update (unless of course you reverted a backup or snapshot).
But then again I'm now starting to wonder if this is indeed an error in cf itself. The fact that you're saying it happens only with application.cfc. That just doesn't sound like a problem that CF alone would report. Indeed, that led me to search for the two error messages you reported, "Enable SessionManagement to use Session manipulation methods" and "Session management is not enabled". I don't find a single occurrence of them. But they sure sounded like cf errors. :-). I'm wondering if instead they're your own error messages (from your app, I mean). I realize that may seem unlikely. 🙂
But let's just have you try something, which will take only a moment: create a new folder, and in that create an Application.cfc, and in that just set sessionmanagement="true". Then create an index.cfm or another file and have it try to set a session var. If it works, then it would sure seem that what you're getting is not a cf error.
Further, I can't even fathom what's meant by the message reporting it can't "use Session manipulation methods". There are no "Session manipulation methods" in cf that I can think of.
Let's see what you may find and take it from there.
I rolled back the update by rolling back the entire server (VM snapshot), so the update installer log isn't available. I should have grabbed it before rolling back, but I was focused on restoring everything to operational status.
My plan is to try again with a longer maintenance window, look at the log, and then do as you suggested with a separate folder, minimal application.cfc, and minimal index.cfm to start sanity checking. I'm not fully familiar with the application.cfc we have currently, but there was no change recently, and the current version of what we have worked fine on Update 18 and Update 19. I did check it when I encountered the error, and this.sessionmanagement = true; was definitely at the top of the component definition, so I have no clue why we'd be getting an error to the contrary.
I'll follow up as soon as I get a chance to try again.
Ok on all that. In the meantime, you could at least take a chance and use a tool to search all your cf files (*.cf*) looking for the quoted text of either of those error messages.
Better editors (better than notepad) can do that fairly easily and quickly, while tools devoted to the task can do it faster, and across even your entire drive in seconds or minutes. I'd recommend FileLocator Lite (from Mythicsoft) which is free even for prod, and should have no negative impact even if run directly ON a prod server. (Again, quote the string to ensure it finds only that phrase and not just files with those words in any combination.)
Let us know if you get to do that search. (I realize you may be wanting to put this all entirely on a back burner until your next maint window.)
I did a bit of testing and have some additional info:
[1] The update installer log doesn't show any errors.
Installation: Successful.
1806 Successes
0 Warnings
0 NonFatalErrors
0 FatalErrors
The only thing that isn't a clear and clean success in the file is this section where it's stopping services:
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ColdFusion 2021 Application Server
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\ColdFusion2021\cfusion\bin\coldfusionsvc.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ColdFusion 2021 Application Server
        DEPENDENCIES       :
        SERVICE_START_NAME : [serviceaccountname@domain]
Status: SUCCESSFUL
SERVICE_NAME: ColdFusion 2021 Application Server
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x3
        WAIT_HINT          : 0x3a98
Status: SUCCESSFUL
[SC] ControlService FAILED 1061:The service cannot accept control messages at this time.
Status: SUCCESSFUL
[SC] ControlService FAILED 1062:The service has not been started.
Status: SUCCESSFUL
[SC] ControlService FAILED 1062:The service has not been started.
Status: SUCCESSFUL
[SC] ControlService FAILED 1062:The service has not been started.
Status: SUCCESSFUL
Custom Action: com.adobe.ia.action.ServersStartStopAction
Status: SUCCESSFUL
I believe these are simply referring to the fact that we have the other CF services disabled, and only run the ColdFusion Application Server service.
[2] After the update installer finishes and services are restarted, the application (website) works without issue. Only after we restart the server (VM) itself do we get the issue. We're able to restart the server just fine on CF 2021 U19 without issue, but on CF 2021 U20 we encounter the issue.
[3] At one point, I was able to get past the "Enable SessionManagement to use Session manipulation methods." error, but I don't know how. I think it may have been related to going into CF Admin and enabling session management (even though it was already enabled) then clearing the template and component caches. After I got past this error, I ran into another error related to org.hibernate.HibernateException. This isn't the exact output, but it's similar.
Message: org.hibernate.HibernateException not found by orm [198]
StackTrace: java.lang.ClassNotFoundException: org.hibernate.HibernateException not found by orm [198]
    at org.apache.felix.framework.BundleWiringImpl.findClassOrResourceByDelegation(BundleWiringImpl.java:1597)
    at org.apache.felix.framework.BundleWiringImpl.access$300(BundleWiringImpl.java:79)
    at org.apache.felix.framework.BundleWiringImpl$BundleClassLoader.loadClass(BundleWiringImpl.java:1982)
    at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
    at coldfusion.orm.hibernate.ConfigurationManager.initConfiguration(ConfigurationManager.java:68)
    at coldfusion.orm.hibernate.HibernateProvider.initializeORMForApplication(HibernateProvider.java:168)
    at coldfusion.orm.hibernate.HibernateProvider.beforeApplicationStart(HibernateProvider.java:77)
    at ...
[4] In a separate folder with a barebones application.cfc and index.cfm, I don't encounter the error (either one). This works without issue and outputs the session struct/scope before and after setting the test variable. Though this is not using the session manipulation methods we normally use in our real application.cfc.
component {
    this.name = "Testing";
    this.sessionmanagement = "Yes";
    function onSessionStart() {}
    function onRequestStart() {}
    function onRequestEnd() {}
}

test123
<CFDUMP VAR="#session#">
<CFSET session.test = 'abc'>
<CFDUMP VAR="#session#">
[5] There are differences in log output between U19 and U20 when the server starts up. For example, coldfusion-out.log used to have something like this after server startup:
May 24, 2025 05:19:19 AM Information [main] - ColdFusion started
May 24, 2025 05:19:19 AM Information [main] - ColdFusion: application services are now available
May 24, 2025 05:19:19 AM Error [Thread-26] - Connect to 127.0.0.1:8989 [/127.0.0.1] failed: Connection refused: connect http://127.0.0.1:8989/PDFgServlet/
May 24, 2025 05:19:19 WARN [main] - Unable to determine dialect of the StAX implementation at jar:file:/C:/ColdFusion2021/cfusion/lib/bundleaxis/wstx-asl-3.2.9.jar!/
May 24, 2025 05:19:19 AM Warning [main] - Unable to determine dialect of the StAX implementation at jar:file:/C:/ColdFusion2021/cfusion/lib/bundleaxis/wstx-asl-3.2.9.jar!/
May 24, 2025 05:19:20 AM Information [main] - Invoked onServerStart method on CFC server
May 24, 2025 05:19:53 AM Information [ajp-nio-127.0.0.1-8020-exec-3] - HHH000412: Hibernate Core {[WORKING]}
May 24, 2025 05:19:53 AM Information [ajp-nio-127.0.0.1-8020-exec-3] - HHH000206: hibernate.properties not found
May 24, 2025 05:19:54 AM Information [ajp-nio-127.0.0.1-8020-exec-3] - HCANN000001: Hibernate Commons Annotations {5.0.1.Final}
May 24, 2025 05:19:54 AM Information [ajp-nio-127.0.0.1-8020-exec-3] - HHH000130: Instantiating explicit connection provider: coldfusion.orm.hibernate.CFConnectionProvider
May 24, 2025 05:19:54 AM Information [ajp-nio-127.0.0.1-8020-exec-3] - HHH000400: Using dialect: org.hibernate.dialect.SQLServer2012Dialect
May 24, 2025 05:19:54 AM Warning [ajp-nio-127.0.0.1-8020-exec-3] - HHH90000023: Encountered use of deprecated Connection handling settings [hibernate.connection.acquisition_mode]or [hibernate.connection.release_mode]; use [hibernate.connection.handling_mode] instead
May 24, 2025 05:19:55 AM Warning [ajp-nio-127.0.0.1-8020-exec-3] - HHH90000022: Hibernate's legacy org.hibernate.Criteria API is deprecated; use the JPA javax.persistence.criteria.CriteriaQuery instead
May 24, 2025 05:19:55 AM Warning [ajp-nio-127.0.0.1-8020-exec-3] - SQL Warning Code: 5701, SQLState: 01000
May 24, 2025 05:19:55 AM Warning [ajp-nio-127.0.0.1-8020-exec-3] - [Macromedia][SQLServer JDBC Driver][SQLServer]Changed database context to 'DatabaseName'.
May 24, 2025 05:19:55 AM Warning [ajp-nio-127.0.0.1-8020-exec-3] - SQL Warning Code: 5703, SQLState: 01000
May 24, 2025 05:19:55 AM Warning [ajp-nio-127.0.0.1-8020-exec-3] - [Macromedia][SQLServer JDBC Driver][SQLServer]Changed language setting to us_english.
May 24, 2025 05:21:00 AM Information [DefaultQuartzScheduler_Worker-1] - Task default.General - Check Server Status triggered.
May 24, 2025 05:21:00 AM Information [DefaultQuartzScheduler_Worker-1] - Starting HTTP request {URL='https://site.com/_scheduledTasks/check_server_status.cfm', method='get'}
May 24, 2025 05:21:00 AM Information [DefaultQuartzScheduler_Worker-1] - HTTP request completed {Status Code=200 ,Time taken=219 ms}
After the update, it appears much the same, but after restart after the update, that output is changed, and is notably missing the lines mentioning "hibernate" or the SQL datasource:
May 24, 2025 10:42:26 AM Information [main] - ColdFusion started
May 24, 2025 10:42:26 AM Information [main] - ColdFusion: application services are now available
May 24, 2025 10:42:27 AM Error [Thread-26] - Connect to 127.0.0.1:8989 [/127.0.0.1] failed: Connection refused: connect http://127.0.0.1:8989/PDFgServlet/
May 24, 2025 10:42:27 WARN [main] - Unable to determine dialect of the StAX implementation at jar:file:/C:/ColdFusion2021/cfusion/lib/bundleaxis/wstx-asl-3.2.9.jar!/
May 24, 2025 10:42:27 AM Warning [main] - Unable to determine dialect of the StAX implementation at jar:file:/C:/ColdFusion2021/cfusion/lib/bundleaxis/wstx-asl-3.2.9.jar!/
May 24, 2025 10:42:28 AM Information [main] - Invoked onServerStart method on CFC server
May 24, 2025 10:42:29 AM Warning [ajp-nio-127.0.0.1-8020-exec-1] - Session management is not enabled.
May 24, 2025 10:42:29 AM Warning [ajp-nio-127.0.0.1-8020-exec-8] - Session management is not enabled.
May 24, 2025 10:42:29 AM Warning [ajp-nio-127.0.0.1-8020-exec-8] - No paths found for key 'bytecodeexectuionpaths' in pathfilter.json
May 24, 2025 10:42:29 AM Error [ajp-nio-127.0.0.1-8020-exec-8] - Enable SessionManagement to use Session manipulation methods. The specific sequence of files included or processed is: C:\inetpub\wwwroot\site.com\index.cfm, line: 130
May 24, 2025 10:42:29 AM Error [ajp-nio-127.0.0.1-8020-exec-1] - Enable SessionManagement to use Session manipulation methods. The specific sequence of files included or processed is: C:\inetpub\wwwroot\site.com\index.cfm, line: 130
May 24, 2025 10:42:47 AM Information [http-nio-8500-exec-3] - Session rotated successfully.
May 24, 2025 10:42:49 AM Information [http-nio-8500-exec-10] - Starting HTTP request {URL='https://www.adobe.com/go/coldfusion-updates', method='get'}
May 24, 2025 10:42:49 AM Information [http-nio-8500-exec-10] - HTTP request completed {Status Code=200 ,Time taken=95 ms}
May 24, 2025 10:43:10 AM Information [http-nio-8500-exec-5] - Starting HTTP request {URL='https://www.adobe.com/go/coldfusion-updates', method='get'}
May 24, 2025 10:43:10 AM Information [http-nio-8500-exec-5] - HTTP request completed {Status Code=200 ,Time taken=80 ms}
May 24, 2025 10:43:59 AM Warning [ajp-nio-127.0.0.1-8020-exec-10] - Session management is not enabled.
May 24, 2025 10:43:59 AM Error [ajp-nio-127.0.0.1-8020-exec-10] - Enable SessionManagement to use Session manipulation methods. The specific sequence of files included or processed is: C:\inetpub\wwwroot\site.com\index.cfm, line: 130
I grabbed the entire log folder and will look into this further next week alongside one of our devs. I may file a ticket with Adobe.
[6] I can find no reference of the "Enable SessionManagement to use Session manipulation methods" error message in our own code.
I'll continue to update with anything I figure out.
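Charlie's suggestion earlier in the thread to compare the startup tracked in coldfusion-out.log before and after the update, and Brian's two excerpts above, as an added example that is not code from the thread or from Adobe: a small Python script that slices the log into startups and reports new Error/Warning lines plus messages that disappeared (here the Hibernate lines). SAMPLE_LOG is a constructed excerpt assembled from the lines quoted above.

```python
"""Added example (not from the thread or Adobe): diff two ColdFusion startups
recorded in coldfusion-out.log. The log is sliced into per-startup windows
starting at "ColdFusion started"; the last two windows (before/after the
update) are compared ignoring thread names, timestamps and numbers."""
import re
from dataclasses import dataclass

# Matches "May 24, 2025 05:19:19 AM Information [main] - message"; the
# AM/PM token is optional because the StAX "WARN" lines omit it.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})(?: (?:AM|PM))? "
    r"(?P<level>[A-Za-z]+) \[(?P<thread>[^\]]+)\] - (?P<msg>.*)$"
)
STARTUP_MARKER = "ColdFusion started"
ALERT_LEVELS = {"error", "warning", "warn"}

@dataclass(frozen=True)
class Entry:
    ts: str
    level: str
    thread: str
    msg: str

def parse_log(text):
    """Parse coldfusion-out.log text; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["ts"], m["level"].lower(), m["thread"], m["msg"]))
    return entries

def normalise(msg):
    """Collapse digits (timings, ports, bundle ids) so the same message from
    two startups compares equal."""
    return re.sub(r"\d+", "#", msg)

def split_startups(entries):
    """Group entries into windows, each beginning at a 'ColdFusion started' line."""
    windows = []
    for e in entries:
        if STARTUP_MARKER in e.msg:
            windows.append([])
        if windows:
            windows[-1].append(e)
    return windows

def compare_startups(before, after):
    """Return Error/Warning messages that are new in 'after' and messages from
    'before' that 'after' no longer emits (such as the Hibernate HHH lines)."""
    before_keys = {(e.level, normalise(e.msg)) for e in before}
    after_keys = {(e.level, normalise(e.msg)) for e in after}
    new_alerts = sorted(m for lvl, m in after_keys - before_keys if lvl in ALERT_LEVELS)
    missing = sorted(m for _, m in before_keys - after_keys)
    return {"new_alerts": new_alerts, "missing": missing}

def diff_log(text):
    """Diff the last two startups found in the log text."""
    windows = split_startups(parse_log(text))
    if len(windows) < 2:
        raise ValueError("need at least two startups in the log to compare")
    return compare_startups(windows[-2], windows[-1])

# Constructed excerpt (from the lines quoted in this thread): one pre-update
# startup followed by one post-update startup.
SAMPLE_LOG = r"""
May 24, 2025 05:19:19 AM Information [main] - ColdFusion started
May 24, 2025 05:19:19 AM Error [Thread-26] - Connect to 127.0.0.1:8989 [/127.0.0.1] failed: Connection refused: connect http://127.0.0.1:8989/PDFgServlet/
May 24, 2025 05:19:19 WARN [main] - Unable to determine dialect of the StAX implementation at jar:file:/C:/ColdFusion2021/cfusion/lib/bundleaxis/wstx-asl-3.2.9.jar!/
May 24, 2025 05:19:53 AM Information [ajp-nio-127.0.0.1-8020-exec-3] - HHH000412: Hibernate Core {[WORKING]}
May 24, 2025 05:21:00 AM Information [DefaultQuartzScheduler_Worker-1] - HTTP request completed {Status Code=200 ,Time taken=219 ms}
May 24, 2025 10:42:26 AM Information [main] - ColdFusion started
May 24, 2025 10:42:27 AM Error [Thread-26] - Connect to 127.0.0.1:8989 [/127.0.0.1] failed: Connection refused: connect http://127.0.0.1:8989/PDFgServlet/
May 24, 2025 10:42:27 WARN [main] - Unable to determine dialect of the StAX implementation at jar:file:/C:/ColdFusion2021/cfusion/lib/bundleaxis/wstx-asl-3.2.9.jar!/
May 24, 2025 10:42:29 AM Warning [ajp-nio-127.0.0.1-8020-exec-1] - Session management is not enabled.
May 24, 2025 10:42:29 AM Error [ajp-nio-127.0.0.1-8020-exec-8] - Enable SessionManagement to use Session manipulation methods. The specific sequence of files included or processed is: C:\inetpub\wwwroot\site.com\index.cfm, line: 130
May 24, 2025 10:42:49 AM Information [http-nio-8500-exec-10] - HTTP request completed {Status Code=200 ,Time taken=95 ms}
"""

if __name__ == "__main__":
    result = diff_log(SAMPLE_LOG)
    for m in result["new_alerts"]:
        print("NEW     ", m)
    for m in result["missing"]:
        print("MISSING ", m)
```

Run it against a real coldfusion-out.log by passing the file contents to diff_log; anything it lists as NEW or MISSING on the first startup after the update is what to take to the tracker.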
Brian, thanks for the update and you've shared a lot that I and others could respond to. But let's start with something simple.
1) In your last point you refer to the code failing (with these session errors) because of line 130 of index.cfm, at the indicated path. Have you checked that? If so, what is it doing that has to do with session vars? We DO want to know (for now) what code it is that's failing. (I realize it may well be ANYTHING to do with using session vars. We want to KNOW.)
1a) On the other hand, you may say that either there IS no line 130 in that file, or no CFML on that line 130, or that whatever CFML is there seems to have absolutely nothing to do with this error. This is a common problem, but you CAN find the CORRECT file: see the exception.log (in the same cfusion/logs as other CF logs). What does THAT say is the actual file, whose line 130 has the error? And what does that line do? Can you share it? Or if not, can you tell readily what it says it's doing?
2) You say you created a test folder with a simplified application.cfc, and it works. That's great. And you do confirm that works after a box restart as well, right? (That's very odd that you have ANY issue that occurs ONLY after a box restart and not just a CF restart alone. For now, let's leave that one alone.) I just mean to say it seems in your interest to confirm that this test app works after such a box restart. Please confirm.
3) But you say also about this test app that it "is not using the session manipulation methods we normally use in our real application.cfc ." I'm very curious to hear what you are referring to there. Again, I'd said I'd never heard the term "session manipulation methods", until you mentioned initially here that you were getting the error, "Enable SessionManagement to use Session manipulation methods."
So what ARE those "session manipulation methods" that you "know" are in the real app and not this test one? What happens if you add even ONE of them to this test app? And please tell us what it is. (And is it what you find gets reported as being on line 130 above?)
4) Finally, again focusing for now on just this error, you've not indicated in any of your notes if you had done what's discussed in comments here BEFORE yours (and in recent technotes), about the value of "clearing the felix cache". If you know what that is, had you done it after the update?
If you don't know about it, it's the recommendation (in some CF update technotes and being made generally by folks like myself to do after ALL CF updates) where you stop CF, delete the folder cfusion/bin/felix-cache (no need to "save it"), then restart CF (which will recreate it and all its contents). It has to do with clearing out java jars and classes implemented by CF based on whatever CF package versions you had that may have changed.
4a) Then do your tests again: the real app, the test app, and confirming also if they work after a box restart (not merely a cf restart, since you say that's its own issue).
Looking forward to hearing what you
1) Line 130 is in our application.cfc file, and it's part of the onError function. Line 130 is simply:
sessionInvalidate();
With line 130 commented out and allowing the onError function to dump some info out, we see the error referencing org.hibernate.HibernateException. So we must be hitting the org.hibernate.HibernateException somewhere in our application.cfc, which then causes the onError function to be called, which then (with line 130 enabled) throws the other error about session manipulation methods.
CF 2023 U5 mentions a similar org.hibernate.HibernateException error in the patch notes https://helpx.adobe.com/coldfusion/kb/coldfusion-2023-update-5.html
But I can't actually get the issue to load in the bug tracker. I can't even search for anything in the bug tracker right now.
https://tracker.adobe.com/#/view/CF-4218706
If I select ColdFusion from the drop down, it just says "Loading Form" forever. Hopefully this is a temporary issue with the bug tracker site.
2) Yes, with a very simple application.cfc it works even after a restart.
3) I'm not familiar with what this particular application is doing specifically, but the application.cfc does a lot of stuff related to setting up server variables, queries, ORM-related stuff, etc. I believe the hibernate error is a reference to the ORM stuff (https://hibernate.org / https://helpx.adobe.com/coldfusion/developing-applications/coldfusion-orm/introducing-coldfusion-orm...). I don't know if it's something that we're doing that's breaking it in U20 (but is fine under U19, and somehow fine in U20 before the server VM restart), or if it's something buggy with U20.
4) I've cleared the Felix cache before in updates that mention it. I didn't clear it for this update since I didn't see a mention of it. I can give that a try the next time I get a window to work in.
I likely won't get to look into this more until the end of this coming week, but I'll post back as soon as I have any more info.
I am having similar issues with our CF21 environment (Windows Server 2022). In my testing, after applying U20 to the system, we start seeing the same error message org.hibernate.HibernateException not found by orm. I am able to get the issue to go away after uninstalling the ORM and ORMSEARCH packages, clearing the felix cache, and then reinstalling the packages. But the issue returns after the CF service is restarted. I found a similar issue in CF23 per https://tracker.adobe.com/#/view/CF-4218706. I applied the workaround of removing the javax.persistence entry from the <cfusion>/lib/exportpackages.txt file and that seems to fix the issue when the service is restarted. Hopefully this will be resolved in a future update and I won't uncover other issues that the workaround has caused.
Thanks for the info.
If I get time later I'll try to (re)report this bug to Adobe.
FYI I've posted something to the tracker - https://tracker.adobe.com/#/view/CF-4226718 .
timd16029446 please add any relevant info from your end and vote for the issue.
Awesome, I voted for it and will copy my info over as well. Thanks for making the tracker request.
Also added to this, running into a similar orm err that can be worked around with the same felix cache procedure.
After applying the update, we are no longer able to edit/save scheduled tasks. The admin screen says "Invalid extension of the file name. Valid extensions are :log,txt". The work around: stop cf, edit the neo-cron.xml file, start cf, but that's not going to work long term. Please advise...
The classification of this update appears to have changed silently from 3 to 1?
And why doesn't adobe just ship an update for the mysql driver via the package manager?
I'm running into issues and have had to roll the update back/restore a snapshot. Also seeing a Hibernate-like error @Brian32294452d08h is dealing with that I have a hard time explaining.
Will look into this with development.
org.hibernate.engine.jdbc.dialect.spi.DialectResolutionInfo not found by orm [197]
Are there any steps to take to mitigate the reason why this patch now has priority 1?
I've verified that adobe did indeed communicate this patch originally as priority 3.
Adobe really should communicate these changes.
Stopping the CF instance, clearing the Felix cache, and restarting the CF instance appears to work to temporarily get rid of this not found by ORM error.
When you say "temporarily", does that mean the issue recurs if you restart the CF service (or the server itself)?
I believe that's the same behavior timd16029446 saw.
Does anyone know if there are any knock-on effects of removing the javax.persistence entry from the <cfusion>/lib/exportpackages.txt file that timd16029446 mentioned as a more permanent workaround?
Thanks
I have been running the workaround for over a week and my team hasn't seen any side effects so far. But that is just our environment.
I was convinced I've seen it break again after reboot, but so far not able to reproduce that behavior on a test system I've set up to troubleshoot this.
Development is still working on some other issues with our applications; when that's done and tested I'll do this upgrade again on the main server and relay any feedback I have here.
On a 2023 box I'm running into the problem that my scheduled tasks are missing.
According to the patch notes this is expected, but the neo-cron.bak file that I should be able to restore is also empty.