Community Manager
May 13, 2025
Question

NOW LIVE! ColdFusion 2025, 2023, and 2021 May security updates


We are pleased to inform you that we've released security updates for ColdFusion 2025, 2023, and 2021 releases. For more information, see the respective tech notes:


These updates resolve several critical and important vulnerabilities that could lead to arbitrary file system read, arbitrary code execution, and security feature bypass. View the security bulletin, APSB25-52, for more information.


Download the updates


What's new in the updates

  • New JVM flags
  • Changes to remote method
  • Refreshed add-on installers
  • Pathfilter changes


Others

  • Bug fixes
  • Known issues


Docker and cffiddle


Please download and apply the updates and provide your feedback.

    5 replies

    Participating Frequently
    June 12, 2025

    On a 2023 box I'm running into the problem that my scheduled tasks are missing.
    According to the patch notes this is expected, but the neo-cron.bak file that I should be able to restore is also empty.

    Charlie Arehart
    Community Expert
    June 13, 2025

    Sadly, yes. This is a long-time problem of the scheduled task mechanism, that it keeps only one generation of backup--and various things cause CF to rotate that, so that a problem can quickly mean that no good backup remains, unless you take one yourself (and few bother). I will note that the technote was modified some days after it came out to warn that "Before applying the update, take a backup of the neo-cron.xml file located in the <cf_root>/cfusion/lib directory." That's of course too late for you.

    If you have no server backup to revert to, then you may be out of luck with no choice but to recreate the tasks. As for what their names and URLs were, you can find that info in the scheduler.log (if you told CF to log tasks, which tracks the name and time) and in the http.log (which tracks ALL calls out of CF to any URL, whether via cfhttp or via a scheduled task, and which tracks the URL and the time).

    (And if anyone may wonder if the backup folder for the update, within hf-updates, might track the neo-cron.xml file, sadly it does not. I have not ever found any of the neo*.xml files in there.)

    While we're on this topic, a thought would be that some people may come to realize that it could be valuable to put the neo-cron.xml files under some sort of version control--automatically detecting and saving when the file changes. But I'll add also that the CF2023 feature called CCS (or central configuration service) would itself track backups of changes made. Again, all too late for those bit by this update issue already. I don't work for Adobe and had no hand in the matter, other than trying to help people once it's happened.

    /Charlie (troubleshooter, carehart.org)

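
An added example (not code from this thread, from Adobe or from Charlie) of the change-triggered backup suggested above: it keeps a timestamped, hash-named copy of neo-cron.xml only when the file's content changes and retains several generations, so the one-generation rotation described above can no longer leave you without a good copy. The SRC and HISTORY paths are assumptions; demo() runs against constructed files in a temporary directory.

```python
import datetime
import hashlib
import shutil
import tempfile
from pathlib import Path

# Assumed locations: the live file under <cf_root>/cfusion/lib, and a history directory
# outside the CF tree where neither an update nor a felix-cache cleanup can touch it.
SRC = Path("C:/ColdFusion2023/cfusion/lib/neo-cron.xml")
HISTORY = Path("D:/cf-config-history")

def sha256_of(path):
    """Content hash, so an unchanged file never produces a duplicate generation."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def existing_snapshots(history, stem, suffix):
    """Snapshots are <stem>.<UTC stamp>.<sha256 prefix><suffix>; the stamp sorts
    lexicographically, so the list comes back oldest first."""
    return sorted(history.glob(f"{stem}.*{suffix}"))

def snapshot_if_changed(src, history, keep=20):
    """Copy src into history only when it differs from the newest snapshot, then prune
    to `keep` generations. A zero-byte file is never recorded (the thread above shows a
    neo-cron.bak that was itself empty). Returns the new snapshot path, or None."""
    history.mkdir(parents=True, exist_ok=True)
    if src.stat().st_size == 0:
        return None
    digest = sha256_of(src)
    snaps = existing_snapshots(history, src.stem, src.suffix)
    if snaps and sha256_of(snaps[-1]) == digest:
        return None
    stamp = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    dest = history / f"{src.stem}.{stamp}.{digest[:12]}{src.suffix}"
    shutil.copy2(src, dest)
    for old in existing_snapshots(history, src.stem, src.suffix)[:-keep]:
        old.unlink()
    return dest

def demo():
    """Exercise the rotation on constructed files in a temp dir, not on a CF install."""
    root = Path(tempfile.mkdtemp())
    src, hist = root / "neo-cron.xml", root / "history"
    out = {}
    src.write_text("<wddxPacket>constructed v1</wddxPacket>")
    first = snapshot_if_changed(src, hist, keep=2)
    out["first_saved"] = first is not None
    out["unchanged_skipped"] = snapshot_if_changed(src, hist, keep=2) is None
    src.write_text("<wddxPacket>constructed v2</wddxPacket>")
    out["change_saved"] = snapshot_if_changed(src, hist, keep=2) not in (None, first)
    src.write_text("")
    out["empty_refused"] = snapshot_if_changed(src, hist, keep=2) is None
    src.write_text("<wddxPacket>constructed v3</wddxPacket>")
    snapshot_if_changed(src, hist, keep=2)
    left = existing_snapshots(hist, "neo-cron", ".xml")
    out["pruned_to_keep"] = len(left) == 2 and first not in left
    return out

if __name__ == "__main__":
    print(demo())  # real use: snapshot_if_changed(SRC, HISTORY) from a scheduled job, and before any update
```
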
    Participating Frequently
    May 30, 2025

    The classification of this update appears to have changed silently from 3 to 1?

    And why doesn't Adobe just ship an update for the MySQL driver via the package manager?

    Participating Frequently
    May 30, 2025

    I'm running into issues and have had to roll the update back/restore a snapshot. Also seeing a Hibernate-like error @Brian32294452d08h is dealing with that I have a hard time explaining.
    Will look into this with development.
    org.hibernate.engine.jdbc.dialect.spi.DialectResolutionInfo not found by orm [197]

    Are there any steps to take to mitigate the reason why this patch now has priority 1?

    I've verified that Adobe did indeed communicate this patch originally as priority 3.
    Adobe really should communicate these changes.

    Participating Frequently
    June 4, 2025

    Stopping the CF instance, clearing the Felix cache, and restarting the CF instance appears to work to temporarily get rid of this not found by ORM error.

    Inspiring
    May 30, 2025

    After applying the update, we are no longer able to edit/save scheduled tasks. The admin screen says "Invalid extension of the file name. Valid extensions are :log,txt". The workaround: stop CF, edit the neo-cron.xml file, start CF, but that's not going to work long term. Please advise...

    Participating Frequently
    May 17, 2025

    I tried updating a couple of our servers running CF2021 U19 to CF2021 U20.

    The updater completed without any errors, but our applications immediately started throwing an error stating:

    Enable SessionManagement to use Session manipulation methods.

    This is coming from our application.cfc file, but it definitely has a line near the top of the component enabling session management:

    this.sessionmanagement = true;

    Additionally, there's a warning in one of the logfiles stating:

    Session management is not enabled.

    I also double checked the ColdFusion Administrator settings and session management is definitely enabled (using memory), as it was before we applied the update.

    Any ideas? For now I've rolled back our snapshot on these 2 servers and will hold off on updating our other servers until we can figure this out.

    Thanks


    Charlie Arehart
    Community Expert
    May 17, 2025

    Brian, if you're concluding (or warning) that folks should beware of this happening upon updating, I can say it has not happened to any of the dozens of instances I've updated or helped others update this week.

    As such, whatever is amiss for you seems quite unique. And perhaps Adobe or someone else will step in with a ready explanation/fix/workaround. Until then, I'll ask some questions. First, what platform are you on? It might be helpful to hear.

    Second, you say the "updater completed without any errors". How are you measuring that? By the pop-up msg at the end? Or by the update install log within hf-updates? And did it show 0 fatalerrors and nonfatalerrors? It's possible that's where something went amiss.

    Next, did you confirm there were no new errors during the startup, as tracked in the coldfusion-out.log? Look especially during the startup which followed the update. That should show uninstallation (only) or any packages update (it never shows their "installation" after that).

    Before you might report the various errors you may/will see, please do look also at the log's tracking of the startups BEFORE the update: we're only focusing on what errors are new on the startup AFTER the update. (And if you've since restarted CF and your issue remains, you could assess as well the startup logs for that. But look especially at the first startup after the update, which alone should have attempted the package updates.)

    Let us know what you find. And if no other solution comes up from others, I suspect I could help you get things working (via a remote screenshare consulting session, in perhaps as little as 15 mins, even this weekend). If I can't help, you'd not pay for my time. If we found some new bug, you could report it to Adobe. Or again they may offer you direct help, or someone else here may provide a solution.

    /Charlie (troubleshooter, carehart.org)

    Participating Frequently
    May 24, 2025

    I did a bit of testing and have some additional info:

    [1] The update installer log doesn't show any errors.

    Installation: Successful.

    1806 Successes
    0 Warnings
    0 NonFatalErrors
    0 FatalErrors


    The only thing that isn't a clear and clean success in the file is this section where it's stopping services:


    [SC] QueryServiceConfig SUCCESSSERVICE_NAME: ColdFusion 2021 Application Server TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : "C:\ColdFusion2021\cfusion\bin\coldfusionsvc.exe" LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : ColdFusion 2021 Application Server DEPENDENCIES : SERVICE_START_NAME : [serviceaccountname@domain]
    Status: SUCCESSFUL

    SERVICE_NAME: ColdFusion 2021 Application Server TYPE : 10 WIN32_OWN_PROCESS STATE : 3 STOP_PENDING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x3 WAIT_HINT : 0x3a98
    Status: SUCCESSFUL

    [SC] ControlService FAILED 1061:The service cannot accept control messages at this time.
    Status: SUCCESSFUL

    [SC] ControlService FAILED 1062:The service has not been started.
    Status: SUCCESSFUL

    [SC] ControlService FAILED 1062:The service has not been started.
    Status: SUCCESSFUL

    [SC] ControlService FAILED 1062:The service has not been started.
    Status: SUCCESSFUL

    Custom Action: com.adobe.ia.action.ServersStartStopAction
    Status: SUCCESSFUL


    I believe these are simply referring to the fact that we have the other CF services disabled, and only run the ColdFusion Application Server service.

    [2] After the update installer finishes and services are restarted, the application (website) works without issue. Only after we restart the server (VM) itself do we get the issue. We're able to restart the server just fine on CF 2021 U19 without issue, but on CF 2021 U20 we encounter the issue.

    [3] At one point, I was able to get past the "Enable SessionManagement to use Session manipulation methods." error, but I don't know how. I think it may have been related to going into CF Admin and enabling session management (even though it was already enabled) then clearing the template and component caches. After I got past this error, I ran into another error related to org.hibernate.HibernateException. This isn't the exact output, but it's similar.


    Message org.hibernate.HibernateException not found by orm [198]
    StackTrace java.lang.ClassNotFoundException: org.hibernate.HibernateException not found by orm [198] at org.apache.felix.framework.BundleWiringImpl.findClassOrResourceByDelegation(BundleWiringImpl.java:1597) at org.apache.felix.framework.BundleWiringImpl.access$300(BundleWiringImpl.java:79) at org.apache.felix.framework.BundleWiringImpl$BundleClassLoader.loadClass(BundleWiringImpl.java:1982) at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521) at coldfusion.orm.hibernate.ConfigurationManager.initConfiguration(ConfigurationManager.java:68) at coldfusion.orm.hibernate.HibernateProvider.initializeORMForApplication(HibernateProvider.java:168) at coldfusion.orm.hibernate.HibernateProvider.beforeApplicationStart(HibernateProvider.java:77) at
    ...


    [4] In a separate folder with a barebones application.cfc and index.cfm, I don't encounter the error (either one). This works without issue and outputs the session struct/scope before and after setting the test variable. Though this is not using the session manipulation methods we normally use in our real application.cfc.

    component {
        this.name = "Testing";
        this.sessionmanagement = "Yes";
        function onSessionStart() {}
        function onRequestStart() {}
        function onRequestEnd() {}
    }

    test123
    <CFDUMP VAR="#session#">
    <CFSET session.test = 'abc'>
    <CFDUMP VAR="#session#">

    [5] There are differences in log output between U19 and U20 when the server starts up. For example, coldfusion-out.log used to have something like this after server startup:

    May 24, 2025 05:19:19 AM Information [main] - ColdFusion started
    May 24, 2025 05:19:19 AM Information [main] - ColdFusion: application services are now available
    May 24, 2025 05:19:19 AM Error [Thread-26] - Connect to 127.0.0.1:8989 [/127.0.0.1] failed: Connection refused: connect http://127.0.0.1:8989/PDFgServlet/
    May 24, 2025 05:19:19 WARN [main] - Unable to determine dialect of the StAX implementation at jar:file:/C:/ColdFusion2021/cfusion/lib/bundleaxis/wstx-asl-3.2.9.jar!/
    May 24, 2025 05:19:19 AM Warning [main] - Unable to determine dialect of the StAX implementation at jar:file:/C:/ColdFusion2021/cfusion/lib/bundleaxis/wstx-asl-3.2.9.jar!/
    May 24, 2025 05:19:20 AM Information [main] - Invoked onServerStart method on CFC server
    May 24, 2025 05:19:53 AM Information [ajp-nio-127.0.0.1-8020-exec-3] - HHH000412: Hibernate Core {[WORKING]}
    May 24, 2025 05:19:53 AM Information [ajp-nio-127.0.0.1-8020-exec-3] - HHH000206: hibernate.properties not found
    May 24, 2025 05:19:54 AM Information [ajp-nio-127.0.0.1-8020-exec-3] - HCANN000001: Hibernate Commons Annotations {5.0.1.Final}
    May 24, 2025 05:19:54 AM Information [ajp-nio-127.0.0.1-8020-exec-3] - HHH000130: Instantiating explicit connection provider: coldfusion.orm.hibernate.CFConnectionProvider
    May 24, 2025 05:19:54 AM Information [ajp-nio-127.0.0.1-8020-exec-3] - HHH000400: Using dialect: org.hibernate.dialect.SQLServer2012Dialect
    May 24, 2025 05:19:54 AM Warning [ajp-nio-127.0.0.1-8020-exec-3] - HHH90000023: Encountered use of deprecated Connection handling settings [hibernate.connection.acquisition_mode]or [hibernate.connection.release_mode]; use [hibernate.connection.handling_mode] instead
    May 24, 2025 05:19:55 AM Warning [ajp-nio-127.0.0.1-8020-exec-3] - HHH90000022: Hibernate's legacy org.hibernate.Criteria API is deprecated; use the JPA javax.persistence.criteria.CriteriaQuery instead
    May 24, 2025 05:19:55 AM Warning [ajp-nio-127.0.0.1-8020-exec-3] - SQL Warning Code: 5701, SQLState: 01000
    May 24, 2025 05:19:55 AM Warning [ajp-nio-127.0.0.1-8020-exec-3] - [Macromedia][SQLServer JDBC Driver][SQLServer]Changed database context to 'DatabaseName'.
    May 24, 2025 05:19:55 AM Warning [ajp-nio-127.0.0.1-8020-exec-3] - SQL Warning Code: 5703, SQLState: 01000
    May 24, 2025 05:19:55 AM Warning [ajp-nio-127.0.0.1-8020-exec-3] - [Macromedia][SQLServer JDBC Driver][SQLServer]Changed language setting to us_english.
    May 24, 2025 05:21:00 AM Information [DefaultQuartzScheduler_Worker-1] - Task default.General - Check Server Status triggered.
    May 24, 2025 05:21:00 AM Information [DefaultQuartzScheduler_Worker-1] - Starting HTTP request {URL='https://site.com/_scheduledTasks/check_server_status.cfm', method='get'}
    May 24, 2025 05:21:00 AM Information [DefaultQuartzScheduler_Worker-1] - HTTP request completed  {Status Code=200 ,Time taken=219 ms}


    After the update, it appears much the same, but after a restart following the update, that output changes and is notably missing the lines mentioning "hibernate" or the SQL datasource:

    May 24, 2025 10:42:26 AM Information [main] - ColdFusion started
    May 24, 2025 10:42:26 AM Information [main] - ColdFusion: application services are now available
    May 24, 2025 10:42:27 AM Error [Thread-26] - Connect to 127.0.0.1:8989 [/127.0.0.1] failed: Connection refused: connect http://127.0.0.1:8989/PDFgServlet/
    May 24, 2025 10:42:27 WARN [main] - Unable to determine dialect of the StAX implementation at jar:file:/C:/ColdFusion2021/cfusion/lib/bundleaxis/wstx-asl-3.2.9.jar!/
    May 24, 2025 10:42:27 AM Warning [main] - Unable to determine dialect of the StAX implementation at jar:file:/C:/ColdFusion2021/cfusion/lib/bundleaxis/wstx-asl-3.2.9.jar!/
    May 24, 2025 10:42:28 AM Information [main] - Invoked onServerStart method on CFC server
    May 24, 2025 10:42:29 AM Warning [ajp-nio-127.0.0.1-8020-exec-1] - Session management is not enabled.
    May 24, 2025 10:42:29 AM Warning [ajp-nio-127.0.0.1-8020-exec-8] - Session management is not enabled.
    May 24, 2025 10:42:29 AM Warning [ajp-nio-127.0.0.1-8020-exec-8] - No paths found for key 'bytecodeexectuionpaths' in pathfilter.json
    May 24, 2025 10:42:29 AM Error [ajp-nio-127.0.0.1-8020-exec-8] - Enable SessionManagement to use Session manipulation methods. The specific sequence of files included or processed is: C:\inetpub\wwwroot\site.com\index.cfm, line: 130
    May 24, 2025 10:42:29 AM Error [ajp-nio-127.0.0.1-8020-exec-1] - Enable SessionManagement to use Session manipulation methods. The specific sequence of files included or processed is: C:\inetpub\wwwroot\site.com\index.cfm, line: 130
    May 24, 2025 10:42:47 AM Information [http-nio-8500-exec-3] - Session rotated successfully.
    May 24, 2025 10:42:49 AM Information [http-nio-8500-exec-10] - Starting HTTP request {URL='https://www.adobe.com/go/coldfusion-updates', method='get'}
    May 24, 2025 10:42:49 AM Information [http-nio-8500-exec-10] - HTTP request completed  {Status Code=200 ,Time taken=95 ms}
    May 24, 2025 10:43:10 AM Information [http-nio-8500-exec-5] - Starting HTTP request {URL='https://www.adobe.com/go/coldfusion-updates', method='get'}
    May 24, 2025 10:43:10 AM Information [http-nio-8500-exec-5] - HTTP request completed  {Status Code=200 ,Time taken=80 ms}
    May 24, 2025 10:43:59 AM Warning [ajp-nio-127.0.0.1-8020-exec-10] - Session management is not enabled.
    May 24, 2025 10:43:59 AM Error [ajp-nio-127.0.0.1-8020-exec-10] - Enable SessionManagement to use Session manipulation methods. The specific sequence of files included or processed is: C:\inetpub\wwwroot\site.com\index.cfm, line: 130


    I grabbed the entire log folder and will look into this further next week alongside one of our devs. I may file a ticket with Adobe.

    [6] I can find no reference to the "Enable SessionManagement to use Session manipulation methods" error message in our own code.

    I'll continue to update with anything I figure out.
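
The before/after startup comparison Charlie asks for and Brian did by eye, as an added example (not code from the thread or from Adobe): it splits coldfusion-out.log into startup segments at each "ColdFusion started" line and reports the warnings and errors new to the latest segment, any Hibernate lines that went silent, and the bundle ids of "not found by orm [N]" class-loading failures. The sample lines are constructed from the excerpts above; the HibernateException line is borrowed from Brian's exception dump and would not necessarily appear in coldfusion-out.log in that form.

```python
import re

# Constructed sample modelled on the coldfusion-out.log excerpts quoted above: one startup before the update (05:19), one after (10:42).
SAMPLE_LOG = """\
May 24, 2025 05:19:19 AM Information [main] - ColdFusion started
May 24, 2025 05:19:19 AM Error [Thread-26] - Connect to 127.0.0.1:8989 [/127.0.0.1] failed: Connection refused: connect http://127.0.0.1:8989/PDFgServlet/
May 24, 2025 05:19:54 AM Information [ajp-nio-127.0.0.1-8020-exec-3] - HHH000400: Using dialect: org.hibernate.dialect.SQLServer2012Dialect
May 24, 2025 10:42:26 AM Information [main] - ColdFusion started
May 24, 2025 10:42:27 AM Error [Thread-26] - Connect to 127.0.0.1:8989 [/127.0.0.1] failed: Connection refused: connect http://127.0.0.1:8989/PDFgServlet/
May 24, 2025 10:42:29 AM Warning [ajp-nio-127.0.0.1-8020-exec-1] - Session management is not enabled.
May 24, 2025 10:42:29 AM Error [ajp-nio-127.0.0.1-8020-exec-8] - Enable SessionManagement to use Session manipulation methods. The specific sequence of files included or processed is: C:\\inetpub\\wwwroot\\site.com\\index.cfm, line: 130
May 24, 2025 10:42:30 AM Error [ajp-nio-127.0.0.1-8020-exec-8] - org.hibernate.HibernateException not found by orm [198]
"""

# Timestamp, level, [thread], " - ", message. AM/PM is optional: the StAX "WARN" lines in the thread omit it.
LINE_RE = re.compile(r"^[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}(?: [AP]M)? "
                     r"(?P<level>\w+) \[(?P<thread>[^\]]+)\] - (?P<msg>.*)$")
ORM_BUNDLE_RE = re.compile(r"not found by orm \[(\d+)\]")
PROBLEM_LEVELS = {"Error", "ERROR", "Warning", "WARN"}
STARTUP_MARKER = "ColdFusion started"

def parse(text):
    """(level, message) per recognised line; the thread name is dropped because
    request-thread ids (exec-1, exec-8) differ on every startup."""
    return [(m.group("level"), m.group("msg"))
            for m in map(LINE_RE.match, text.splitlines()) if m]

def split_startups(entries):
    """Group entries into segments, each opened by a 'ColdFusion started' line."""
    segments = []
    for entry in entries:
        if entry[1] == STARTUP_MARKER or not segments:
            segments.append([])
        segments[-1].append(entry)
    return segments

def new_problems(before, after):
    """Warnings/errors the later startup logged that the earlier one never did."""
    seen, out = set(before), []
    for entry in after:
        if entry[0] in PROBLEM_LEVELS and entry not in seen:
            seen.add(entry)
            out.append(entry)
    return out

def compare_last_two(text, keyword="hibernate"):
    """Diff the two most recent startups: new problems, `keyword` lines that went silent
    (Brian's vanished Hibernate bootstrap) and 'not found by orm [N]' class-loading misses."""
    segments = split_startups(parse(text))
    if len(segments) < 2:
        raise ValueError("need two startups to compare")
    before, after = segments[-2], segments[-1]
    later = {msg for _, msg in after}
    return {
        "new_problems": new_problems(before, after),
        "missing": [msg for _, msg in before
                    if keyword.lower() in msg.lower() and msg not in later],
        "orm_bundle_ids": [m.group(1) for _, msg in after
                           for m in ORM_BUNDLE_RE.finditer(msg)],
    }

if __name__ == "__main__":
    for key, value in compare_last_two(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Point it at the real log by reading cfusion/logs/coldfusion-out.log into compare_last_two(); a "not found by orm" hit is the case where the thread's felix-cache clearing applies.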

    Charlie Arehart
    Community Expert

    Brian, thanks for the update, and you've shared a lot that I and others could respond to. But let's start with something simple.

    1) In your last point you refer to the code failing (with these session errors) because of line 130 of index.cfm, at the indicated path. Have you checked that? If so, what is it doing that has to do with session vars? We DO want to know (for now) what code it is that's failing. (I realize it may well be ANYTHING to do with using session vars. We want to KNOW.)

    1a) On the other hand, you may say that either there IS no line 130 in that file, or no CFML on that line 130, or that whatever CFML is there seems to have absolutely nothing to do with this error. This is a common problem, but you CAN find the CORRECT file: see the exception.log (in the same cfusion/logs as other CF logs). What does THAT say is the actual file, whose line 130 has the error? And what does that line do? Can you share it? Or if not, can you tell readily what it says it's doing?

    2) You say you created a test folder with a simplified application.cfc, and it works. That's great. And you do confirm that works after a box restart as well, right? (That's very odd that you have ANY issue that occurs ONLY after a box restart and not just a CF restart alone. For now, let's leave that one alone.) I just mean to say it seems in your interest to confirm that this test app works after such a box restart. Please confirm.

    3) But you say also about this test app that it "is not using the session manipulation methods we normally use in our real application.cfc." I'm very curious to hear what you are referring to there. Again, I'd said I'd never heard the term "session manipulation methods", until you mentioned initially here that you were getting the error, "Enable SessionManagement to use Session manipulation methods."

    So what ARE those "session manipulation methods" that you "know" are in the real app and not this test one? What happens if you add even ONE of them to this test app? And please tell us what it is. (And is it what you find gets reported as being on line 130 above?)

    4) Finally, again focusing for now on just this error, you've not indicated in any of your notes if you had done what's discussed in comments here BEFORE yours (and in recent technotes), about the value of "clearing the felix cache". If you know what that is, had you done it after the update?

    If you don't know about it, it's the recommendation (in some CF update technotes and being made generally by folks like myself to do after ALL CF updates) where you stop CF, delete the folder cfusion/bin/felix-cache (no need to "save it"), then restart CF (which will recreate it and all its contents). It has to do with clearing out java jars and classes implemented by CF based on whatever CF package versions you had that may have changed.

    4a) Then do your tests again: the real app, the test app, and confirming also if they work after a box restart (not merely a CF restart, since you say that's its own issue).

    Looking forward to hearing what you

    /Charlie (troubleshooter, carehart.org)

    Inspiring
    May 15, 2025

    Just a note for others that may have this issue.


    For one of my clients on CF2021 Update 19, upgrading to Update 20 caused PDF errors. Issue was resolved after deleting the cfusion/bin/felix-cache folder and restarting ColdFusion (ColdFusion service needs to be stopped before deleting it).

    Charlie Arehart
    Community Expert
    May 15, 2025

    Thanks for sharing, Roberto. Yes, this has been a step frequently mentioned in recent CF update technotes. I was surprised to see it not in this one, and I hoped it meant that at least those coming from the April update maybe didn't need to.

    Really, I just now recommend doing it after every CF update, as part of good hygiene. And I recommended it in my post this week on the update.

    If nothing else, I hope Adobe will consider whether that suggestion to do it should be added to this latest update's technote. And until then, let's hope this suggestion of yours helps others finding this post.

    /Charlie (troubleshooter, carehart.org)