Community Manager
May 13, 2025
Question

NOW LIVE! ColdFusion 2025, 2023, and 2021 May security updates

  • May 13, 2025
  • 5 answers
  • 3262 views

We are pleased to inform you that we've released security updates for ColdFusion 2025, 2023, and 2021 releases. For more information, see the respective tech notes:

 

These updates resolve several critical and important vulnerabilities that could lead to arbitrary file system read, arbitrary code execution, and security feature bypass. View the security bulletin, APSB25-52, for more information.

 

Download the updates

 

What's new in the updates

  • New JVM flags
  • Changes to remote method
  • Refreshed add-on installers
  • Pathfilter changes

 

Others

  • Bug fixes
  • Known issues

 

Docker and cffiddle

 

Please download and apply the updates and provide your feedback.

    5 answers

    Participating Frequently
    June 12, 2025

    On a 2023 box I'm running into the problem that my scheduled tasks are missing.
    According to the patch notes this is expected, but the neo-cron.bak file that I should be able to restore is also empty.

    Charlie Arehart
    Community Expert
    June 13, 2025

    Sadly, yes. This is a long-time problem of the scheduled task mechanism, that it keeps only one generation of backup--and various things cause CF to rotate that, so that a problem can quickly make it that no good backup remains, unless you take one yourself (and few bother). I will note that the technote was modified some days after it came out to warn that "Before applying the update, take a backup of the neo-cron.xml file located in the <cf_root>/cfusion/lib directory." That's of course too late for you.

     

    If you have no server backup to revert to, then you may be out of luck with no choice but to recreate the tasks. As for what their name and URL was, you can find that info in the scheduler.log (if you told CF to log tasks, which tracks the name and time) and in the http.log (which tracks ALL calls out of CF to any url, whether via cfhttp or via a scheduled task, and which tracks the url and the time).

     

    (And if anyone may wonder if the backup folder for the update, within hf-updates, might track the neo-cron.xml file, sadly it does not. I have not ever found any of the neo*.xml files in there.)

     

    While we're on this topic, a thought would be that some people may come to realize that it could be valuable to put the neo-cron.xml files under some sort of version control--automatically detecting and saving when the file changes. But I'll add also that the CF2023 feature called CCS (or central configuration service) would itself track backups of changes made. Again, all too late for those bit by this update issue already. I don't work for Adobe and had no hand in the matter, other than trying to help people once it's happened.

    /Charlie (troubleshooter, carehart. org)
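    Charlie's suggestion above of automatically detecting and saving changes to neo-cron.xml, as an added example that is not from the thread, from Adobe, or from any CF tool: a shell script that keeps a change-detected, multi-generation history of the file and refuses to record an empty copy (the state reported in the first reply). It assumes a Linux/Unix ColdFusion install; CF_ROOT and the backup directory are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from Adobe: a change-detected,
# multi-generation backup of neo-cron.xml, so more than one good copy survives
# CF's single-generation neo-cron.bak rotation. Run it from cron before each
# update and on a timer. CF_ROOT and BACKUP_DIR are placeholder paths.
set -eu

file_digest() {
    # SHA-256 of a file: sha256sum on Linux, shasum on macOS/BSD.
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# snapshot_neo_cron SRC DIR [KEEP]
# Copies SRC into DIR as neo-cron.NNNN.xml only when its content differs from
# the newest snapshot, then prunes DIR down to KEEP generations (default 10).
# Prints one of: saved, unchanged, skipped-empty. Never overwrites a snapshot.
snapshot_neo_cron() {
    local src="$1" dir="$2" keep="${3:-10}" latest seq count
    mkdir -p "$dir"
    # An empty or missing file is exactly the bad state reported in the thread;
    # saving it would only push a good generation out of the history.
    if [ ! -s "$src" ]; then echo "skipped-empty"; return 0; fi
    latest=$(ls "$dir"/neo-cron.[0-9]*.xml 2>/dev/null | sort | tail -n 1 || true)
    seq=0
    if [ -n "$latest" ]; then
        if [ "$(file_digest "$src")" = "$(file_digest "$latest")" ]; then
            echo "unchanged"; return 0
        fi
        seq=${latest##*/neo-cron.}          # e.g. 0007.xml
        seq=$(expr "${seq%.xml}" + 0)       # sequence number of the newest copy
    fi
    cp -p "$src" "$dir/neo-cron.$(printf '%04d' $((seq + 1))).xml"
    # Prune the oldest copies beyond KEEP; the newest is never removed.
    count=$(( $(ls "$dir"/neo-cron.[0-9]*.xml | wc -l) ))
    if [ "$count" -gt "$keep" ]; then
        ls "$dir"/neo-cron.[0-9]*.xml | sort | head -n $((count - keep)) |
            while read -r old; do rm -f "$old"; done
    fi
    echo "saved"
}

# Stand-alone use, e.g. from cron:
#   snapshot_neo_cron.sh "$CF_ROOT/cfusion/lib/neo-cron.xml" "$BACKUP_DIR" 20
if [ "$#" -ge 2 ]; then snapshot_neo_cron "$@"; fi
```

A copy saved this way is restored the same way the technote describes for neo-cron.bak: stop CF, copy the chosen generation back over cfusion/lib/neo-cron.xml, start CF.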
    Participating Frequently
    May 30, 2025

    The classification of this update appears to have changed silently from 3 to 1?

    And why doesn't adobe just ship an update for the mysql driver via the package manager?

    Participating Frequently
    May 30, 2025

    I'm running into issues and had to roll the update back/restore a snapshot. Also seeing a hibernation-like error @Brian32294452d08h is dealing with that I have a hard time explaining.
    Will look into this with development.
    org.hibernate.engine.jdbc.dialect.spi.DialectResolutionInfo not found by orm [197]

     

    Are there any steps to take to mitigate the reason why this patch now has priority 1?

    I've verified that adobe did indeed communicate this patch originally as priority 3.
    Adobe really should communicate these changes.

    Participating Frequently
    June 4, 2025

    Stopping the CF instance, clearing the Felix cache, and restarting the CF instance appears to work to temporarily get rid of this not found by ORM error.

    Inspiring
    May 30, 2025

    After applying the update, we are no longer able to edit/save scheduled tasks. The admin screen says "Invalid extension of the file name. Valid extensions are :log,txt". The work around: stop cf, edit the neo-cron.xml file, start cf, but that's not going to work long term. Please advise...

    Participating Frequently
    May 17, 2025

    I tried updating a couple of our servers running CF2021 U19 to CF2021 U20.

     

    The updater completed without any errors, but our applications immediately started throwing an error stating:

    Enable SessionManagement to use Session manipulation methods.

     

    This is coming from our application.cfc file, but it definitely has a line near the top of the component enabling session management:

    this.sessionmanagement = true;

     

    Additionally, there's a warning in one of the logfiles stating:

    Session management is not enabled.

     

    I also double checked the ColdFusion Administrator settings and session management is definitely enabled (using memory), as it was before we applied the update.

     

    Any ideas?  For now I've rolled back our snapshot on these 2 servers and will hold off on updating our other servers until we can figure this out.

     

    Thanks

     

     

    Charlie Arehart
    Community Expert
    May 17, 2025

    Brian, if you're concluding (or warning) that folks should beware of this happening upon updating, I can say it has not happened to any of the dozens of instances I've updated or helped others update this week. 

     

    As such, whatever is amiss for you seems quite unique. And perhaps Adobe or someone else will step in with a ready explanation/fix/workaround. Until then, I'll ask some questions. First, what platform are you on? It might be helpful to hear. 

     

    Second, you say the "updater completed without any errors". How are you measuring that? By the pop-up msg at the end? Or by the update install log within hf-updates? And did it show 0 fatalerrors and nonfatalerrors? It's possible that's where something went amiss.

     

    Next, did you confirm there were no new errors during the startup, as tracked in the coldfusion-out.log? Look especially during the startup which followed the update. That should show uninstallation (only) or any packages update (it never shows their "installation" after that).

     

    Before you might report the various errors you may/will see, please do look also at the log's tracking of the startups BEFORE the update: we're only focusing on what errors are new on the startup AFTER the update. (And if you've since restarted cf and your issue remains, you could assess as well the startup logs for that. But look especially at the first startup after the update, which alone should have attempted the package updates.)

     

    Let us know what you find. And if no other solution comes up from others, I suspect I could help you get things working (via a remote screenshare consulting session, in perhaps as little as 15 mins, even this weekend). If I can't help, you'd not pay for my time. If we found some new bug, you could report it to Adobe. Or again they may offer you direct help, or someone else here may provide a solution.

    /Charlie (troubleshooter, carehart. org)
    Participant
    May 28, 2025

    1)   Line 130 is in our application.cfc file, and it's part of the onError function.  Line 130 is simply:

    sessionInvalidate();

     

    With line 130 commented out and allowing the onError function to dump some info out, we see the error referencing org.hibernate.HibernateException. So we must be hitting the org.hibernate.HibernateException somewhere in our application.cfc, which then causes the onError function to be called, which then (with line 130 enabled) throws the other error about session manipulation methods.

     

    CF 2023 U5 mentions a similar org.hibernate.HibernateException error in the patch notes https://helpx.adobe.com/coldfusion/kb/coldfusion-2023-update-5.html

    But I can't actually get the issue to load in the bug tracker.  I can't even search for anything in the bug tracker right now.

    https://tracker.adobe.com/#/view/CF-4218706

     

    If I select ColdFusion from the drop down, it just says "Loading Form" forever. Hopefully this is a temporary issue with the bug tracker site.

     

    2)  Yes, with a very simple application.cfc it works even after a restart.

     

    3)  I'm not familiar with what this particular application is doing specifically, but the application.cfc does a lot of stuff related to setting up server variables, queries, ORM-related stuff, etc.  I believe the hibernate error is a reference to the ORM stuff (https://hibernate.org, https://helpx.adobe.com/coldfusion/developing-applications/coldfusion-orm/introducing-coldfusion-orm.html).  I don't know if it's something that we're doing that's breaking it in U20 (but is fine under U19, and somehow fine in U20 before the server VM restart), or if it's something buggy with U20.

     

    4)  I've cleared the Felix cache before in updates that mention it.  I didn't clear it for this update since I didn't see a mention of it.  I can give that a try the next time I get a window to work in.

     

    I likely won't get to look into this more until the end of this coming week, but I'll post back as soon as I have any more info.


    I am having similar issues with our CF21 environment (Windows Server 2022).  In my testing, after applying U20 to the system, we start seeing the same error message org.hibernate.HibernateException not found by orm.  I am able to get the issue to go away after uninstalling the ORM and ORMSEARCH packages, clearing the felix cache, and then reinstalling the packages.  But the issue returns after the CF service is restarted.  I found a similar issue in CF23 per https://tracker.adobe.com/#/view/CF-4218706.  I applied the workaround of removing the javax.persistence entry from the <cfusion>/lib/exportpackages.txt file and that seems to fix the issue when the service is restarted.  Hopefully this will be resolved in a future update and I won't uncover other issues that the workaround has caused.

    Inspiring
    May 15, 2025

    Just a note for others that may have this issue.

     

    For one of my clients on CF2021 Update 19, upgrading to Update 20 caused PDF errors. Issue was resolved after deleting the cfusion/bin/felix-cache folder and restarting ColdFusion (ColdFusion service needs to be stopped before deleting it).

    Charlie Arehart
    Community Expert
    May 15, 2025

    Thanks for sharing, Roberto. Yes, this has been a step frequently mentioned in recent cf update technotes. I was surprised to see it not in this one, and I hoped it meant that at least those coming from the April update maybe didn't need to.

     

    Really, I just now recommend doing it after every cf update, as part of good hygiene. And I recommended it in my post this week on the update.

     

    If nothing else, I hope Adobe will consider whether that suggestion to do it should be added to this latest update's technote. And until then, let's hope this suggestion of yours helps others finding this post.

    /Charlie (troubleshooter, carehart. org)