NOW LIVE! ColdFusion 2025, 2023, and 2021 September security updates

@wtlaughlin , I am not finding the link to that update jar to fail. I can offer the working link, and then below that I report a problem of a link that IS incorrect in another page about cf2023's update 16.

1) As you may have noticed, the link you show is missing a domain name. Have you tried it as the full URL, https://cfdownload.adobe.com/pub/adobe/coldfusion/2021/packages/hotfix-packages-cf2021-022-330451.zi... That works for me. If it works, great.

As for where you found the bad link, I'll note that I don't see that shortened version (without the domain name) in any of the pages offering that download (which would be either the CF2021 update 22 technote or the page listing all the cf2021 updates (and those links for each). Can you say where you found it?

2) Then again, as a note to Saurav (who handles the docs) and other readers here: note that I DO find a mistaken link in the page of cf2023 updates for the CF2023 update 16 jar.  It offers the link as https://cfdownload.adobe.com/pub/adobe/coldfusion/2023/updates/hotfix-015-330828.jar , but see the mistake: it refers to 015 rather than 016—but the numbers following it are correct for the build number, so just changing that 15 to 16 works: https://cfdownload.adobe.com/pub/adobe/coldfusion/2023/updates/hotfix-016-330828.jar  

I confirmed that the links to the jar and zip as offered in the 3 release update technotes are correct, as are all the other links for today's updates in the pages that list all the updates for each release, with their file download links (but this one problem in my point 2 above).

It's a lot for Saurav to juggle, of course. As always, just trying to help (him and other readers).

Thanks Charlie. I've updated the link.

None of our servers are detecting an update being available in CF Administrator.

@a_1001 it's appeared on the dozen machines I've updated since yesterday afternoon (on multiple networks, between my own machines and those of some clients who've asked me to do the updates for them already) . As always, there seems to be some lag on caching issue that SOME experience, but it's not at all universal nor the majority. It usually passes within a day or two.

See more I'll have to say to w49369461 below. 

The Zip file download is working for me now, thanks. It wasn't truncated in the actual link, only in the error message; but in any case, the link is working now. It wasn't the link to the JAR file, but rather to the Zip containing the bundles, which I need for the Enterprise update: https://cfdownload.adobe.com/pub/adobe/coldfusion/2021/packages/hotfix-packages-cf2021-022-330451.zi... (I copied and pasted the URL manually to test). Maybe the Zip file was still being uploaded at that point? I did jump on the download as soon as the announcement came through...

wt, I did understand that your focus was the zip. That's why I'd offered the link to that. Glad all is working for you now. (My reference to the JAR was for Saurav's sake, to correct as it was indeed just a bad href url.)

But yes, it can be that caching anywhere along the line (between your CF instance/testing browser and the Adobe server) could have been stale or incorrect and then corrected. Something folks should consider when they want to "jump on an update" as soon as it comes out. 🙂

Chuck, 2 things.

1) First, uep, as for your "inconsistencies" about accessing the URLs (or what's returned from them), that's a common problem for some (not everyone) in the first hours or even day after these updates are released. I assume Adobe is using some CDN, yes, or some other sort of caching within their large enterprise architecture. Sadly, some may be out of our hands (and the CF teams's.

I do find it odd that some have the problems and others don't--which makes me think it's more NOT about Adobe's server's or architecture, per se. But who can know? 🙂

2) Also yes: the feed package was updated for CF2023.

And it may help to know that Adobe does in fact offer a table at the bottom of each update technote which lists what packages are due to be updated along with the core update, for each update. (And another after that listing whether the web server connector needed to be updated, per each update.)

Of course, if one SKIPs any updates, then you get updates to whatever packages are listed below that as well, for the updates you skipped.

Better still, one could look in the CF Admin to see what packages it may list as "to be updated". Of course, some may not pay notice it--and others run the update from the commandline, not even seeing the Admin.

For either of them, one can look to the update log (created for each update, within the cfusion/hf-updates folder for the update applied). As some may know, that shows first (at about line 70) how many "successes" and "fatalerrors" happened in the update. And THEN it also lists (several lines up from the bottom) what packages (if any) were downloaded (to be updated).

And as some may know, those are then updated NOT at THAT time (during the CF update) but on the next start of CF AFTER the update. And one can see in the coldfusion-out.log that during that next startup, it will show first "uninstalling" packages and associated jars, but it won't show "installing" them. It will just show them being "started".

Each of those are useful to watch after each update.  🙂

@w49369461 that url is indeed "working" for many and showing references to yesterday's update within the xml itn returns. As I noted just now in a reply to a_1001, some people seem to experience a lag in the updated content appearing to them, for whatever reason (web caches, cdn's, etc) . The complaints about it usually passes within a day of the update. 

Have you tried the url from your phone or home? Does it have a reference to "- 022", for instance, which is part of the string describing update 22 of cf2021?

If so, you could then follow the steps to "Install the update in offline mode manually" as outlined in each update's technote. In this case you'd download the needed files (whose links are offered in the technote) onto that other machine , then copy them to the CF machine to be updated. Not fun, I realize. Or wait to see if the web caching issues clear for you. 

We have tried it from a number of locations. We have never experienced the cache lasting this long, which is why I made the comment. Just in case it is a legit issue that Adobe were not aware of.

Not seing the update on any UK devices. Servers, phones, laptops, all on various connections.  So I assume its a CDN cache. 

We will wait for a day to see if turns up, prefer this over manually doing it.

We are also UK and as per my comment above, not seeing anything in CF Admin which is what we normally use to download and apply updates. I've applied the update manually to a dev box to allow testing but woud prefer to use the CF Admin method for production.

I was able to get it for download on one our servers late last night but this morning it is not allowing download through the CF administrator on another server after I confirmed it was ready for download.

It is incredibly frustrating that Adobe keeps having issues with their updates and the numerous mistakes that happen time after time in the documentation and downloads.

@Saurav_Ghosh  Can you weigh in here, should this be caching for this long? is there an issue?

It's certainly interesting to hear you're both in the UK. I was tempted to ask originally. Will be very interesting if that clue helps anyone identify the root cause problem.

In the meantime, would any of you be in a position to change the cf update proxy settings to use a VPN the routes your traffic through a US server? (Should you have to? No. Neither should people have to suffer the pain of some medical treatments: but we weigh that against the disease.)

To be clear, the cf admin package manager page has a "settings" tab at the top, which offers this proxy option.

Or let's see what other news shakes out. 

The update is now appearing in CF Admin for download, however when I install it the Feed package is removed. Checking 'www.adobe.com/go/coldfusion-packages' there is no entry for a feed bundle for this update, at least in my region - yet, this is for CF 2021. Im going to run a manual update.

Did you happen to try just installing that feed package, vs an entire manual install of the update?

Beyond that, I have a few more suggestions related to @a_1001 's observation. 

To be clear, all 3 of this week's updates DO indicate that the feed package (alone) is to updated. (As for whether it IS updated is another question. I found on one of the versions it was not.) 

But you're saying it was/remained REMOVED after the update. I've not seen that yet among the dozen updates I've done this week.

Note that when a package IS to be updated, it is in fact first REMOVED--as tracked during the startup of cf, in the coldfusion-out.log. But while it does NOT show it being "installed" or even "updated" in that log: it only shows installed ones being "started". 

I suspect you'll find in the log that after the feed package was uninstalled, there was another message (perhaps a dozen or more lines later) indicating whatever specifically happened.

That's not new to this update (that such a package update failed can happen, and that it's logged, which could explain WHY it happened and might suggest a solution).

I just saying it might help you and others to explore a bit further. But perhaps you've already proceeded with the manual cf update--or maybe just installing the package will suffice.

I do appreciate your sharing the observed problem. I'm just trying to help with possible diagnosis and resolution. I cover that a bit more in my blog post about the update (much of which applies to any cf update). 

Thanks Charile, your insight is highly appreciated on these forums as always. I've since rolled back my server from the original attempt so no longer have the log. I've pressed on and installed manually which included the updated feeds package. However I think it may be another caching issue for the online version of the bundlesdependency, it doesnt show an entry for the updated feeds package when I open it, at least for me in the UK. Thanks.

There was an issue that I spoke with Priyank on the CFML slack channel and he manually did a CDN purge and spoke with the team that handles the bundles json. 

After that I was able to get the update and the feed package to update through the CF administrator. He was also going to open an internal ticket with the web team to see what happened and to prevent it in the future.

This *might* be resolved for you now since they did the CDN purge.

Wow, so that pretty clearly points the finger DIRECTLY at some cache Adobe controls (unless this was helped by some other amazingly coincidental change they did not perform).

If it's the former, then we not only want to cry out for them to "fix this" in a way that better resolves it going forward, but they should implement some sort of check that runs (perhaps from multiple worldwide locations), which confirms that it gets whatever is expected foe the current update--and for EACH of the files updated and downloaded by the update process.

Can you ask this of whoever you're interacting with? 

More data points on the Feed package issue. I'm running ColdFusion 2021 on Rocky Linux 8. I have the Feed package installed. There was not an indicator that the Feed package needed an update, only the Core Server reported the update notification. I applied the update last night via the CF Administrator in our dev environement and noticed that the Feed package was uninstalled during the update and it was not reinstalled.

From our log files:

Sep 10, 2025 16:32:30 PM Information [main] - Uninstalling the package feed
Sep 10, 2025 16:32:30 PM Information [main] - Uninstalling the package rome-cf-1.0
Sep 10, 2025 16:32:30 PM Information [main] - Uninstalling the package jdom-1.1.1
...
Sep 10, 2025 16:32:33 PM Information [main] - feed package will not be deployed as it is not installed.

I reinstalled the Feed package from the CF Administrator. However, the version numbers didn't seem to change.

However, the files in the bundles directory show two of the listed versions above (missing 2021.0.0.323925) and a new 2021.0.22.330451 version.

<cfroot>/bundles/feed-2021.0.02.328618.jar
<cfroot>/bundles/feed-2021.0.05.330109.jar
<cfroot>/bundles/feed-2021.0.22.330451.jar

Critic, I'll confirm I saw that also--on one cf2025 machine (only one, among a few cf2025 updates I've done since yesterday).

FWIW, I found that the files in question were identified first as missing in errors shown during the cf startup (after the update) in the coldfusion-out.log. Then I also saw them listed as files REMOVED by the update itself, as tracked in the hotfixfilelist.log, found in the hf-updates folder for that cf update. These removed files matched those listed as missing in the startup.

And like you, I "put them back" in the cf bundles/repo, as they were saved during the update in the hf-updates folder for the update, in its backup/bundles folder. Then the restart showed no errors in the coldfusion-out.log. 

It's not clear to me now why this would have happened on that one server and not the other cf2025 (nor cf2023 or cf2021) instances I updated, when they all were installed with the same (Windows) installer, each having all packages implemented, and each updated when a new update came out.

Just sharing those distinctives, if it may help others looking into it. Until then, hope the steps I offer may help someone.