[RELEASED] ColdFusion 2018/2021/2023 July 19 Security Updates

Adobe Employee, Jul 19, 2023

We are pleased to announce that we have released the updates for the following ColdFusion versions:
In these updates, we’ve fixed a few critical security bugs mentioned in the security bulletin, APSB23-47.
For more information, see the tech notes below:
Please update your ColdFusion versions and provide us with your valuable feedback.

Explorer, Jul 19, 2023

Can we get the exact time today that this new patch was released please?

Community Expert, Jul 19, 2023

That's a curious question, which I've honestly never seen asked. In case they're slow (or may opt not) to reply, can you elaborate on your motivation? Are you assessing the timing relative to some other resource? Or relative to a vuln you found? I realize you may prefer NOT to say why you ask, but perhaps you won't mind, and it is something curious. 


/Charlie (troubleshooter, carehart.org)

Explorer, Jul 19, 2023

I was trying to establish a timeline of how long after the update was released I had installed it.

Participant, Jul 19, 2023

FWIW, I got an email notification from the Adobe security mailing list at 1:47 PM ET today (July 19)

Community Expert, Jul 19, 2023

Ok, as if perhaps someone on your end is judging how quickly (or slowly) you applied the update. Wow, tough taskmasters. We'll see what Adobe may say.

As for being notified asap, note that there are a couple ways to at least know as soon as reasonably possible. (I've been writing a post on this, but being interrupted by these and the Java update yesterday).

So first, note that the Adobe security team offers a page to sign up and get notified by email. That's at https://www.adobe.com/subscription/adbeSecurityNotifications.html

And FWIW, I got my email from them today at 1:47p US Eastern.

The other way is to configure the cf admin updates page, and its "settings" tab, where you can enter the mail server and email address info. But that is not likely as timely, because it runs from within cf. I'm not sure what triggers it checking. It may be upon cf restart or someone logging into the cf admin.

Again, I planned to find such details before I'd post on this matter.


/Charlie (troubleshooter, carehart.org)

Community Expert, Jul 19, 2023

Fwiw, Paul's reply shows having arrived 47 seconds before mine. That's what I get for offering more than just the one answer for a question asked. 🙂 As always, just trying to help. 


/Charlie (troubleshooter, carehart.org)

New Here, Jul 25, 2023

Has anyone else had an issue running Java 11.0.20 with ColdFusion 2018/2021?

The application functions, but when I try to download Adobe Hotfix updates I get:

Error occurred while installing the update:
Failed Signature verification

When I manually download the hotfix and try to apply it via command line I get this:

ColdFusion2018\cfusion\hf-updates>java -jar hotfix-017-330143.jar
Error: An unexpected error occurred while trying to open file hotfix-017-330143.jar

New Here, Jul 26, 2023

Thanks, Charlie. Your post explaining how to use the command-line install of the CF update, adding that new arg (like I'd added to CF's JVM args) before the -jar arg pointing to the update jar, worked.

An example of doing that, for CF2021 update 9 (Windows users should be sure to use "run as admin" in opening the command line):

java -Djdk.util.zip.disableZip64ExtraFieldValidation=true -jar hotfix-009-330148.jar

Sure enough, it worked, allowing the update to run. (If you may never have yet run the CF update jar this way, it presents a series of a couple of screens walking one through the CF update process.)

 

ref: Beware you can't download or install CF updates via the CF Admin after Jul 2023 JVM update - Charlie...
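
The version check implied by the workaround above, as an added example that is not part of the original posts or of Adobe's tooling: a POSIX shell helper that reads the first line of java -version output and prints the update command with or without the flag. It assumes the ZIP64 check first appears in 11.0.20 (the build named in this thread) and in 17.0.8; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: choose the command line for a ColdFusion update jar
# according to the JVM in use. Function names are hypothetical.
ZIP64_FLAG='-Djdk.util.zip.disableZip64ExtraFieldValidation=true'

# Pull the dotted version (e.g. 11.0.20) out of the first line of
# `java -version` output, which looks like: java version "11.0.20" ...
parse_java_version() {
    printf '%s\n' "$1" | sed -n '1s/^[^"]*"\([0-9][0-9.]*\).*/\1/p'
}

# Print yes/no/unknown. Assumption: the ZIP64 check starts at 11.0.20
# on the Java 11 line and 17.0.8 on the Java 17 line.
needs_zip64_flag() {
    major=${1%%.*}
    rest=${1#*.}
    if [ "$rest" = "$1" ]; then rest=0.0; fi   # bare "11" means 11.0.0
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$patch" = "$rest" ]; then patch=0; fi
    patch=${patch%%.*}
    case $major in
        11) first=20 ;;
        17) first=8 ;;
        *)  echo unknown; return 0 ;;
    esac
    if [ "${minor:-0}" -gt 0 ] || [ "${patch:-0}" -ge "$first" ]; then
        echo yes
    else
        echo no
    fi
}

# Print (do not run) the command for update jar $1, given the text of
# `java -version` in $2.
update_command() {
    ver=$(parse_java_version "$2")
    case $(needs_zip64_flag "$ver") in
        yes) echo "java $ZIP64_FLAG -jar $1" ;;
        no)  echo "java -jar $1" ;;
        *)   echo "# Java '$ver' is not covered by this check" ;;
    esac
}

# Constructed sample lines, not captured from a real host. On a server:
#   update_command hotfix-009-330148.jar "$(java -version 2>&1)"
SAMPLE_NEW='java version "11.0.20" 2023-07-18 LTS'
SAMPLE_OLD='java version "11.0.19" 2023-04-18 LTS'
update_command hotfix-009-330148.jar "$SAMPLE_NEW"
update_command hotfix-009-330148.jar "$SAMPLE_OLD"
```

The helper only prints the command, so the output can be reviewed before anything is run from an elevated prompt.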

New Here, Jul 20, 2023

Adobe should urgently clarify which Java versions are secure and which are not (for CF 2018, 2021, and 2023).

 

The website https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#downloads3 lists 17.0.7 and 11.0.19 as the latest versions. However, 17.0.8 and 11.0.20 have already been released.

Community Expert, Jul 20, 2023

Marv, while you await their reply, let me offer some thoughts (as one who spends my day helping people with these matters).

 

FWIW, this situation is not new (nor quite as drastic as you may reasonably fear).

 

First, yes, the new jvm updates came out on Tuesday the 18th (and I blogged about them that day, to share that news for those who may follow/subscribe to carehart.org/blog. I also tweet news of my posts and share them on Facebook and Linkedin).

 

And second, yes, Adobe for some reason has nearly always dragged their feet in getting that latest Java update into that download page of theirs. I don't understand it, as the Java update dates are scheduled and quarterly (yes, even these "critical patch" updates as Oracle calls them). The next is Oct 17, as indicated here

 

Third (and as I note in my posts about them), one CAN just get the jvm from Oracle directly, for free. I've compared the binaries with what's posted on the Adobe site, and they're identical.

 

Fourth, as for "what jvm update" we should use with CF to be "most secure," what they clarify is that you should be on the latest update for the jvm version that your cf version supports. That apsb mention of that then points to the support matrix for each cf version, which indicates that (currently), cf2021 and cf2018 support only Java 11, while cf2023 alone supports only Java 17.

 

Finally, as for this latest Java update of this week, I'll note that the Oracle security bulletin for it indicates that each is "difficult to exploit", as is quoted also in my post. So despite the general warning that Adobe makes, it seems it may not be QUITE as urgent to be on that update as you are reading it to be.

 

Still, I get it: when it comes to security, some will WANT to be as secure as possible, while others will feel they MUST be. (And some want to hear only from the vendor, not anyone else.) 

 

So could Adobe make all this still more clear and explicit? I suppose so. They don't. 

 

And I'm replying here not to disagree with you, but to help you and others both now and for each subsequent update. It simply seems that our cries for improvement are not being heeded, despite asking again and again. And some Adobe folks cower behind "security being something they can't talk about", to just let these issues linger, it seems. It's really dismaying, but it is what it is.

 

So I post what I do (about each cf and Java update) to help, and to serve the community. As the saying goes, it's better to light one candle than to curse the darkness.

 

I appreciate your question, and until they reply I hope this is helpful, sincerely. 


/Charlie (troubleshooter, carehart.org)

New Here, Jul 20, 2023

Question: ColdFusion 2021 Update 8 was detected 7/18/23. Why has the Update 8 not been detected this morning? How soon can it be available for detection? Thanks.

I use this way in my ColdFusion Administrator: In Package Manager > Packages, click Check for Updates in Core Server.

New Here, Jul 20, 2023

Correction to my post: 

Why has the Update 9 not been detected this morning?
