• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
3

[RELEASED] ColdFusion 2018/2021/2023 July 19 Security Updates

Adobe Employee ,
Jul 19, 2023 Jul 19, 2023

Copy link to clipboard

Copied

We are pleased to announce that we have released the updates for the following ColdFusion versions:
In these updates, we’ve fixed a few critical security bugs mentioned in the security bulletin, APSB23-47.
For more information, see the tech notes below:
Please update your ColdFusion versions and provide us with your valuable feedback.

Views

702

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Jul 19, 2023 Jul 19, 2023

Copy link to clipboard

Copied

Can we get the exact time today that this new patch was released please?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jul 19, 2023 Jul 19, 2023

Copy link to clipboard

Copied

That's a curious question, which I've honestly never seen asked. In case they're slow (or may opt not) to reply, can you elaborate on your motivation? Are you assessing the timing relative to some other resource? Or relative to a vuln you found? I realize you may prefer NOT to say why you ask, but perhaps you won't mind, and it is something curious. 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Jul 19, 2023 Jul 19, 2023

Copy link to clipboard

Copied

I was trying to establish an timeline of how long after the update was released I had installed it.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Participant ,
Jul 19, 2023 Jul 19, 2023

Copy link to clipboard

Copied

FWIW, I got an email notification from the Adobe security mailing list at 1:47 PM ET today (July 19)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jul 19, 2023 Jul 19, 2023

Copy link to clipboard

Copied

Ok, as if perhaps someone on your end is judging how quickly (or slowly) you applied the update. Wow, tough taskmasters. We'll see what Adobe may say.

 

As for being notified asap, not that there are a couple ways to at least know as soon as reasonably possible. (I've been writing a post on this, but being interrupted by these and the Java update yesterday).

 

So first, note that the Adobe security team offers a page to signup and get notified by email. That's at https://www.adobe.com/subscription/adbeSecurityNotifications.html

 

And FWIW, I got my email from them today at 147p us eastern.

 

The other way is to configure the cf admin updates page, and its "settings" tab, where you can enter the mail server and email address info. But that is not likely as timely, because it runs from within cf.. I'm not sure what triggers it checking. It may be upon cf restart or someone logging into the cf admin.

 

Again, I planned to find such details before I'd post on this matter. 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jul 19, 2023 Jul 19, 2023

Copy link to clipboard

Copied

Fwiw, Paul's reply shows having arrived 47 seconds before mine. That's what I get for offering more than just the one answer for a question asked. 🙂 As always, just trying to help. 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Jul 25, 2023 Jul 25, 2023

Copy link to clipboard

Copied

Has anyone else had issue running Java 11.0.20 with ColdFusion2018/2021. 

The appplication functions but when I try to download Adobe Hotfix updates I get

Error occurred while installing the update:
Failed Signature verification

 When manually download the hotfix and try to apply it via command line I get this 

ColdFusion2018\cfusion\hf-updates>java -jar hotfix-017-330143.jar
Error: An unexpected error occurred while trying to open file hotfix-017-330143.jar

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Jul 26, 2023 Jul 26, 2023

Copy link to clipboard

Copied

LATEST

Thanks Charlie your post explaining how to use command line install of the CF update, adding that new arg (like I'd added to CF's JVM args), before the -jar arg pointing to the update jar. worked.

 

An example of doing that, for CF2021 update 9 (Windows users should be sure to use "run as admin" in opening the command line):

 

java -Djdk.util.zip.disableZip64ExtraFieldValidation=true -jar hotfix-009-330148.jar

Sure enough, it worked, allowing the update to run. (If you may never have yet run the CF update jar this way, it presents a series of a couple of screen walking one through the CF update process.)

 

ref: Beware you can't download or install CF updates via the CF Admin after Jul 2023 JVM update - Charlie...

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Jul 20, 2023 Jul 20, 2023

Copy link to clipboard

Copied

Adobe should urgently clarify which Java versions are secure and which are not (for CF 2018, 2021, and 2023).

 

The website https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html#downloads3 lists 17.0.7 and 11.0.19 as the latest versions. However, 17.0.8 and 11.0.20 have already been released.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jul 20, 2023 Jul 20, 2023

Copy link to clipboard

Copied

Marv, while you await their reply, let me offer some thoughts (as one who spends my day helping people with these matters).

 

FWIW, this situation is not new (nor quite as drastic as you may reasonably fear).

 

First, yes, the new jvm updates came out on Tuesday the 18th (and I blogged about them that day, to share that news for those who may follow/subscribe to carehart.org/blog. I also tweet news of my posts and share them on Facebook and Linkedin).

 

And second, yes, Adobe for some reason has nearly always dragged their feet in getting that latest Java update into that download page of theirs. I don't understand it, as the Java update dates are scheduled and quarterly (yes, even these "critical patch" updates as Oracle calls them). The next is Oct 17, as indicated here

 

Third (and as I note in my posts about them), one CAN just get the jvm from Oracle directly, for free. I've compared the binaries with what's posted on the Adobe site, and they're identical.

 

Fourth, as for "what jvm update" we should use with CF to be "most secure," what they clarify is that you should be on the latest update for the jvm version that your cf version supports. That apsb mention of that then points to the support matrix for each cf version, which indicates that (currently), cf2021 and cf2018 support only Java 11, while cf2023 alone supports only Java 17.

 

Finally, as for this latest Java update of this week, I'll note that the Oracle security bulletin for it indicates that each is "difficult to exploit", as in quoted also in my post. So despite the general warning that Adobe makes, it seems it may not be QUITE as urgent to be on that update as you are reading it to be.

 

Still, I get it: when it comes to security, some will WANT to be as secure as possible, while others will feel they MUST be. (And some want to hear only from the vendor, not anyone else.) 

 

So could Adobe make all this still more clear and explicit? I suppose so. They don't. 

 

And I'm replying here not to disagree with you, but to help you and others both now and for each subsequent update. It simply seems that our cries for improvement are not being heeded, despite asking again and again. And some Adobe folks cower behind "security being something they can't talk about", to just let these issues linger, it seems. It's really dismaying, but it is what it is.

 

So I post what I do (about each cf and Java update) to help, and to serve the community.. As the saying goes, it's better to light one candle than to curse the darkness.

 

I appreciate your question, and until they reply I hope this is helpful, sincerely. 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Jul 20, 2023 Jul 20, 2023

Copy link to clipboard

Copied

Question: ColdFusion 2021 Update 8 was detected 7/18/23. Why has the Update 8 not been detected this morning. How soon can it be available for detection? Thanks.

I use this way in my ColdFusion Administrator: In Package Manager > Packages, click Check for Updates in Core Server.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Jul 20, 2023 Jul 20, 2023

Copy link to clipboard

Copied

Correction to my post: 

Why has the Update 9 not been detected this morning.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation