We are pleased to announce that we have released the updates for the following ColdFusion versions:
In this release, we've addressed some security vulnerabilities and added the following JVM flags to that effect.
For more information, see the tech notes below:
These updates fix security vulnerabilities that are mentioned in the security bulletin, APSB23-25.
The Docker images will be hosted shortly on Docker Hub.
Please update your ColdFusion versions and provide us your valuable feedback.
To folks reading this: I will say that in my own opinion this security fix is far more important than the wording of this announcement above suggests and even than the update technotes would suggest. To be clear, I HAVE personally seen both the "arbitrary code execution" and "arbitrary file system read" vulnerabilities having been perpetrated on multiple servers, and it IS grave (I am one of the folks listed on the APSB as having reported the issues).
I will have a blog post soon with more: not on how to perpetrate the hack, but what was possible, how to determine if someone may have performed it successfully on your server(s), and finally how folks on CF2016 and 11 can defend against it (as it affects them as well, but Adobe no longer offers updates for them. And of course, I always warn them also to get OFF those old unsupported versions.)
When I do offer that post (hopefully later today), I will add a link here.
Has anyone else run into the PDF w/encryption bug that gives a 500 error with an "org/bouncycastle/asn1/DEREncodable" error in the log? I updated from Update 4 to Update 6 and now any attempt to generate a PDF with encryption fails.
This bug tracker matches the issue but the fix suggested by Brian B was not available as the value was not in my java.security file. https://tracker.adobe.com/#/view/CF-4216050
I have requested the patch file but have not heard back. Any idea how long it should take to get a reply/patch link?
Oops... should have been a new post not a reply to Charlie.. Sorry!
Patch was delivered fast... about 1 hour, and it worked. Thanks!
We got the hotfix also for the secure pdfs, but now the cfpdfform tag doesn't work. Trying to reopen my support case...
After installing Update 6 on ColdFusion 2021 via the offline steps, I was prompted with a message saying "The administrator module is not installed" and asking me to install the administrator package via the CLI package manager.
I never had this happen on the last 5 updates of CF 2021. Is this expected with this update?
Further to this, when actually attempting to reinstall the administrator package I receive the following from the cfpm:
Your neo-updates xml suggests a local custom dependency json, and the error suggests an error possibly parsing either the filepath or its contents.
I was following the offline installation instructions and confirmed that the folder I provided did have all the appropriate files contained within the zip file that is available for download. The path I provided to the neo-updates.xml was using the exact same format as I used for Update 5, just in an Update_6 folder instead of an Update_5 folder.
One thing I did notice is that the zip package files had a different file structure:
Update 5 package
Update 6 package
I had pulled the bundles directory out of the hotfix-packages-cf2021-006-330132 folder and used that when doing the update. Maybe it is expecting to maintain the hotfix-packages-cf2021-006-330132/bundles/* path?
No, that's not a feature or bug unique to this update. It has happened to some people with past cf2021 updates. Are you saying you've done the other updates manually, the same way? If not, what's changed on your end?
Look at the update log. Any errors?
I have done all my 2021 updates via the offline method, this is due to the server in question not being able to access the public internet. I saw nothing in the update logs that indicated a problem and the process I followed was the exact same as in past updates as outlined by Adobe. However, this is the first time that I have had the administrator interface break like that.
Even after uninstalling and rolling back updates to the neo_updates.xml file I was unable to get the administrator interface back and had to restore from snapshot.
Neochad, in case you (or any future reader) may be following this threaded UI, you might not readily notice that Priyank offered this morning a reply for you in another thread here--with news of a NEW version of the update to address your issue.
Here's a direct link to his reply. Often the comments in reply to posts about cf updates can become numerous and hard to keep up with.
Finally, I will say again that I'd seen the problem you reported with past updates. So while the fix for this one has now been offered, there must have been some other (perhaps similar) issue with prior updates. Maybe they even slipped in a new version like they did this time. We'd not know unless a discussion indicated it, or one was comparing those md5 hashes like he mentioned in his reply here.
The instructions state to:
- copy over "CF_SCRIPTS/scripts/ajax" scripts (if mapped)
- reinstall any custom hotfixes located in the folder /ColdFusion2021/cfusion/hf-updates/hf-2021-00006-330132/backup/lib/updates
We found a single file in the backup location. Any idea what "chf20210005.jar" is for? There's no metadata within the JAR file to explain its purpose and a Google search isn't returning anything useful. Is there any resource (official or unofficial) that identifies CF hotfixes?
James, that's the update 5 jar. Do not recover that.
This wording by Adobe is simply sloppy. You should only recover jars that are a) not the chf jar like that and also b) for bug fixes not now included in the update, or other past updates. (The jars it's referring to would be any added manually in the past, when a bug had a fix that required installing that jar--BEFORE some later update included the fix.)
To be clear, none of this is new or unique to this update, nor even to cf2021. Hope that may help you and others.
Thanks!
That's what I'd guess too. I haven't had to install many CF2021 hotfixes, so I wasn't sure.
I'm a little surprised that the instructions didn't consider that the last update would be in this directory, that no tech articles regarding the name of this JAR file exist (er, except for this post if it is indexed in the near future) and the JAR file contains no metadata to identify itself. I use many 3rd-party JARs and most of them provide identifying data within the /META-INF/MANIFEST.MF file.
That is your Update 5 jar. The instruction mentions "custom", meaning anything you may have manually placed, and hence are liable to remember.
WRT the aforementioned jar, a simple check in the similar folders for older updates would indicate the same pattern repeated. Every update backs up the content it replaces.
Hi All,
We figured out a problem with the bundlesdependecy.json file, which I have corrected, and uploaded the package again. Here is the latest checksum - 6c918247c08b4d9fe5e8f2fdd4f8487e
Please roll back the update and then try with this package on your offline server.
I can confirm that the new offline package successfully updates and the administrator interface is maintained after the update.
Good to hear it solved things for you, Neochad. But on a related note...
I helped someone today who had had a similar challenge running that manual update for CF2021 Update 6, from last night. They found the new update from this morning did fix most problems--but he still found the CF Admin not working. Some may have seen that, where it redirects to a page called /CFIDE/adminnotinstalled.cfm. Of course, after re-running the update or correcting any problems, do be sure to change that back to the normal /CFIDE/administrator/index.cfm and try again. We did, and it still failed. More than that, we confirmed in the coldfusion-out.log that during startup the admin package (alone) was not installed.
So we just had him go to cfusion/bin and (as admin) run "cfpm install administrator", then it worked: he could get to the admin, again after changing the failed admin URL, /CFIDE/adminnotinstalled.cfm, to instead /CFIDE/administrator/index.cfm. So easy to forget that!
FWIW, I've done other installs of the update from within the CF2021 admin and did NOT have this problem. It seems some facet of the manual install. Neochad didn't hit it, which is great to hear. But since someone else did, I wanted to share this for those folks.
I've finally gotten done the blog post I had planned on this update and the vuln/hack, including what could happen, what to do about it, and lots more.
Does anyone else still have an issue with cf-logging.jar? I am on ColdFusion 2018 and have applied all updates up to the latest release, Update 16. The Tenable scanner is still flagging cf-logging.jar as vulnerable - is there any solution for this?
Many thanks
Do I still need to apply this after updating from ColdFusion 2021 Update 4 to Update 6?
Solved: Coldfusion 2021 Update 5 breaks xml - Adobe Support Community - 13265555
Yes.
Thank you Charlie. Do you also know if we have already applied Update 5 along with the xml patch if we need to re-apply that patch after upgrading to Update 6?