RELEASED: ColdFusion 2021 and 2018 March 2023 Security Updates

Adobe Employee, Mar 14, 2023

We are pleased to announce that we have released the updates for the following ColdFusion versions:

 

In this release, we've addressed some security vulnerabilities and added the following JVM flags to that effect.

  • -Dcoldfusion.cfclient.enable=true/false
  • -Dcoldfusion.cfclient.allowNonCfc=true/false

 

For more information, see the tech notes below:

 

These updates fix security vulnerabilities that are mentioned in the security bulletin, APSB23-25.

 

The Docker images will be hosted shortly on Docker Hub.

Please update your ColdFusion versions and provide us your valuable feedback.

Views: 5.9K
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
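
The two JVM flags named in the announcement can be audited directly in jvm.config. The following Python script is an added example (not Adobe's code and not part of the announcement): it parses the java.args= line of a jvm.config file and reports the state of each cfclient flag. It assumes the java.args= line layout that ColdFusion's jvm.config uses, runs here against a constructed sample rather than a real server's file, and reports a flag as "unset" rather than assuming any default when the flag is absent.

```python
import re
import sys
from typing import Dict, List

# Constructed sample of a jvm.config file (not taken from any real server).
SAMPLE_JVM_CONFIG = """\
# jvm.config (constructed sample)
java.home=/opt/coldfusion2021/jre
java.args=-server -Xms256m -Xmx1024m -Dcoldfusion.home={application.home} -Dcoldfusion.cfclient.enable=false -Dcoldfusion.cfclient.allowNonCfc=false -XX:+UseParallelGC
"""

# The two flags introduced by the March 2023 update, as listed in the announcement.
CFCLIENT_FLAGS = (
    "coldfusion.cfclient.enable",
    "coldfusion.cfclient.allowNonCfc",
)


def parse_java_args(config_text: str) -> Dict[str, str]:
    """Return the -D system properties set on the java.args= line of jvm.config.

    Comment lines are skipped; {} is returned when no java.args= line exists.
    """
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("#") or not line.startswith("java.args="):
            continue
        args = line[len("java.args="):]
        props: Dict[str, str] = {}
        # -Dname=value or bare -Dname (value recorded as empty string)
        for m in re.finditer(r"-D([^\s=]+)(?:=(\S*))?", args):
            props[m.group(1)] = m.group(2) if m.group(2) is not None else ""
        return props
    return {}


def audit_cfclient_flags(config_text: str) -> Dict[str, str]:
    """Map each cfclient flag to its lower-cased value, or 'unset' if absent."""
    props = parse_java_args(config_text)
    result: Dict[str, str] = {}
    for flag in CFCLIENT_FLAGS:
        value = props.get(flag)
        result[flag] = "unset" if value is None else value.strip().lower()
    return result


def findings(config_text: str) -> List[str]:
    """One line per flag: OK when explicitly false, REVIEW otherwise."""
    out: List[str] = []
    for flag, state in audit_cfclient_flags(config_text).items():
        if state == "false":
            out.append(f"OK      {flag}={state}")
        elif state == "unset":
            out.append(f"REVIEW  {flag} is not set on java.args; set it explicitly after applying the update")
        else:
            out.append(f"REVIEW  {flag}={state}; leave cfclient enabled only if an application needs it")
    return out


if __name__ == "__main__":
    # usage: python audit_cfclient.py [path/to/jvm.config]; without a path the constructed sample is used
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_JVM_CONFIG
    for line in findings(text):
        print(line)
```

Point the script at the live file (typically cfusion/bin/jvm.config under the ColdFusion install root) after applying the update and again after any later edit to java.args, since a later change to the line can silently drop the flags.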
Community Expert, Mar 14, 2023

To folks reading this: I will say that in my own opinion this security fix is far more important than the wording of this announcement above suggests and even than the update technotes would suggest. To be clear, I HAVE personally seen both the “arbitrary code execution” and “arbitrary file system read” vulnerabilities having been perpetrated on multiple servers, and it IS grave (I am one of the folks listed on the APSB as having reported the issues).

 

I will have a blog post soon with more: not on how to perpetrate the hack, but what was possible, how to determine if someone may have performed it successfully on your server(s), and finally how folks on CF2016 and 11 can defend against it (as it affects them as well, but Adobe no longer offers updates for them. And of course, I always warn them also to get OFF those old unsupported versions.)

 

When I do offer that post (hopefully later today), I will add a link here.


/Charlie (troubleshooter, carehart.org)

Community Beginner, Mar 16, 2023

Has anyone else run into the PDF-with-encryption bug that 500-errors with an "org/bouncycastle/asn1/DEREncodable" error in the log? I updated from Update 4 to Update 6 and now any attempt to generate a PDF with encryption fails.

This bug tracker matches the issue but the fix suggested by Brian B was not available as the value was not in my java.security file. https://tracker.adobe.com/#/view/CF-4216050
I have requested the patch file but have not heard back.  Any idea how long it should take to get a reply/patch link?

Community Beginner, Mar 16, 2023

Oops... should have been a new post not a reply to Charlie.. Sorry!

 

Community Beginner, Mar 16, 2023

Patch was delivered fast... about 1 hour, and it worked. Thanks!

New Here, May 18, 2023

We got the hotfix also for the secure PDFs, but now the cfpdfform tag doesn't work. Trying to reopen my support case...

Explorer, Mar 14, 2023

After installing Update 6 on ColdFusion 2021 via the offline steps, I was prompted with a message saying "The administrator module is not installed" and asking me to install the administrator package via the CLI package manager.

 

I never had this happen on the last 5 updates of CF 2021. Is this expected with this update?

Explorer, Mar 14, 2023

Further to this, when actually attempting to reinstall the administrator package I receive the following from the cfpm:

 

cfpm_output.jpg

Adobe Employee, Mar 14, 2023

Your neo-updates XML suggests a local custom dependency JSON, and the error suggests a problem, possibly in parsing either the file path or its contents.

Explorer, Mar 14, 2023

I was following the offline installation instructions and confirmed that the folder I provided did have all the appropriate files contained within the zip file that is available for download. The path I provided to the neo-updates.xml was using the exact same format as I used for Update 5, just in an Update_6 folder instead of an Update_5 folder.

 

One thing I did notice is that the zip package files had a different file structure:

 

Update 5 package

update_5_root_folder.jpg

 

Update 6 package

neochad_0-1678850226123.png

 

I had pulled the bundles directory out of the hotfix-packages-cf2021-006-330132 folder and used that when doing the update. Maybe it is expecting to maintain the hotfix-packages-cf2021-006-330132/bundles/* path?

Community Expert, Mar 14, 2023

No, that's not a feature or bug unique to this update. It has happened to some people with past cf2021 updates. Are you saying you've done the other updates manually, the same way? If not, what's changed on your end? 

 

Look at the update log. Any errors? 


/Charlie (troubleshooter, carehart.org)

Explorer, Mar 14, 2023

I have done all my 2021 updates via the offline method, this is due to the server in question not being able to access the public internet. I saw nothing in the update logs that indicated a problem and the process I followed was the exact same as in past updates as outlined by Adobe. However, this is the first time that I have had the administrator interface break like that.

 

Even after uninstalling and rolling back updates to the neo_updates.xml file I was unable to get the administrator interface back and had to restore from snapshot.

Community Expert, Mar 15, 2023

Neochad, in case you (or any future reader) may be following this threaded UI, you might not readily notice that Priyank offered this morning a reply for you in another thread here--with news of a NEW version of the update to address your issue.

 

Here's a direct link to his reply. Often the comments in reply to posts about cf updates can become numerous and hard to keep up with.

 

Finally, I will say again that I'd seen the problem you reported with past updates. So while the fix for this one has now been offered, there must have been some other (perhaps similar) issue with prior updates. Maybe they even slipped in a new version like they did this time. We'd not know unless a discussion indicated it, or one was comparing those MD5 hashes like he mentioned in his reply here.


/Charlie (troubleshooter, carehart.org)

Enthusiast, Mar 14, 2023

The instructions state to:
- copy over "CF_SCRIPTS/scrips/ajax" scripts (if mapped)
- reinstall any custom hotfixes located in the folder /ColdFusion2021/cfusion/hf-updates/hf-2021-00006-330132/backup/lib/updates

We found a single file in the backup location. Any idea what "chf20210005.jar" is for? There's no metadata within the JAR file to explain its purpose and a Google search isn't returning anything useful. Is there any resource (official or unofficial) that identifies CF hotfixes?

Community Expert, Mar 14, 2023

James, that's the update 5 jar. Do not recover that.

 

This wording by Adobe is simply sloppy. You should only recover jars that are a) not the chf jar like that and also b) for bug fixes not now included in the update, or other past updates. (The jars it's referring to would be any added manually in the past, when a bug had a fix that required installing that jar--BEFORE some later update included the fix.)

 

To be clear, none of this is new or unique to this update, nor even to cf2021. Hope that may help you and others. 


/Charlie (troubleshooter, carehart.org)

Enthusiast, Mar 14, 2023

Thanks!

That's what I'd guess too. I haven't had to install many CF2021 hotfixes, so I wasn't sure.

I'm a little surprised that the instructions didn't consider that the last update would be in this directory, that no tech articles regarding the name of this JAR file exist (er, except for this post if it is indexed in the near future) and the JAR file contains no metadata to identify itself.  I use many 3rd-party JARs and most of them provide identifying data within the /META-INF/MANIFEST.MF file.

Adobe Employee, Mar 14, 2023

That is your update 5 jar. The instruction mentions "custom" meaning anything you may have manually placed.. and hence are liable to remember.

WRT the aforementioned jar, a simple check in the similar folders for older updates would indicate the same pattern repeated. Every update backs up the content it replaces.
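To make the backup/lib/updates check discussed in James's question and the two replies concrete, here is an added example (not Adobe's tooling and not from any poster in this thread). It lists the jars in that backup folder, separates Adobe's own update jars from anything else that could be a manually placed hotfix, and reads META-INF/MANIFEST.MF where one exists so a custom jar can identify itself. The chf + eight digits naming pattern is inferred from the single example on this page (chf20210005.jar) and is an assumption; the sample directory, the jar contents and the name hf-example-custom.jar are constructed for the demonstration.

```python
import re
import sys
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List

# Assumption: Adobe's update jars follow chf<year><update>.jar, e.g. chf20210005.jar = CF2021 Update 5.
UPDATE_JAR = re.compile(r"^chf\d{8}\.jar$", re.IGNORECASE)


def manifest_summary(jar_path) -> Dict[str, str]:
    """Return the main-section attributes of META-INF/MANIFEST.MF, or {} if absent/unreadable."""
    try:
        with zipfile.ZipFile(jar_path) as z:
            if "META-INF/MANIFEST.MF" not in z.namelist():
                return {}
            text = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return {}
    attrs: Dict[str, str] = {}
    for line in text.splitlines():
        # continuation lines start with a space; only parse "Name: value" lines
        if ":" in line and not line.startswith(" "):
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def classify_backup_jars(backup_dir) -> Dict[str, str]:
    """Map each *.jar in backup/lib/updates to 'update-jar' (leave alone) or 'custom-candidate' (review)."""
    result: Dict[str, str] = {}
    for jar in sorted(Path(backup_dir).glob("*.jar")):
        result[jar.name] = "update-jar" if UPDATE_JAR.match(jar.name) else "custom-candidate"
    return result


def report(backup_dir) -> List[str]:
    """Human-readable verdict per jar, using manifest data to name custom candidates."""
    lines: List[str] = []
    for name, kind in classify_backup_jars(backup_dir).items():
        if kind == "update-jar":
            lines.append(f"SKIP    {name}: previous ColdFusion update jar, do not restore")
        else:
            m = manifest_summary(Path(backup_dir) / name)
            ident = m.get("Implementation-Title") or m.get("Bundle-Name") or "(no identifying manifest attribute)"
            lines.append(f"REVIEW  {name}: {ident}; restore only if it fixes a bug not yet included in an update")
    return lines


def constructed_sample_dir() -> str:
    """Build a temp folder imitating backup/lib/updates with one constructed update jar and one constructed custom jar."""
    d = tempfile.mkdtemp()
    with zipfile.ZipFile(Path(d) / "chf20210005.jar", "w") as z:
        z.writestr("placeholder.txt", "constructed update jar, no manifest")
    with zipfile.ZipFile(Path(d) / "hf-example-custom.jar", "w") as z:  # hypothetical name
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nImplementation-Title: constructed custom hotfix\r\n")
    return d


if __name__ == "__main__":
    # usage: python list_backup_jars.py [path/to/hf-updates/<update>/backup/lib/updates]
    target = sys.argv[1] if len(sys.argv) > 1 else constructed_sample_dir()
    for line in report(target):
        print(line)
```

Run it against the backup/lib/updates folder of the update you just applied; anything reported as REVIEW is the set of jars the instructions' "custom hotfixes" wording actually refers to, and the manifest title (when a vendor bothered to include one) is the quickest way to tell what each one was for.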

Adobe Employee, Mar 15, 2023

Hi All,

 

We figured out a problem with the bundlesdependecy.json file, which I have corrected, and uploaded the package again. Here is the latest checksum: 6c918247c08b4d9fe5e8f2fdd4f8487e

https://cfdownload.adobe.com/pub/adobe/coldfusion/2021/packages/hotfix-packages-cf2021-006-330132.zi... 

Please roll back the update and then try with this package on your offline server.

 

Thanks,
Priyank Shrivastava
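Priyank's reply gives an MD5 checksum for the re-uploaded package, and comparing it before installing is what distinguishes the corrected package from the earlier one. As an added example (not Adobe's code and not from any poster here), the following Python script verifies a downloaded offline package against that published value and refuses to proceed on a mismatch. The only data it contains from the thread is the published checksum; the empty placeholder file it creates for its self-check is constructed, and the script name in the usage comment is hypothetical.

```python
import hashlib
import os
import sys
import tempfile

# MD5 posted in this thread for the re-uploaded CF2021 Update 6 offline package.
PUBLISHED_MD5 = "6c918247c08b4d9fe5e8f2fdd4f8487e"


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through MD5 so a large hotfix package never has to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(path: str, expected_md5: str) -> bool:
    """True only when the file exists and its MD5 equals the published value (case-insensitive)."""
    if not os.path.isfile(path):
        return False
    return md5_of_file(path) == expected_md5.strip().lower()


def check_download(path: str, expected_md5: str = PUBLISHED_MD5) -> str:
    """One-line verdict suitable as a gating step in an offline update runbook."""
    if verify_package(path, expected_md5):
        return f"MATCH    {path}: checksum equals the published value; proceed with the offline update"
    return f"MISMATCH {path}: checksum differs from {expected_md5}; re-download before installing"


def constructed_sample_file() -> str:
    """Create an empty placeholder file (constructed, not a real hotfix) and return its path."""
    fd, path = tempfile.mkstemp(suffix=".zip")
    os.close(fd)
    return path


if __name__ == "__main__":
    # usage: python check_hotfix_md5.py <downloaded zip> [<expected md5>]
    target = sys.argv[1]
    expected = sys.argv[2] if len(sys.argv) > 2 else PUBLISHED_MD5
    verdict = check_download(target, expected)
    print(verdict)
    sys.exit(0 if verdict.startswith("MATCH") else 1)
```

The non-zero exit on mismatch is deliberate so the check can sit in front of the manual update steps and stop them. Note what this proves: the file on disk is byte-for-byte the package whose checksum Adobe posted, which is exactly what separates the corrected package from the earlier one. MD5 is not a signature, so the value has to come from a trusted channel (here, Adobe's post) rather than from alongside the download itself.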

Explorer, Mar 15, 2023

I can confirm that the new offline package successfully updates and the administrator interface is maintained after the update.

Community Expert, Mar 15, 2023

Good to hear it solved things for you, Neochad. But on a related note...

 

I helped someone today who had had a similar challenge running that manual update for CF2021 Update 6, from last night. They found the new update from this morning did fix most problems--but he still found the CF Admin not working. Some may have seen that, where it redirects to a page called /CFIDE/adminnotinstalled.cfm. Of course, after re-running the update or correcting any problems, do be sure to change that back to the normal /CFIDE/administrator/index.cfm and try again. We did, and it still failed. More than that, we confirmed in the coldfusion-out.log that during startup the admin package (alone) was not installed.

 

So we just had him go to the cfusion/bin and (as admin) ran "cfpm install administrator", then it worked: he could get to the admin, again after changing the failed admin URL, /CFIDE/adminnotinstalled.cfm, to instead /CFIDE/administrator/index.cfm. So easy to forget that!

 

FWIW, I've done other installs of the update from within the CF2021 admin and did NOT have this problem. It seems some facet of the manual install. Neochad didn't hit it, which is great to hear. But since someone else did, I wanted to share this for those folks.


/Charlie (troubleshooter, carehart.org)

Community Expert, Mar 17, 2023

I've finally gotten done the blog post I had planned on this update and the vuln/hack, including what could happen, what to do about it, and lots more.


/Charlie (troubleshooter, carehart.org)

New Here, Mar 20, 2023

Does anyone else still have an issue with cf-logging.jar? I am on ColdFusion 2018 and have applied all updates up to the latest release, Update 16. The Tenable scanner is still flagging cf-logging.jar as vulnerable; is there any solution for this?

 

Many thanks

New Here, Mar 28, 2023

Do I still need to apply this after updating from ColdFusion 2021 Update 4 to Update 6?

Solved: Coldfusion 2021 Update 5 breaks xml - Adobe Support Community - 13265555

Community Expert, Mar 28, 2023

Yes. 


/Charlie (troubleshooter, carehart.org)

New Here, Mar 28, 2023

Thank you Charlie. Do you also know if we have already applied Update 5 along with the xml patch if we need to re-apply that patch after upgrading to Update 6?
