
RELEASED- ColdFusion 2021 and 2018 March 2023 Security Updates

Adobe Employee, Mar 14, 2023

We are pleased to announce that we have released the updates for the following ColdFusion versions:

 

In this release, we've addressed some security vulnerabilities and added the following JVM flags to that effect.

  • -Dcoldfusion.cfclient.enable=true/false
  • -Dcoldfusion.cfclient.allowNonCfc=true/false

 

For more information, see the tech notes below:

 

These updates fix security vulnerabilities that are mentioned in the security bulletin, APSB23-25.

 

The Docker images will be hosted shortly on Docker Hub.

Please update your ColdFusion versions and provide us your valuable feedback.

Community Expert, Mar 28, 2023

Well, which "xml patch" are you referring to? That thread you pointed to discussed a problem one could have going to update 5, where certain xml errors could occur. And the accepted answer discussed a need to clear the cfclasses folder, to resolve a Java class problem due to Adobe changes regarding xml processing in update 5 (and u15 of cf2018).

 

That's what I meant WOULD need to be done for that problem if skipping update 5.

 

There is ALSO in the update's technote a JVM arg added for SOME xml processing that can break after update 5 (or 15). That TOO is still needed if you skip update 5 (or 15).

 

But I don't know what "patch" you may mean, if something else. Can you clarify? 


/Charlie (troubleshooter, carehart.org)

New Here, Mar 28, 2023

Sorry that is the patch according to the article I mentioned. We have some servers already on Update 5 with the XML patch and JVM argument set. If we apply Update 6 to these servers then would we need to re-apply the XML and JVM arg?

Community Expert, Mar 30, 2023

Again, yes. More specifically, when a CF update has added a new jvm arg in the past (where the arg allows you to change some new default value which the new arg in that update is implementing), then that arg has continued to need to be added with all subsequent updates to that version, and sometimes even to new versions that come out, if you want to change that new arg to the non-default value.


/Charlie (troubleshooter, carehart.org)
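An added example (not from the thread or from Adobe): since the flags in the announcement, and any arguments introduced by earlier updates, have to stay in place across updates, this script reads a jvm.config and reports which expected -D flags are missing or set differently on the active java.args line. The EXPECTED values and the sample file contents are assumptions made up for illustration.

```python
# Added example: audit the active java.args line of a ColdFusion jvm.config.

# Intended values for the flags named in the announcement. These are a
# hypothetical site baseline chosen for illustration, not values from the page.
EXPECTED = {
    "coldfusion.cfclient.enable": "false",
    "coldfusion.cfclient.allowNonCfc": "false",
}

# Constructed jvm.config content (paths and memory settings are made up).
SAMPLE_JVM_CONFIG = "\n".join([
    "# VM configuration",
    "java.home=/opt/coldfusion/jre",
    "#java.args=-server -Dcoldfusion.cfclient.allowNonCfc=false",
    "java.args=-server -Xms256m -Xmx1024m"
    " -Dcoldfusion.cfclient.enable=true -Dcoldfusion.cfclient.enable=false",
])


def effective_props(config_text):
    """Return {name: value} for each -D flag on uncommented java.args lines."""
    props = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("java.args="):
            continue  # skips comments ("#java.args=...") and other keys
        for token in line[len("java.args="):].split():
            if token.startswith("-D"):
                name, _, value = token[2:].partition("=")
                props[name] = value  # repeated -D: the JVM uses the later value
    return props


def audit(config_text, expected=EXPECTED):
    """List (flag, found, wanted) for every flag that is absent or differs."""
    props = effective_props(config_text)
    findings = []
    for name, wanted in expected.items():
        found = props.get(name)
        if found is None:
            findings.append((name, "missing", wanted))
        elif found.lower() != wanted.lower():
            findings.append((name, found, wanted))
    return findings


if __name__ == "__main__":
    for flag, found, wanted in audit(SAMPLE_JVM_CONFIG):
        print(f"{flag}: found {found}, expected {wanted}")
```

Running it against the jvm.config of each instance before and after applying an update shows whether an argument was dropped or only exists on a commented-out line.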

Community Beginner, Apr 11, 2023

We installed CF 2021 Update 6 via offline steps. The install completed successfully, CF services are running and we can log in to the CF Admin page. However, the version number in the Summary Information shows 2021,0,0,330132, not the correct 06, and gives an error when we click on the Package Manager page. All other pages on CF Admin are working. Is anyone seeing the same, or does anyone know how to resolve this?

 

Thanks!

 

Community Expert, Apr 11, 2023

Tuan, you should always look at the update install log (whether an update seems to have "worked" or not). That log is created whether you run the installer manually as you did, or from the CF Admin.

 

I suspect you will find there was 1 or more "fatalerrors" or "nonfatalerrors". For more on finding the log, and finding that count of "successes" and errors, see a post I did. In it, I also address common causes and solutions to such errors.

 

You can try to report here what you may see (but I hope you'll try first to understand and resolve them before doing so, as it can be challenging resolving such problems in comment threads here). Certainly if you may see there are 0 fatal or nonfatal errors reported, that will be interesting to hear.

 

If there are in fact 0 errors reported (please don't presume that's the case, but check), I would recommend you look separately at the coldfusion-out.log and coldfusion-error.log files, watching specifically what they report during the startup of CF, to see if there are any errors at that time. 


/Charlie (troubleshooter, carehart.org)

Community Expert, May 13, 2023

GPA, it's not clear why you're wanting to reiterate the points you've made, but to be clear, the very first link in the post (and in the quote you offer) is in fact a page which lists ALL CF2021 updates, not just update 6.

 

Also the technotes for each update list the link for downloading the update itself, if that was another reason for your writing. 

 

Like you (I sense), I'm just trying to help. 


/Charlie (troubleshooter, carehart.org)
