Community Manager
March 14, 2023
Question

RELEASED - ColdFusion 2021 and 2018 March 2023 Security Updates

  • March 14, 2023
  • 8 replies
  • 7270 views

We are pleased to announce that we have released the updates for the following ColdFusion versions:

In this release, we've addressed some security vulnerabilities and added the following JVM flags to that effect.

  • -Dcoldfusion.cfclient.enable=true/false
  • -Dcoldfusion.cfclient.allowNonCfc=true/false

For more information, see the tech notes below:

These updates fix security vulnerabilities that are mentioned in the security bulletin, APSB23-25.


The Docker images will be hosted shortly on Docker Hub.

Please update your ColdFusion versions and provide us your valuable feedback.


    Charlie Arehart
    Community Expert
    May 13, 2023

    GPA, it's not clear why you're wanting to reiterate the points you've made, but to be clear, the very first link in the post (and in the quote you offer) is in fact a page which lists ALL CF2021 updates, not just update 6.


    Also the technotes for each update list the link for downloading the update itself, if that was another reason for your writing. 


    Like you (I sense), I'm just trying to help. 

    /Charlie (troubleshooter, carehart. org)
    New Participant
    April 11, 2023

    We installed CF 2021 Update 6 via offline steps. The install completed successfully, CF services are running and we can log in to the CF Admin page. However, the version number in the Summary Information shows 2021,0,0,330132, not the correct 06, and it gives an error when clicking on the Package Manager page. All other pages in CF Admin are working. Is anyone seeing the same, or does anyone know how to resolve this?

    Thanks!


    Charlie Arehart
    Community Expert
    April 11, 2023

    Tuan, you should always look at the update install log (whether an update seems to have "worked" or not). That log is created whether you run the installer manually as you did, or from the CF Admin.

    I suspect you will find there was 1 or more "fatalerrors" or "nonfatalerrors". For more on finding the log, and finding that count of "successes" and errors, see a post I did. In it, I also address common causes and solutions to such errors.


    You can try to report here what you may see (but I hope you'll try first to understand and resolve them before doing so, as it can be challenging resolving such problems in comment threads here). Certainly if you may see there are 0 fatal or nonfatal errors reported, that will be interesting to hear.


    If there are in fact 0 errors reported (please don't presume that's the case, but check), I would recommend you look separately at the coldfusion-out.log and coldfusion-error.log files, watching specifically what they report during the startup of CF, to see if there are any errors at that time. 

    /Charlie (troubleshooter, carehart. org)
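    As an added illustration of the check Charlie describes (reading the update install log for its counts of successes, non-fatal errors and fatal errors), here is a small parser. This is example code, not Adobe's installer code or anything from the post; it assumes the log ends in an InstallAnywhere-style summary block with lines such as "1126 Successes" and "0 FatalErrors", and the sample log it runs on is constructed for the example. The log path, when you use it on a real server, is whatever your update's hf-updates folder contains.

```python
"""Summarise a ColdFusion update install log by its success/error counts.

Added example, not code from Adobe or from the post above. It assumes the
InstallAnywhere-style summary block ("NNN Successes", "N NonFatalErrors",
"N FatalErrors") that the post refers to; the sample below is constructed.
"""
import re
from pathlib import Path

# Constructed sample of the summary block this example expects to find.
SAMPLE_LOG = """\
Summary
-------

Installation: Successful with errors.

1126 Successes
0 Warnings
2 NonFatalErrors
0 FatalErrors

Action Notes:
    (details of each action would follow here in a real log)
"""

# One count line: a number followed by one of the four summary labels.
COUNT_RE = re.compile(
    r"^\s*(\d+)\s+(Successes|Warnings|NonFatalErrors|FatalErrors)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

# Counts that must be present for the summary to be considered complete.
REQUIRED = ("successes", "nonfatalerrors", "fatalerrors")


def parse_summary(text):
    """Return {label: count} for every summary count line found in text."""
    return {label.lower(): int(num) for num, label in COUNT_RE.findall(text)}


def check_install_log(text):
    """Classify a log as 'clean', 'errors' or 'no-summary'.

    'no-summary' means the counts were not found at all, which usually
    means the installer stopped before writing its summary; that deserves
    a look at the rest of the log rather than being treated as success.
    """
    counts = parse_summary(text)
    missing = [k for k in REQUIRED if k not in counts]
    if missing:
        return {"status": "no-summary", "counts": counts, "missing": missing}
    errors = counts["nonfatalerrors"] + counts["fatalerrors"]
    return {
        "status": "clean" if errors == 0 else "errors",
        "counts": counts,
        "errors": errors,
    }


def check_install_log_file(path):
    """Same check for a log on disk; the path is supplied by the caller."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return check_install_log(text)


if __name__ == "__main__":
    result = check_install_log(SAMPLE_LOG)
    print(result["status"], result["counts"])
```

    A status of "errors" is the cue to open the log and read the action notes for the failing steps before restarting CF or reporting the problem; "clean" is the case where the coldfusion-out.log and coldfusion-error.log become the next place to look.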
    New Participant
    March 28, 2023

    Do I still need to apply this after updating from ColdFusion 2021 Update 4 to Update 6?

    Solved: Coldfusion 2021 Update 5 breaks xml - Adobe Support Community - 13265555

    Charlie Arehart
    Community Expert
    March 28, 2023

    Yes. 

    /Charlie (troubleshooter, carehart. org)
    New Participant
    March 28, 2023

    Thank you Charlie. Do you also know if we have already applied Update 5 along with the xml patch if we need to re-apply that patch after upgrading to Update 6?

    New Participant
    March 20, 2023

    Has anyone else still had issues with cf-logging.jar? I am on ColdFusion 2018 and have applied all updates up to the latest release, Update 16. The Tenable scanner is still flagging cf-logging.jar as vulnerable. Is there any solution for this?

    Many thanks

    Charlie Arehart
    Community Expert
    March 17, 2023

    I've finally gotten done the blog post I had planned on this update and the vuln/hack, including what could happen, what to do about it, and lots more.

    /Charlie (troubleshooter, carehart. org)
    James Moberg
    Inspiring
    March 15, 2023

    The instructions state to:
    - copy over "CF_SCRIPTS/scripts/ajax" scripts (if mapped)
    - reinstall any custom hotfixes located in the folder /ColdFusion2021/cfusion/hf-updates/hf-2021-00006-330132/backup/lib/updates

    We found a single file in the backup location. Any idea what "chf20210005.jar" is for? There's no metadata within the JAR file to explain its purpose and a Google search isn't returning anything useful. Is there any resource (official or unofficial) that identifies CF hotfixes?

    Charlie Arehart
    Community Expert
    March 15, 2023

    James, that's the update 5 jar. Do not recover that.


    This wording by Adobe is simply sloppy. You should only recover jars that are a) not the chf jar like that and also b) for bug fixes not now included in the update, or other past updates. (The jars it's referring to would be any added manually in the past, when a bug had a fix that required installing that jar--BEFORE some later update included the fix.)


    To be clear, none of this is new or unique to this update, nor even to cf2021. Hope that may help you and others. 

    /Charlie (troubleshooter, carehart. org)
    James Moberg
    Inspiring
    March 15, 2023

    Thanks!

    That's what I'd guess too. I haven't had to install many CF2021 hotfixes, so I wasn't sure.

    I'm a little surprised that the instructions didn't consider that the last update would be in this directory, that no tech articles regarding the name of this JAR file exist (er, except for this post if it is indexed in the near future) and the JAR file contains no metadata to identify itself.  I use many 3rd-party JARs and most of them provide identifying data within the /META-INF/MANIFEST.MF file.
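    To show the kind of check James is describing (reading /META-INF/MANIFEST.MF, and falling back to a hash when a jar carries nothing that identifies it), here is an added example. It is not code from Adobe or from anyone in this thread, and the two jars it builds are constructed in memory for illustration; they are not the chf20210005.jar discussed above, whose actual contents this example knows nothing about. The sha256 it reports is what you would compare against a known-good copy or a vendor-supplied hash when the manifest is silent.

```python
"""Inspect a JAR's manifest and hash so an unidentified jar can be recognised.

Added example, not code from Adobe or from the post above. The jars built
below are constructed in memory purely for illustration.
"""
import hashlib
import io
import zipfile

MANIFEST_PATH = "META-INF/MANIFEST.MF"
# Manifest attributes that normally say what a jar is and which version.
IDENTIFYING_KEYS = (
    "Implementation-Title",
    "Implementation-Version",
    "Specification-Title",
    "Bundle-SymbolicName",
)


def build_sample_jar(manifest_text=None):
    """Construct a tiny jar in memory, with or without a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if manifest_text is not None:
            zf.writestr(MANIFEST_PATH, manifest_text)
        # Placeholder class entry: only the class-file magic number,
        # enough for the listing below to count it as a class.
        zf.writestr("com/example/Placeholder.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def parse_manifest(raw):
    """Parse the main section of a manifest into {key: value}.

    A line starting with a space continues the previous value (the
    manifest format wraps long values that way); the first blank line
    ends the main section, so per-entry sections are not read.
    """
    attrs = {}
    last_key = None
    for line in raw.splitlines():
        if not line.strip():
            break
        if line.startswith(" ") and last_key is not None:
            attrs[last_key] += line[1:]
            continue
        if ":" in line:
            key, value = line.split(":", 1)
            last_key = key.strip()
            attrs[last_key] = value.strip()
    return attrs


def describe_jar(data):
    """Return sha256, class count, manifest and any identifying attributes."""
    digest = hashlib.sha256(data).hexdigest()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        manifest = {}
        if MANIFEST_PATH in names:
            raw = zf.read(MANIFEST_PATH).decode("utf-8", "replace")
            manifest = parse_manifest(raw)
    identity = {k: manifest[k] for k in IDENTIFYING_KEYS if k in manifest}
    return {
        "sha256": digest,
        "classes": sum(1 for n in names if n.endswith(".class")),
        "manifest": manifest,
        "identity": identity,
        # False means: nothing in the manifest says what this jar is,
        # so the hash is the only handle you have on it.
        "identified": bool(identity),
    }


if __name__ == "__main__":
    labelled = build_sample_jar(
        "Manifest-Version: 1.0\nImplementation-Title: demo-lib\n"
        "Implementation-Version: 1.2.3\n"
    )
    for blob in (labelled, build_sample_jar(None)):
        info = describe_jar(blob)
        print(info["identified"], info["identity"], info["sha256"][:16])
```

    Run against a real file, `describe_jar(open(path, "rb").read())` is the whole call; an "identified" of False with a sha256 that matches the jar shipped by a previous update is exactly the situation Charlie describes, where the file is a superseded update jar and should not be restored.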

    Inspiring
    March 15, 2023

    After installing Update 6 on ColdFusion 2021 via the offline steps, I was prompted with a message saying "The administrator module is not installed" and asking me to install the administrator package via the CLI package manager.

    I never had this happen on the last 5 updates of CF 2021. Is this expected with this update?

    Inspiring
    March 15, 2023

    Further to this, when actually attempting to reinstall the administrator package I receive the following from the cfpm:


    Adobe Employee
    March 15, 2023

    Your neo-updates xml suggests a local custom dependency json, and the error suggests an error possibly parsing either the filepath or its contents.

    Charlie Arehart
    Community Expert
    March 14, 2023

    To folks reading this: I will say that in my own opinion this security fix is far more important than the wording of this announcement above suggests and even than the update technotes would suggest. To be clear, I HAVE personally seen both the "arbitrary code execution" and "arbitrary file system read" vulnerabilities having been perpetrated on multiple servers, and it IS grave (I am one of the folks listed on the APSB as having reported the issues).

    I will have a blog post soon with more: not on how to perpetrate the hack, but what was possible, how to determine if someone may have performed it successfully on your server(s), and finally how folks on CF2016 and 11 can defend against it (as it affects them as well, but Adobe no longer offers updates for them. And of course, I always warn them also to get OFF those old unsupported versions.)


    When I do offer that post (hopefully later today), I will add a link here.

    /Charlie (troubleshooter, carehart. org)
    New Participant
    March 16, 2023

    Has anyone else run into PDF w/encryption bug that 500 errors with a "org/bouncycastle/asn1/DEREncodable" error in the log?  I updated from update 4 to update 6 and now any attempt to generate a PDF with encryption fails. 

    This bug tracker matches the issue but the fix suggested by Brian B was not available as the value was not in my java.security file. https://tracker.adobe.com/#/view/CF-4216050
    I have requested the patch file but have not heard back.  Any idea how long it should take to get a reply/patch link?

    New Participant
    March 16, 2023

    Oops... should have been a new post not a reply to Charlie.. Sorry!