Community Manager
October 11, 2022

RELEASED- ColdFusion 2021 and 2018 October Security Updates


UPDATE 10/19/2022: Added information about refreshed installers. Thank you @Charlie Arehart for this.

We are pleased to announce that we have released the updates for the following ColdFusion versions:

In these updates, we’ve fixed a few security and feature-specific bugs, along with other libraries. We’ve also introduced support for M1 macOS.

We've also refreshed ColdFusion 2021 installers. You can find the refreshed installers on the ColdFusion downloads page.

For more information, see the tech notes below:

NOTE: After applying this update, you must reinstall any custom hotfixes that might have been applied earlier. The hotfixes for ColdFusion 2021 Update 4 are located in the folder, /ColdFusion2021/cfusion/hf-updates/hf-2021-00005-330109/backup/lib/updates.

These updates fix security vulnerabilities that are mentioned in the security bulletin, APSB22-44.

The Docker images will be hosted shortly on Docker Hub.

Please update your ColdFusion versions and provide us your valuable feedback.

8 replies

Brian__
Participating Frequently
November 9, 2022

I haven't seen all of the XML-related security updates and new options that are available to ColdFusion functions after APSB22-44 pulled together and documented anywhere, so I wound up doing just that in a blog post -- https://hoyahaxa.blogspot.com/2022/11/on-coldfusion-xxe-and-other-xml-attacks.html

You can now add protection against XXE (XML eXternal Entities) attacks in xmlSearch() and xmlTransform() in ACF, but need to do so with a minor code change. isXML() and xmlParse() already supported this, but not all of the Adobe function documentation has been updated yet.

With some details on XSLT/xmlTransform() errors and Lucee info too!

Known Participant
October 29, 2022

I will be honest. Never had more issues with these updates. CF2021 feels like it's a beta or even alpha build and we are paying to be the testers.

Participant
October 29, 2022

Is there a work-around to re-enable View/Download/Delete log files in the Administrator/Console? Being able to view application errors in the Console/Administrator made troubleshooting easier.

Charlie Arehart
Community Expert
January 29, 2023

Mpinets, you'd asked in Oct here about the removal of the log viewer in the admin. I don't see any reply, but I can point you to another thread which came up here a few days later, and I'd seen and responded to that with a discussion and solution to consider:

https://community.adobe.com/t5/coldfusion-discussions/log-files-page-in-coldfusion-administrator/m-p/13319752#M193683

/Charlie (troubleshooter, carehart. org)
Inspiring
October 21, 2022

Regarding 2021,0,05,330109 again and the issue with XmlTransform:

"Unable to process the XML string as it could probably contain file paths.", which is a result of this change in update 5:

"If the XML path contains a forward slash or backslash, it will be blocked. The flag, coldfusion.xml.allowPathCharacters, must be set to true to allow the same."

I have seen this issue mentioned here and here, but the only solution provided is to add an argument to a config file to solve it. Unfortunately, this is not acceptable, as the underlying security bulletin points to this vulnerability and the IT staff at my organization will not accept the workaround because of the security implications.

Separately, I have been trying to figure out what is wrong with our code that would return this error and I honestly think it is a false positive. For instance, if I reduce the code down to the simplest possible form, the error still occurs - i.e.:

XMLTransform("<record></record>", "<xsl:stylesheet xmlns:xsl=""mynamespace""></xsl:stylesheet>")

Note that I even removed the xsl namespace declaration and, also, tried it with objects returned from CFXML - the error persists. Is the update possibly interpreting the / in the tags themselves as malicious?

Please advise.

Thanks,
Eric Johnson

Inspiring
October 21, 2022

Actually, I think that this was the vulnerability I meant to post. Or, is it both CWE-22 AND CWE-611?  Unsure - but either way, we want to make an effort to be safe in regards to both.

Brian__
Participating Frequently
October 21, 2022

Hi Eric,

I'm the external person who reported this vulnerability to Adobe and can provide a little more information.

I believe this item ("Unable to process the XML string as it could probably contain file paths") is being tracked as CVE-2022-42340. (They're both similar, but the other one -- CVE-2022-42341 -- is a straightforward lack of protection for XXE. I may blog more about that one in the future.)

As far as I'm aware, CVE-2022-42340 is limited to an XSLT injection against XMLTransform(). You are correct that the current patch appears to break/return that error for / or \ characters anywhere in an XSL stylesheet, including your example of the closing </xsl:stylesheet> tag. I've brought this to Adobe's attention and mentioned it here: https://twitter.com/hoyahaxa/status/1581261198187958272

I don't want to speak or provide guidance in terms of absolute security, but if your application calls to XMLTransform() are not consuming XSL stylesheets that can be provided by/controlled by the user or other untrusted sources, exploitation of this vulnerability may be unlikely or impractical.

And it goes without saying that any additional context, insights, or support from Adobe on this supersedes the above. 🙂

Brian

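To make the false positive Eric and Brian describe concrete, here is an added Python model of the check as the thread reports it (an illustration written for this page, not Adobe's code and not how ColdFusion implements the check), run over constructed sample stylesheets: a check that rejects any slash or backslash anywhere in the stylesheet text trips on every well-formed stylesheet, because the closing </xsl:stylesheet> tag and the conventional root template match="/" both contain one. A second, scoped check that only inspects xsl:include/xsl:import hrefs and document() calls is shown for contrast, as an illustration of where an XSLT processor would actually open a file path.

```python
import re
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
PATH_CHARS = re.compile(r"[/\\]")

# Constructed sample stylesheets: Eric's minimal one from the thread, an
# ordinary one with the usual root template, and one that really names a file.
ERIC_STYLESHEET = '<xsl:stylesheet xmlns:xsl="mynamespace"></xsl:stylesheet>'
PLAIN_STYLESHEET = (
    f'<xsl:stylesheet version="1.0" xmlns:xsl="{XSL_NS}">'
    '<xsl:template match="/"><out><xsl:value-of select="record/name"/></out>'
    "</xsl:template></xsl:stylesheet>"
)
INCLUDE_STYLESHEET = (
    f'<xsl:stylesheet version="1.0" xmlns:xsl="{XSL_NS}">'
    '<xsl:include href="/opt/app/xsl/common.xsl"/></xsl:stylesheet>'
)


def naive_path_check(stylesheet: str) -> bool:
    """Model of the behaviour reported in the thread: block the stylesheet if a
    slash or backslash appears anywhere in its text (an assumption about the
    check, made only to reproduce the symptom)."""
    return PATH_CHARS.search(stylesheet) is not None


def scoped_path_check(stylesheet: str) -> list:
    """Illustrative contrast: report path characters only where an XSLT
    processor would actually open a file or URI, i.e. xsl:include/xsl:import
    href attributes and document() calls, ignoring markup and XPath syntax."""
    findings = []
    for el in ET.fromstring(stylesheet).iter():
        local = el.tag.rsplit("}", 1)[-1]
        if el.tag in (f"{{{XSL_NS}}}include", f"{{{XSL_NS}}}import"):
            href = el.get("href", "")
            if PATH_CHARS.search(href):
                findings.append(f"{local} href={href!r}")
        for attr, value in el.attrib.items():
            if "document(" in value:
                findings.append(f"document() in {local}/@{attr}={value!r}")
    return findings


if __name__ == "__main__":
    for name, xsl in [("eric", ERIC_STYLESHEET), ("plain", PLAIN_STYLESHEET),
                      ("include", INCLUDE_STYLESHEET)]:
        print(name, "naive:", naive_path_check(xsl), "scoped:", scoped_path_check(xsl))
```

Eric's stylesheet and the plain one are rejected by the text-wide check solely because of the `/` in their closing tag and root template, while only the third one references a file path.
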
Inspiring
October 19, 2022

New error with XmlSearch after installing 2021,0,05,330109 :

coldfusion.runtime.CFPage.XmlSearch(Lcoldfusion/xml/XmlNodeList;Ljava/lang/String;)Ljava/lang/Object; null

Example of code that generates error:

<cfset nodeList = XmlSearch(xmlDoc, "//my_node_path")>

Thanks,
-Eric Johnson

Community Manager
October 19, 2022

Hi @ej401 Please clear the classes in <CF_HOME>/instance/wwwroot/WEB-INF/cfclasses.

Inspiring
October 19, 2022

Thanks @Saurav_Ghosh - when combined with a restart of the CF services, this appears to have corrected the issue.

-Eric Johnson

Participating Frequently
October 13, 2022

CF application service not starting up after update on two different Windows servers. Just sits on "starting" and times out after the 240-second timeout.

Service starts ok after uninstalling the update (running update 4).

Charlie Arehart
Community Expert
October 13, 2022

Fwiw, I've installed this latest update to both 2018 and 2021 on multiple machines (from different previous update versions) without incident, so I'd say there's not some generic problem with them.

But as for your problem, which I know is real and dismaying for you, here's some potentially good news: the update install (and uninstall) process has a log. And that log should help understand if anything is amiss with the installing of the update.

I have a blog post with more detail on finding the update log, finding the key info IN the update log, and some suggestions of common problems and solutions. See:

https://www.carehart.org/blog/2016/9/6/solve_common_problems_with_CF_updates_in_10_and_above

Let us know if that may help, and if not, what errors (if any) are reported there? Also:

  • Are you on cf2021 or 2018?
  • What update did you have implemented before this one?
  • What OS is this? Ah, right, you said windows. 
  • If you go to the command line (as admin on windows), and cd to cf's cfusion/bin folder, then type cfstart (as sudo if on linux/macos), what is reported about the startup there?
  • If running cf on windows, is the cf service running as local system or some user created to run cf?
  • Had you applied the cf autolockdown tool? Or had you done any lockdown steps previously, for this cf instance?


I realize you hoped for answers rather than questions. Unless someone has those based on solely what you have shared, I hope these answers may help me or others get you working again. 

/Charlie (troubleshooter, carehart. org)
Participating Frequently
October 13, 2022

Hi Charlie, thank you for the reply. I wouldn't call it dismaying, just.... puzzling... I've been installing and patching CF since 9 and I can count on one hand how many times an update has failed, certainly never on 2 servers.

There is no mention of any error or failure in the update install log.

To answer your questions:

1) CF2021
2) Update 4
3) Windows Server 2019
4) I have not tried this, I will as soon as I get a chance
5) CF service runs as its own user with all the required permissions
6) yes, lockdown steps were applied.

Participating Frequently
October 12, 2022

Thank you for fixing the QOQ issues. If this tests out, I may be able to use CF2021 in production.

Charlie Arehart
Community Expert
October 12, 2022

Petera, FWIW, note that you should have been able to solve the q of q problems (in prod) BEFORE the update, using the fix jar mentioned in comments above. Bummer if folks may have felt held back until now. Of course, it can be hard for folks to keep up with all the info shared by Adobe and in the community.

Hope the update works well for you.

/Charlie (troubleshooter, carehart. org)
Participating Frequently
October 13, 2022

Charlie,

This release fixed 3 other QOQ bugs returning null pointers beyond the first one fixed in the hf201800-4212383.jar.

CF-4212384 (Database): In Update 2 of ColdFusion 2021, when including an ORDER BY clause in a QoQ and the column is referenced by an integer, a NullPointerException occurs.
CF-4212383 (Database): After applying ColdFusion 2021 Update 2, when using an ORDER BY clause in a QoQ, the fields in the ORDER BY clause become case-sensitive, and a duplicate column gets added in the result.
CF-4212380 (Database): A QoQ containing the Union and Order by clauses throws an error, getColumnType() Null.

jeffh65754959
Inspiring
October 11, 2022

Looking at the fixes included in this CF 2018 update, it appears that the hf201800-4212383.jar for QofQ fixes is possibly no longer needed.  Is that correct?

Priyank Shrivastava.
Community Manager
October 11, 2022

Hi @jeffh65754959

You are right, that is no longer needed. Simply install the update and it will take care of the QoQ fix.

Thanks, Priyank Shrivastava
Participant
October 12, 2022

Thank you Adobe for finally putting in several hotfixes in this update!!