
RELEASED- ColdFusion 2021 and 2018 October Security Updates

Adobe Employee, Oct 11, 2022

UPDATE 10/19/2022: Added information about refreshed installers. Thank you @Charlie Arehart for this.

 

We are pleased to announce that we have released the updates for the following ColdFusion versions:

 

In these updates, we’ve fixed a few security and feature-specific bugs, along with other libraries. We’ve also introduced support for M1 macOS.

 

We've also refreshed ColdFusion 2021 installers. You can find the refreshed installers on the ColdFusion downloads page.

 

For more information, see the tech notes below:

 

NOTE: After applying this update, you must reinstall any custom hotfixes that might have been applied earlier. The hotfixes for ColdFusion 2021 Update 4 are located in the folder, /ColdFusion2021/cfusion/hf-updates/hf-2021-00005-330109/backup/lib/updates.

 

These updates fix security vulnerabilities that are mentioned in the security bulletin,  APSB22-44.

 

The Docker images will be hosted shortly on Docker Hub.

Please update your ColdFusion versions and provide us your valuable feedback.

TOPICS
Getting started , Security

Views

4.3K

Explorer, Oct 11, 2022

Looking at the fixes included in this CF 2018 update, it appears that the hf201800-4212383.jar for QofQ fixes is possibly no longer needed.  Is that correct?

Adobe Employee, Oct 11, 2022

Hi @jeffh65754959 


You are right, that is no longer needed. Simply install the update and it will take care of the QoQ fix.

 

Thanks,
Priyank Shrivastava

New Here, Oct 12, 2022

Thank you Adobe for finally putting in several hotfixes in this update!!

Adobe Employee, Oct 12, 2022

Thank you, @marktb

Let us know your feedback.

Community Beginner, Oct 12, 2022

Thank you for fixing the QOQ issues. If this tests out, I may be able to use CF2021 in production.

Community Expert, Oct 12, 2022

Petera, FWIW, note that you should have been able to solve the q of q problems (in prod) BEFORE the update, using the fix jar mentioned in comments above. Bummer if folks may have felt held back until now. Of course, it can be hard for folks to keep up with all the info shared by Adobe and in the community.

 

Hope the update works well for you. 


/Charlie (troubleshooter, carehart.org)

Community Beginner, Oct 13, 2022

Charlie,

This release fixed 3 other QOQ bugs returning null pointers beyond the first one fixed in the hf201800-4212383.jar.

  • CF-4212384 (Database): In Update 2 of ColdFusion 2021, when including an ORDER BY clause in a QoQ and the column is referenced by an integer, a NullPointerException occurs.
  • CF-4212383 (Database): After applying ColdFusion 2021 Update 2, when using an ORDER BY clause in a QoQ, the fields in the ORDER BY clause becomes case sensitive, and a duplicate column gets added in the result.
  • CF-4212380 (Database): A QoQ containing the Union and Order by clauses throws an error, getColumnType() Null.

 

Community Expert, Oct 13, 2022

Yes, but in my experience the past year, only the one jar was needed to fix them. Even if more than one may have been needed, my point was simply that one wouldn't have needed to wait for this update to get the fix to any bug--if indeed Adobe offered a fix jar for it.

 

If you're feeling that somehow your qofq bug was not fixed by any that was offered, I will understand your relief with this one. I just wasn't aware of any qofq bugs that were NOT fixed by that or other jars, made available several months ago. 

 

Still, I am of course very glad that they've finally rolled them into one update, for the sake of those who either didn't know of them or were hassled trying to implement them. 


/Charlie (troubleshooter, carehart.org)

Adobe Employee, Oct 13, 2022

You are right Charlie, we merged all these fixes in one jar and shared them with users. 

Thanks,
Priyank Shrivastava

New Here, Oct 12, 2022

Cf application service not starting up after update on two different windows servers. Just sits on "starting" and times out after 240 second timeout.

Service starts ok after uninstalling the update (running update 4)

 

Community Expert, Oct 12, 2022

Fwiw, I've installed this latest update to both 2018 and 2021 on multiple machines (from different previous update versions) without incident, so I'd say there's not some generic problem with them.

 

But as for your problem, which I know is real and dismaying for you, here's some potentially good news: the update install (and uninstall) process has a log. And that log should help understand if anything is amiss with the installing of the update.

 

I have a blog post with more detail on finding the update log, finding the key info IN the update log, and some suggestions of common problems and solutions. See:

 

https://www.carehart.org/blog/2016/9/6/solve_common_problems_with_CF_updates_in_10_and_above

 

Let us know if that may help, and if not, what errors (if any) are reported there? Also:

  • Are you on cf2021 or 2018?
  • What update did you have implemented before this one?
  • What OS is this? Ah, right, you said windows. 
  • If you go to the command line (as admin on windows), and cd to cf's cfusion/bin folder, then type cfstart (as sudo if on linux/macos), what is reported about the startup there?
  • If running cf on windows, is the cf service running as local system or some user created to run cf?
  • Had you applied the cf autolockdown tool? Or had you done any lockdown steps previously, for this cf instance?

 

I realize you hoped for answers rather than questions. Unless someone has those based on solely what you have shared, I hope these answers may help me or others get you working again. 


/Charlie (troubleshooter, carehart.org)

New Here, Oct 13, 2022

Hi Charlie, thank you for the reply. I wouldn't call it dismaying, just.... puzzling... I've been installing patching CF since 9 and I can count on one hand how many times an update has failed, certainly never on 2 servers.

There is no mention of any error or failure in the update install log.

To answer your questions:

1) CF2021

2) Update 4

3) windows server 2019

4) I have not tried this, I will as soon as I get a chance

5) cf service runs as its own user with all the required permissions

6) yes, lockdown steps were applied.

Community Expert, Oct 13, 2022

Ok, Bog. So your response to my point about trying to start cf from the command line will be especially valuable, when you can try it again.

 

Also, until then, do the other cf logs show ANYTHING during the startup then? If you only uninstalled the update, they will still be there for you to check now.

 

There may be nothing (but do check), as some startup issues DO in fact cause cf to log nothing in its logs. But that's where you should see more from a cmdline cf start.

 

Finally, you say you had applied "lockdown steps", so you're confirming you did not do the autolockdown tool, right? Given that we can't know then what you did, it's certainly possible you did something that's causing this.

 

Can you confirm first if you had done those BEFORE your prior update 4? And had YOU done update 4, or had someone else? (They may have taken some step to temporarily allow the update to run with some lockdown aspect reverted.)

 

And can you confirm you'd restarted cf since either such lockdown steps and since doing update 4? That may seem obvious, but it's worth asking.

 

Finally, you say you're running cf as a user you created (with "all permissions"). Most folks find in doing that, they can't apply the update via the admin. Did you update cf that way or via the command line? If the latter, did you do just a java -jar against the downloaded update jar? And were you running that cmd line as admin? The update process would have run as the user you ran that. There may be a clue there.

 

(BTW, I plan to do a blog post soon on how to solve the problem of being unable to run the update via the cf admin even when one has changed cf to run as other than the default local system account.) 


/Charlie (troubleshooter, carehart.org)

New Here, Oct 13, 2022

Hi Charlie, once again, thank you for your comprehensive post, I appreciate it.

FWIW I learned a long time ago that java -jar is the most reliable way to do update so that's how all of them are executed.

Starting CF from command line started the service fine!

The issue seems to be that whatever changes were made to the licensing steps on Update 5 are causing the service to wait much longer than the windows service timeout.

The generate UUID errors are still there on startup for Update 4 but it doesn't pause for 2 minutes doing who knows what...

So the question now is why these activation errors, can they be fixed and why are they taking longer than previous updates.

 

 

Oct 14, 2022 02:07:47 AM Error [main] - The license POST request has failed. Status Code: 400 Reason: Bad Request
Oct 14, 2022 02:07:47 AM Error [main] - Failed to contact the Adobe Licensing server: java.lang.NullPointerException
Oct 14, 2022 02:08:54 AM Error [main] - An error has occurred while generating UUID.
Oct 14, 2022 02:08:54 AM Information [main] - Developer Edition enabled

Oct 14, 2022 02:08:54 AM Error [main] - An error has occurred while generating UUID.
Oct 14, 2022 02:08:54 AM Information [main] - Developer Edition enabled
Oct 14, 2022 02:10:01 AM Error [main] - An error has occurred while generating UUID.
Oct 14, 2022 02:11:08 AM Error [main] - An error has occurred while generating UUID.
Oct 14, 2022 02:11:08 AM Information [main] - Starting crypto...

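The pause reported in the post above can be measured from the log timestamps. This is an added example, not part of the original thread or any Adobe tooling: it assumes the line layout seen in the posted log, and the function names and the 30-second threshold are illustrative choices.

```python
import re
from datetime import datetime

# Startup log lines copied from the post above (CF2021 with Update 5).
SAMPLE_LOG = """\
Oct 14, 2022 02:07:47 AM Error [main] - The license POST request has failed. Status Code: 400 Reason: Bad Request
Oct 14, 2022 02:07:47 AM Error [main] - Failed to contact the Adobe Licensing server: java.lang.NullPointerException
Oct 14, 2022 02:08:54 AM Error [main] - An error has occurred while generating UUID.
Oct 14, 2022 02:08:54 AM Information [main] - Developer Edition enabled
Oct 14, 2022 02:08:54 AM Error [main] - An error has occurred while generating UUID.
Oct 14, 2022 02:08:54 AM Information [main] - Developer Edition enabled
Oct 14, 2022 02:10:01 AM Error [main] - An error has occurred while generating UUID.
Oct 14, 2022 02:11:08 AM Error [main] - An error has occurred while generating UUID.
Oct 14, 2022 02:11:08 AM Information [main] - Starting crypto...
"""

# Assumed layout, taken from the sample: "<timestamp> <Level> [<thread>] - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2} [AP]M) "
    r"(?P<level>\w+) \[(?P<thread>[^\]]+)\] - (?P<msg>.*)$"
)


def parse(text):
    """Return (timestamp, level, message) for every line that matches LINE_RE."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # blank lines, stack-trace continuations, other formats
        ts = datetime.strptime(m["ts"], "%b %d, %Y %I:%M:%S %p")
        entries.append((ts, m["level"], m["msg"]))
    return entries


def find_stalls(entries, threshold_s=30):
    """Return (gap_seconds, level, message) for each entry logged after a long silence."""
    stalls = []
    for (prev_ts, _, _), (ts, level, msg) in zip(entries, entries[1:]):
        gap = (ts - prev_ts).total_seconds()
        if gap >= threshold_s:
            stalls.append((gap, level, msg))
    return stalls


def startup_report(text, threshold_s=30):
    """Summarise how much of the logged startup window was spent in silent gaps."""
    entries = parse(text)
    stalls = find_stalls(entries, threshold_s)
    total = (entries[-1][0] - entries[0][0]).total_seconds() if entries else 0.0
    return {"total_s": total, "stalled_s": sum(g for g, _, _ in stalls), "stalls": stalls}


if __name__ == "__main__":
    report = startup_report(SAMPLE_LOG)
    for gap, level, msg in report["stalls"]:
        print(f"{gap:>5.0f}s of silence before: {level}: {msg}")
    print(f"{report['stalled_s']:.0f}s of {report['total_s']:.0f}s spent waiting")
```

On the lines from the post it reports three 67-second gaps, each ending at a UUID generation error, which accounts for all 201 seconds between the first and last entry.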

Community Expert, Oct 13, 2022

Yep, Bog, the java -jar approach can seem the most reliable.

 

As for the log lines you share, are those messages from the cmdline display or from cf logs when run as a service? If the latter, again do check ALL of the logs written to at that startup. They may show more.

As for the hangup we DO see in those log msgs, as well as the errors, those are not normal. Now, you speak of them as seeming to be due to a change in the update, but again I have NOT experienced those in any of several cf2021 servers I've updated (in several different and unrelated networks). And to be clear, that includes instances that had production cf licensing and so passed the activation check.

 

The issue may be with a problem of your server REACHING the activation server. The docs page for the feature discusses the domains and ports that it reaches out on. Maybe you can open a firewall or configure cf to use a proxy for the activation--also discussed in the docs.

 

I realize the delay seems only to be happening after the update, but again those uuid errors are not normal. And maybe the logs for those startups may show a similar hangup, that's somehow been just a little shorter (so not preventing the service start), but still an issue.

 

And same with how it starts for you from the cmdline. That doesn't impose a timeout but may still be taking far longer from start to being up.

 

There are ways you could watch what's going on during the startup, such as with FusionReactor or perhaps the PMT. This doesn't need to remain a guessing game.

 

Perhaps Adobe will step in and offer info or even direct remote help. But if the problem remains and you feel it's important enough to try to solve with my help, I offer such remote help also, on a consulting basis (with a satisfaction guarantee). More, including rates and online calendar, at carehart.org/consulting.

 

I look forward to hearing how it turns out for you. 


/Charlie (troubleshooter, carehart.org)

New Here, Oct 14, 2022

Hi Charlie, yea I do not see it getting to the "starting crypto" bit in the logs when trying to start CF using the windows service.

All I see regarding activation is https://cfactivation.adobe.com/ and there is no issue accessing that url from the server.

 

I agree those UUID errors are not normal but something changed around that flow since Update 4 to cause this extra lag in the startup.

 

Thanks again for your input

Adobe Employee, Oct 12, 2022

@Bog26569200bq6u Is there any error in the Update install logs?

Thanks,
Priyank Shrivastava

Community Expert, Oct 13, 2022

Priyank, FWIW that was the first question I'd asked in my reply.  But in case that may not be where the problem was, that's why I didn't leave it at that. 


/Charlie (troubleshooter, carehart.org)

New Here, Oct 13, 2022

no errors in the update logs


1435 Successes
0 Warnings
0 NonFatalErrors
0 FatalErrors

Community Expert, Oct 13, 2022

Am I somehow invisible to some here? Or Bog, if you skipped my note for its length, please now read and reply to it. Again, I specifically asked for more info, if the update log showed no errors. 


/Charlie (troubleshooter, carehart.org)

New Here, Oct 13, 2022

sorry Charlie, my fault, replied out of order

Community Expert, Oct 13, 2022

Thanks. And for any who might jump down to this thread, note that Bog and I have since had a few messages back and forth, above, trying to solve his problem. 


/Charlie (troubleshooter, carehart.org)

New Here, Oct 14, 2022

@Priyank Shrivastava. It seems there is a long wait time (2+ minutes!) during startup once Update 5 is installed, see logs below.

What can be done to shorten that or resolve those UUID generate errors?

 

Oct 14, 2022 02:08:54 AM Information [main] - Developer Edition enabled
Oct 14, 2022 02:10:01 AM Error [main] - An error has occurred while generating UUID.
Oct 14, 2022 02:11:08 AM Error [main] - An error has occurred while generating UUID.
Oct 14, 2022 02:11:08 AM Information [main] - Starting crypto...

Adobe Employee, Oct 14, 2022

@Bog26569200bq6u  I have shared my email with you in DM. Can you please send an email to me and I will work with you directly to resolve this issue.  

 

Thanks,
Priyank Shrivastava
