UPDATE 10/19/2022: Added information about refreshed installers. Thank you @Charlie Arehart for this.
We are pleased to announce that we have released the updates for the following ColdFusion versions:
In these updates, we’ve fixed a few security and feature-specific bugs, along with other libraries. We’ve also introduced support for M1 macOS.
We've also refreshed ColdFusion 2021 installers. You can find the refreshed installers on the ColdFusion downloads page.
For more information, see the tech notes below:
NOTE: After applying this update, you must reinstall any custom hotfixes that might have been applied earlier. The hotfixes for ColdFusion 2021 Update 4 are located in the folder, /ColdFusion2021/cfusion/hf-updates/hf-2021-00005-330109/backup/lib/updates.
These updates fix security vulnerabilities that are mentioned in the security bulletin, APSB22-44.
The Docker images will be hosted shortly on Docker Hub.
Please update your ColdFusion versions and provide us your valuable feedback.
New error with XmlSearch after installing 2021,0,05,330109:
coldfusion.runtime.CFPage.XmlSearch(Lcoldfusion/xml/XmlNodeList;Ljava/lang/String;)Ljava/lang/Object; null
Example of code that generates error:
Hi @ej401 Please clear the classes in <CF_HOME>/instance/wwwroot/WEB-INF/cfclasses.
Thanks @Saurav_Ghosh - when combined with a restart of the CF services, this appears to have corrected the issue.
-Eric Johnson
I get this error in CFAdmin: /CFIDE/administrator/updates/index.cfm
coldfusion.runtime.CFPage.XmlSearch(Lcoldfusion/xml/XmlNodeList;Ljava/lang/String;)Ljava/lang/Object; null
The error occurred on line 733.
I tried clearing cfclasses and restarting CF, but still get the error in CFAdmin.
A few more details:
at cf_core2ecfm1148457877$funcGETINSTALLEDUPDATES.runFunction(/CFIDE/administrator/updates/_core.cfm:733)
Hi @fgwenger Are you trying to install 2021.5 or 2018.15? Do you still see the error?
2021. Still having the issue. 4 servers now.
Walked through some things with Adobe Support. Working now, but not entirely sure why.
Regarding 2021,0,05,330109 again and the issue with XmlTransform:
"Unable to process the XML string as it could probably contain file paths.", which is a result of this change in update 5:
"If the XML path contains a forward slash or backslash, it will be blocked. The flag, coldfusion.xml.allowPathCharacters, must be set to true to allow the same."
I have seen this issue mentioned here and here, but the only solution provided is to add an argument to a config file to solve it. Unfortunately, this is not acceptable, as the underlying security bulletin points to this vulnerability and the IT staff at my organization will not accept the workaround because of the security implications.
Separately, I have been trying to figure out what is wrong with our code that would return this error and I honestly think it is a false positive. For instance, if I reduce the code down to the simplest possible form, the error still occurs - i.e.:
Actually, I think that this was the vulnerability I meant to post. Or, is it both CWE-22 AND CWE-611? Unsure - but either way, we want to make an effort to be safe in regards to both.
Hi Eric,
I'm the external person who reported this vulnerability to Adobe and can provide a little more information.
I believe this item ("Unable to process the XML string as it could probably contain file paths") is being tracked as CVE-2022-42340. (They're both similar, but the other one -- CVE-2022-42341 -- is a straightforward lack of protection for XXE. I may blog more about that one in the future.)
As far as I'm aware, CVE-2022-42340 is limited to an XSLT injection against XMLTransform(). You are correct that the current patch appears to break/return that error for / or \ characters anywhere in an XSL stylesheet, including your example of the closing </xsl:stylesheet> tag. I've brought this to Adobe's attention and mentioned it here: https://twitter.com/hoyahaxa/status/1581261198187958272
I don't want to speak or provide guidance in terms of absolute security, but if your application calls to XMLTransform() are not consuming XSL stylesheets that can be provided by/controlled by the user or other untrusted sources, exploitation of this vulnerability may be unlikely or impractical.
And it goes without saying that any additional context, insights, or support from Adobe on this supersedes the above. 🙂
Brian
Thanks for your feedback Brian - much appreciated!
I will give Adobe a few days on this issue and petition for the workaround in our environment if nothing surfaces.
-Eric
Is there a work-around to re-enable View/Download/Delete log files in the Administrator/Console? Being able to view application errors in the Console/Administrator made troubleshooting easier.
Mpinets, you'd asked in Oct here about the removal of the log viewer in the admin. I don't see any reply, but I can point you to another thread which came up here a few days later, and I'd seen and responded to that with a discussion and solution to consider:
I will be honest. Never had more issues with these updates. CF2021 feels like it's a beta or even alpha build and we are paying to be the testers.
I haven't seen all of the XML-related security updates and new options that are available to ColdFusion functions after APSB22-44 pulled together and documented anywhere, so I wound up doing just that in a blog post -- https://hoyahaxa.blogspot.com/2022/11/on-coldfusion-xxe-and-other-xml-attacks.html
You can now add protection against XXE (XML eXternal Entities) attacks in xmlSearch() and xmlTransform() in ACF, but need to do so with a minor code change. isXML() and xmlParse() already supported this, but not all of the Adobe function documentation has been updated yet.
With some details on XSLT/xmlTransform() errors and Lucee info too!
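As an added example (not code from the thread, Adobe, or Brian's blog post) of the defensive pattern the last two posts describe: untrusted XML is parsed once with xmlParse(), which honours the Application.cfc `this.xmlFeatures` setting Adobe documents (`externalGeneralEntities`, `secure`, `disallowDoctypeDecl`), and the resulting document object, not the raw string, is what xmlSearch() and xmlTransform() receive; the stylesheet is held on the server and never chosen by the request, which is the condition under which the CVE-2022-42340 exposure is described above as unlikely. The application name, file names, sample XML and XSL are constructed for this example; whether the `/` characters in the stylesheet's closing tags trip the Update 5 path-character check quoted earlier in the thread is governed by that update's behaviour, which this code does not change.

```cfml
<!--- ===== Application.cfc (constructed example) ===== --->
component {
    this.name = "xmlHardeningDemo";   // constructed application name

    // Adobe's documented Application-level XML hardening: XmlParse()/IsXML()
    // refuse DOCTYPE declarations and do not resolve external entities.
    this.xmlFeatures = {
        externalGeneralEntities = false,
        secure = true,
        disallowDoctypeDecl = true
    };
}

<!--- ===== order.cfm (constructed example) ===== --->
<cfscript>
// Constructed input standing in for an untrusted request body. It carries the
// DOCTYPE/external-entity shape that XXE protections exist to reject; the
// SYSTEM identifier is a placeholder, not a real target.
untrustedXml = '<?xml version="1.0"?>
<!DOCTYPE order [ <!ENTITY ext SYSTEM "file:///placeholder/local/file"> ]>
<order><id>42</id><note>&ext;</note></order>';

// Trusted stylesheet kept on the server; the request never supplies or selects it.
trustedXsl = '<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:template match="/">Order <xsl:value-of select="/order/id"/></xsl:template>
</xsl:stylesheet>';

// Returns a struct with ok/id/rendered/error so the caller can log rejections
// (a rejected DOCTYPE in a request body is worth a detection signal on its own).
function handleOrder(required string xmlText, required string xsl) {
    var result = { ok = false, id = "", rendered = "", error = "" };
    try {
        // Parsing happens first and honours this.xmlFeatures: the DOCTYPE in the
        // constructed input is rejected here, before any XPath or XSLT runs.
        var doc = xmlParse(arguments.xmlText);

        // Pass the parsed document object, not the raw string, to the XML functions.
        var ids = xmlSearch(doc, "/order/id");
        result.id = arrayLen(ids) ? ids[1].xmlText : "";
        result.rendered = xmlTransform(doc, arguments.xsl);
        result.ok = true;
    } catch (any e) {
        // Message text is surfaced to the caller's log, not echoed to the client.
        result.error = e.message;
    }
    return result;
}

writeDump(handleOrder(untrustedXml, trustedXsl));
</cfscript>
```

With the constructed input, the dump shows `ok = false` and the parser's rejection message; replace the DOCTYPE-bearing body with a plain `<order>` document and the same call returns `id = 42` with the rendered text.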