• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
1

RELEASED- ColdFusion 2021 and 2018 October Security Updates

Adobe Employee ,
Oct 11, 2022 Oct 11, 2022

Copy link to clipboard

Copied

UPDATE 10/19/2022: Added information about refreshed installers. Thank you @Charlie Arehart for this.

 

We are pleased to announce that we have released the updates for the following ColdFusion versions:

 

In these updates, we’ve fixed a few security and feature-specific bugs, along with other libraries. We’ve also introduced support for M1 macOS.

 

We've also refreshed ColdFusion 2021 installers. You can find the refreshed installers on the ColdFusion downloads page.

 

For more information, see the tech notes below:

 

NOTE: After applying this update, you must reinstall any custom hotfixes that might have been applied earlier. The hotfixes for ColdFusion 2021 Update 4 are located in the folder, /ColdFusion2021/cfusion/hf-updates/hf-2021-00005-330109/backup/lib/updates.

 

These updates fix security vulnerabilities that are mentioned in the security bulletin,  APSB22-44.

 

The Docker images will be hosted shortly on Docker Hub.

Please update your ColdFusion versions and provide us your valuable feedback.

TOPICS
Getting started , Security

Views

4.2K

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Oct 19, 2022 Oct 19, 2022

Copy link to clipboard

Copied

New error with XmlSearch after installing 2021,0,05,330109 :

 

coldfusion.runtime.CFPage.XmlSearch(Lcoldfusion/xml/XmlNodeList;Ljava/lang/String;)Ljava/lang/Object; null

 

Example of code that generates error:

 

<cfset nodeList = XmlSearch(xmlDoc, "//my_node_path")>
 
Thanks,
-Eric Johnson

 

 

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Oct 19, 2022 Oct 19, 2022

Copy link to clipboard

Copied

Hi @ej401 Please clear the classes in <CF_HOME>/instance/wwwroot/WEB-INF/cfclasses.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Oct 19, 2022 Oct 19, 2022

Copy link to clipboard

Copied

Thanks @Saurav_Ghosh - when combined with a restart of the CF services, this appears to have corrected the issue.

 

-Eric Johnson

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Oct 19, 2022 Oct 19, 2022

Copy link to clipboard

Copied

I get this error in CFAdmin: /CFIDE/administrator/updates/index.cfm

coldfusion.runtime.CFPage.XmlSearch(Lcoldfusion/xml/XmlNodeList;Ljava/lang/String;)Ljava/lang/Object; null
The error occurred on line 733.

I tried clearing cfclasses and restarting CF, but still get the error in CFAdmin.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Oct 19, 2022 Oct 19, 2022

Copy link to clipboard

Copied

A little more details:

 

at cf_core2ecfm1148457877$funcGETINSTALLEDUPDATES.runFunction(/CFIDE/administrator/updates/_core.cfm:733)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Oct 19, 2022 Oct 19, 2022

Copy link to clipboard

Copied

Hi @fgwenger Are you trying to install 2021.5 or 2018.15? Do you still see the error?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Oct 20, 2022 Oct 20, 2022

Copy link to clipboard

Copied

2021.  Still having the issue.  4 servers now.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Oct 20, 2022 Oct 20, 2022

Copy link to clipboard

Copied

Walked through some things with Adobe Support.  Working now, but not entirely sure why.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Oct 21, 2022 Oct 21, 2022

Copy link to clipboard

Copied

Regarding 2021,0,05,330109 again and the issue with XmlTransform:

 

"Unable to process the XML string as it could probably contain file paths.", which is a result of this change in update 5:

 

"If the XML path contains a forward slash or backslash, it will be blocked. The flag, coldfusion.xml.allowPathCharacters, must be set to true to allow the same."

 

I have seen this issue mentioned here and here, but the only solution provided is to add an argument to a config file to solve it. Unfortunately, this is not acceptable, as the underlying security bulletin points to this vulnerability and the IT staff at my organization will not accept the workaround because of the security implications.

 

Separately, I have been trying to figure out what is wrong with our code that would return this error and I honestly think it is a false positive. For instance, if I reduce the code down to the simplest possible form, the error still occurs - i.e.:

 

XMLTransform("<record></record>", "<xsl:stylesheet xmlns:xsl=""mynamespace""></xsl:stylesheet>")
 
Note that I even removed the xsl namespace declaration and, also, tried it with objects returned from CFXML - the error persists. Is the update possibly interpretting the / in the tags themselves as malicious?
 
Please advise.
 
Thanks,
Eric Johnson
 
 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Oct 21, 2022 Oct 21, 2022

Copy link to clipboard

Copied

Actually, I think that this was the vulnerability I meant to post. Or, is it both CWE-22 AND CWE-611?  Unsure - but either way, we want to make an effort to be safe in regards to both.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Oct 21, 2022 Oct 21, 2022

Copy link to clipboard

Copied

Hi Eric,

 

I'm the external person who reported this vulnerability to Adobe and can provide a little more information.  

 

I believe this item ("Unable to process the XML string as it could probably contain file paths") is being tracked as CVE-2022-42340.   (They're both similar, but the other one  -- CVE-2022-42341 -- is a straightforward lack of protection for XXE.  I may blog more about that one in the future.)

 

As far as I'm aware, CVE-2022-42340 is limited to an XLST injection against XMLTransform().  You are correct that the current patch appears to break/return that error for / or \ characters anywhere in an XSL stylesheet, including your example of the closing </xsl:stylesheet> tag.  I've brought this to Adobe's attention and mentioned it here: https://twitter.com/hoyahaxa/status/1581261198187958272

 

I don't want to speak or provide guidance in terms of absolute security, but if your application calls to XMLTransform() are not consuming XSL stylesheets that can be provided by/controlled by the user or other untrusted sources, exploitation of this vulnerability may be unlikely or impractical. 

 

And it goes without saying that any additional context, insights, or support from Adobe on this supersedes the above. 🙂

 

Brian

 

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Oct 21, 2022 Oct 21, 2022

Copy link to clipboard

Copied

Thanks for your feedback Brian - much appreciated!

I will give Adobe a few days on this issue and petition for the workaround in our environment if nothing surfaces.

 

-Eric

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Oct 29, 2022 Oct 29, 2022

Copy link to clipboard

Copied

Is there a work-around to re-enable View/Download/Delete log files in the Administrator/Console? Being able to view application errors in the Console/Administrator made troubleshooting easier.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Jan 29, 2023 Jan 29, 2023

Copy link to clipboard

Copied

LATEST

Mpinets, you'd asked in Oct here about the removal of the log viewer in the admin. I don't see any reply, but in an point you to another thread which came up here a few days later, and I'd seen and responded to that with a discussion and solution to consider:

 

https://community.adobe.com/t5/coldfusion-discussions/log-files-page-in-coldfusion-administrator/m-p...


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Oct 29, 2022 Oct 29, 2022

Copy link to clipboard

Copied

I will be honest.  Never had more issues with these updates.  CF2021 feels like its a beta or even alpha build and we are paying to be the testers. 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Nov 09, 2022 Nov 09, 2022

Copy link to clipboard

Copied

I haven't seen all of the XML-related secuirty updates and new options that are available to ColdFusion functions after APSB22-44 pulled together and documented anywhere, so I wound up do just that in a blog post -- https://hoyahaxa.blogspot.com/2022/11/on-coldfusion-xxe-and-other-xml-attacks.html

 

You can now add protection against XXE (XML eXternal Enities) attacks in xmlSearch() and xmlTransform() in ACF, but need to do so with a minor code change.  isXML() and xmlParse() already supported this, but not all of the Adobe function documentation has been updated yet.

 

With some details  on XSLT/xmlTransform() errors and Lucee info too!

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation