ColdFusion (2018 release) Update 10 and ColdFusion (2016 release) Update 16 released

Adobe Employee,
Jul 14, 2020

Update 7/15/2020: The Docker images for both these versions are up.

We are pleased to announce that we have released the updates for the following ColdFusion versions:

In this update, we’ve fixed a few security bugs and some other bugs, which are mentioned in the tech notes.

Charlie Arehart has written an excellent blog on the importance of securing the CAR files. Read it here.

For more information, see the tech notes below:

These updates fix security vulnerabilities that are mentioned in the security bulletin, APSB20-43.

Please update your ColdFusion versions today. Let us know if you face any issues while installing the updates. Your feedback is essential to further enhancing the product.

Note: We’ve also updated the add-on installers.

We thank you for your continuing support.

Enthusiast,
Jul 15, 2020


I applied this update today, and I see here https://helpx.adobe.com/coldfusion/kb/coldfusion-2016-update-16.html that there is a note to delete a CAR file once I have updated, but I'm unclear as to what and where that is. Could you please clarify? Thanks.

Adobe Employee,
Jul 15, 2020

Enthusiast,
Jul 15, 2020


So is it saying that if I ever made any CAR files to save all of my settings before this update, I should discard them and create new ones, as the old CAR files contain data that either won't work or is at risk?

Adobe Community Professional,
Jul 15, 2020


ACS_LLC, I offered a blog post last night anticipating and addressing your very questions. 🙂 See:

https://www.carehart.org/blog/client/index.cfm/2020/7/14/why_secure_car_files/

It was posted just a few hours before your question here, and before Saurav's reply kindly pointing to other resources with more general info on the CAR file mechanism. But I knew that some would see that brief admonition in the update technotes and wonder what it was about. I have a TLDR at the top, but then a fuller explanation follows.

Also, since I know not everyone would see a post on my own blog, I offered that TLDR-level info in a post on the Adobe CF Portal (pointing to my fuller post for more):

https://coldfusion.adobe.com/2020/07/importance-of-securing-car-files/

/Charlie (server troubleshooter, carehart.org)

Adobe Community Professional,
Jul 15, 2020


Hi, Saurav. About that list of resources you kindly offered, I would point out that the 2nd one is merely a pointer to someone's copy of an older version of the CF docs. It's really no more helpful than the first link (the docs). BTW, about that first link (to the current docs), it's unfortunate that there's not more detail on how the CAR mechanism works, including screenshots. Those who read closely will see that it points to the CF Admin help (which most never realize even exists).

FWIW, you would do well to replace that second link with a better resource that really does show more info, including screenshots (and which is recent):

https://www.cfguide.io/coldfusion-administrator/packaging-deployment-coldfusion-archives/

I might even argue it would be better to list that first here. But please do consider removing the asanet.org link. And while you're at it, you might want to add a link to my post from last night (which more directly addresses ACS_LLC's question); again it's:

https://www.carehart.org/blog/client/index.cfm/2020/7/14/why_secure_car_files/

Finally, if you are going to keep the (current first) link to the docs, you could help folks by at least pointing more directly to the section in the docs on the CAR mechanism, which is:

https://helpx.adobe.com/coldfusion/configuring-administering/deploying-coldfusion-applications.html#...

Hope that's helpful.

/Charlie (server troubleshooter, carehart.org)

ACS_LLC
Enthusiast,
Jul 16, 2020


Thanks for the blog post Charlie, much appreciated.

OK, I get it now: it was not so much related to files created by that particular upgrade, but just about the usage of the CAR file and how they can be easily exploited.

I like to keep a copy should I ever have to reinstall the server; it's good to have all of the settings saved and easily reimported. I have mine in a secure ZIP file, on a BitLockered drive, so I think I'm in good shape. Good point on the transfer though, making sure that SFTP is used to avoid any interception.
