We are pleased to announce that we have released the updates for the following ColdFusion versions:
In this update, apart from fixing the security vulnerabilities, we’ve also added SameSite cookie support for cfcookie.
For more information, see the tech notes below:
These updates fix security vulnerabilities that are mentioned in the security bulletin, APSB20-18.
Please update your ColdFusion versions today. Let us know if you face any issues while installing the updates. Your feedback is essential to further enhancing the product.
We thank you for your continuing support.
I am getting a 403 forbidden error after updating to 14 or greater (CF2016) and 9 (CF2018). Any insight? I have several instances that I need to update, so I need a rinse-repeat type of SOP.
Yes, this is a known issue. See the technote for the update, and its post-installation section. It notes the 403 error and what to do about it.
If you still have challenges, write back. If that works for you, do let us know.
That didn't work. I updated the server.xml with the same secret from the worker.properties and double-checked it; still getting a 403?
Well, there were two suggested fixes for the 403. Read in the troubleshooting section about adding the allowedRequestAttributesPattern=".*" to the AJP connector in server.xml.
Perhaps you're frustrated and rushing. If so, do note two things:
First, observe the case of that attribute (critical) and the value: a dot and an asterisk.
Second, you should NOT have needed to have "updated the server.xml with the same secret from the worker.properties". The CF update should have done THAT. Then the wsconfig update would have put the secret CF created into the workers.properties. I'm saying something seems off if the secret was NOT there already.
Just trying to help. I have more detail (on these various problems after that March update to 2018 and 2016) in a post on my site:
If you may be getting these replies by email, note I've corrected my last post. As I'm writing on my phone, in the tiny editing window offered, that can't be zoomed in, I missed that I'd made a typo in the attribute name. It's... attributes... (s) not... attributed... (d).
jal4470, did you get the problem resolved? If so, what was the right solution for you?
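For anyone repeating this across several instances, the two points raised in the thread (the connector secret matching the worker secret, and the exact spelling of `allowedRequestAttributesPattern`) can be checked with a short script. This is an added example, not code from Adobe or from the commenters; the file contents, port, worker name `cfusion`, secret value and function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample files (not from a real server); the secret is a placeholder.
SERVER_XML = """<Server port="8007" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8500" protocol="HTTP/1.1"/>
    <Connector port="8018" protocol="AJP/1.3" secret="EXAMPLE-SECRET"
               allowedRequestAttributespattern=".*"/>
  </Service>
</Server>"""

WORKERS_PROPERTIES = """worker.list=cfusion
worker.cfusion.type=ajp13
worker.cfusion.port=8018
worker.cfusion.secret=EXAMPLE-SECRET
"""

PATTERN_ATTR = "allowedRequestAttributesPattern"  # exact case, as the thread stresses


def worker_secrets(text):
    """Map worker name -> secret from workers.properties text."""
    rx = r"^worker\.([^.\s]+)\.secret\s*=\s*(.*)$"
    return {m.group(1): m.group(2).strip() for m in re.finditer(rx, text, re.M)}


def check_ajp(server_xml, workers_properties):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    secrets = set(worker_secrets(workers_properties).values())
    connectors = [c for c in ET.fromstring(server_xml).iter("Connector")
                  if c.get("protocol", "").upper().startswith("AJP")]
    if not connectors:
        findings.append("no AJP connector found in server.xml")
    for c in connectors:
        port, secret = c.get("port"), c.get("secret")
        if not secret:
            findings.append(f"port {port}: connector has no secret attribute")
        elif secret not in secrets:
            findings.append(f"port {port}: secret does not match any worker secret")
        # XML attribute names are case-sensitive, so catch near-miss spellings.
        for name in c.keys():
            if name.lower() == PATTERN_ATTR.lower() and name != PATTERN_ATTR:
                findings.append(f"port {port}: attribute '{name}' is miscased")
        value = c.get(PATTERN_ATTR)
        if value is not None and value != ".*":
            findings.append(f"port {port}: pattern is {value!r}, thread quotes '.*'")
    return findings


if __name__ == "__main__":
    print(check_ajp(SERVER_XML, WORKERS_PROPERTIES))
```

The script never prints the secret itself, only whether the two files agree, so its output is safe to paste into a ticket.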