megha1997
Adobe Employee
Activity
‎Dec 23, 2024
06:55 PM
Hi @neochuck
If you simply have PMT module installed, that could make you vulnerable. You need not have PMT installed or configured. Kindly refer to the FAQ section in the technote:
https://helpx.adobe.com/coldfusion/kb/coldfusion-2023-update-12.html
‎Oct 29, 2024
01:47 AM
Hi @xfreeman89x
If this issue still persists, please contact cfsup@adobe.com
‎Oct 23, 2024
06:35 AM
Hi @DevScreen
You can add this flag: -Dcoldfusion.sftp.enable-ssh-rsa=TRUE to enable the ssh-rsa algorithm.
Please refer to https://helpx.adobe.com/coldfusion/kb/coldfusion-2023-update-11.html for more information on the fix done for https://tracker.adobe.com/#/view/CF-4221161
‎Oct 22, 2024
07:47 AM
@xfreeman89x Thanks for sharing the info.
We are currently unable to reproduce this issue at our end. If there is any specific step or any more information regarding your setup that you could share, it would help us to reproduce the issue.
‎Oct 21, 2024
10:06 PM
@xfreeman89x Did you use this flag while installing the hotfix -
-Djdk.util.zip.disableZip64ExtraFieldValidation=true
Could you please attach the new log file (where you mentioned there were no fatal errors)?
In the ColdFusion Administrator, click the "i" button in the top right corner under Server Details. Please check the Version and share that information here as well.
‎Oct 21, 2024
05:26 AM
@xfreeman89x Thanks for sharing the log file. I have a couple of questions:
Did you run the hotfix manually? If yes, then was it run with administrator privileges?
What is the JDK version you are using to run CF and the hotfix jar?
‎Oct 16, 2024
10:47 PM
Hi @xfreeman89x Could you please share your hotfix installation log file?
‎Mar 20, 2024
01:00 AM
Good to know! Thanks for the update
‎Mar 14, 2024
10:56 PM
@Maxwell Turner Sharing ColdFusion Support email id here - cfsup@adobe.com
Kindly share the logs and setup details there, and we will look into it.
‎Mar 14, 2024
04:53 PM
@Maxwell Turner Inside hf-updates there should be a folder that is named after update 7 version, and within that there should be a log file whose name has the date/time of the install.
‎Mar 14, 2024
04:24 PM
@Maxwell Turner In your <ColdFusion installation directory>/<instance_folder>/hf-updates there should be a folder created in the name of update 7. This will contain the hotfix installation log. Could you please check the error logged there and share?
‎Mar 14, 2024
01:52 AM
2 Upvotes
As there seems to be confusion around the CVE that is shown in the ColdFusion Security Bulletin (https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html), I would like to clarify this - The Scope vulnerability was internally identified, and hence, does not contain a CVE and cannot be disclosed. CVEs are only present for those vulnerabilities that are publicly disclosed. The vulnerability "Arbitrary file system read" that you see in the bulletin is different from the one in Implicit searching of unscoped variables.
‎Mar 13, 2024
08:14 PM
@DevScreen The code you added looks good to me.
‎Mar 13, 2024
07:43 PM
@Sergei L. By "*This option is highly discouraged and should be considered only as a temporary workaround, until all application code is fixed." we mean this - Implicit searching of unscoped variables (list of affected scopes is added in the technote) poses a significant threat, and due to the internally discovered vulnerabilities associated with it, we have set this to false by default. As this is a major change that could break existing code, the jvm flag/setting to true at application level will aid in easing into the fix.
This is "highly discouraged" as the fix will be reverted while you are setting it to true, which we do not recommend from a security standpoint, and this is "temporary" as the jvm flag will be removed in the next release and would no longer have the capability to revert the fix.
‎Mar 13, 2024
09:34 AM
This is not intentional. It is being corrected to have the correct jar (007-330663.jar). Thanks for pointing this out.
‎Mar 13, 2024
06:34 AM
@Sergei L. This is the correct checksum - 2b0f5588a81851f1e7bf874dd60bae8e
We are getting this updated in ColdFusion (2023 release) Updates.