
Security updates released for ColdFusion 2021 and 2023, Nov 14 2023

Just a heads-up for my readers that there was an important security update released today by Adobe for ColdFusion 2023 (update 6) and 2021 (update 12). (Users of previous versions should note that those are no longer updated, not even for security fixes.)

If you apply the update using the CF Admin and then find that CF starts but the Admin and your code fail, I cover that also, in the second section below.

For more, read on.

While you should see the update appear in your CF Admin when you log in (and if you don't, give it time, as there may be a caching issue), Adobe has announced it via their CF Community Forums:

NOW LIVE! Adobe ColdFusion 2023 and 2021 November security updates

And that points to the technote for each version's update, as well as to the Adobe Product Security Bulletin (APSB) related to it, which has a little more about the issues identified and addressed:

Security updates available for Adobe ColdFusion | APSB23-52

Given that these are indeed security fixes, it would seem in your interest to get them applied ASAP. (I have no further info about the vulns to share than what is in these two pages, and since they were just posted I don't have news yet of any challenges anyone may have had. I can report I installed both updates without incident.)

On possible need to upgrade web server connector

Don't miss also that if you're skipping to this update without having applied the previous one from October, that update's technote indicated that the web server connector for CF needs to be upgraded (if you use CF with IIS or Apache).

While the technote refers to "recreating" the connector (which implies removing and re-adding it), note that since cf2016 we've been able to "upgrade" the connector using the wsconfig UI (or command line). I have a blog post with more on that here.

What about the problem if you'd updated CF to use a Java version released since July?

If you apply the update in the CF Admin and find that CF starts but the Admin and your code fail (with a 500 error, or perhaps in more detail an error starting with "java.lang.NullPointerException"), this is a problem that can be solved.

I had written back in October about a problem folks could hit (which I first found in July) when applying CF updates via the CF Admin. The issue happened if you had updated the Java underlying CF to a version released in July or later (that's 11.0.20 or later for CF2021, or 17.0.8 or later for CF2023). I explained in that October post how you would need to run the CF update from the command line, adding a needed new JVM argument (offered by Oracle).

I shared then also how Adobe planned to resolve the problem for us, with the "next update"--and that would be this update.

I can report that the problem seems to be solved--mostly. I applied the CF update from the CF Admin on a CF2021 and a CF2023 instance that were each running one of those recent Java versions, and where both instances were on the previous CF updates (11 and 5, respectively). There were 0 errors.

But then I had one computer with an instance of CF2021 that was still on update 10 (not 11), and when I applied update 12 I got the failure (where CF started but the Admin would not load and requests failed, as discussed more in that October post). Same with another where I had CF2023 running update 4 and skipped to update 6.

It seems that (even though the CF updates are cumulative) there's something about skipping the last update that still allows the problem to happen. I'll need to explore more, but I wanted to share this as a first observation.

Again, the simple solution is just to run the CF update from the command line, with a special JVM arg (no need to "uninstall" the current update, even though it failed). See the post from October for details.
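As an added example (not the author's code, nor any Adobe tool), the following Python applies the two observations above to the first line of `java -version` output: the July 2023 Java thresholds (11.0.20 for CF2021, 17.0.8 for CF2023) and the finding that the Admin-applied update only failed when the immediately previous CF update had been skipped. The decision rules are an assumption derived from the post; the JVM argument itself is not named on this page, so the code only reports which install route to take.

```python
import re
from typing import Optional, Tuple

# Thresholds from the post: CF's Java at a release from July 2023 or later
# (11.0.20+ for CF2021, 17.0.8+ for CF2023) is what triggered the Admin-install failure.
AFFECTED_JAVA_FROM = {2021: (11, 0, 20), 2023: (17, 0, 8)}

# The update immediately before the November release (CF2021 update 11, CF2023 update 5).
# The post observed the failure only when that update had been skipped.
PREVIOUS_UPDATE = {2021: 11, 2023: 5}

# Matches the quoted version on the first line of `java -version` output,
# e.g. 'openjdk version "17.0.8" 2023-07-18' or 'java version "11.0.21" 2023-10-17 LTS'.
VERSION_RE = re.compile(r'version "(\d+(?:\.\d+)*)')


def parse_java_version(java_version_output: str) -> Optional[Tuple[int, ...]]:
    """Return the numeric version tuple from `java -version` text, or None if absent."""
    match = VERSION_RE.search(java_version_output)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def java_is_recent(cf_year: int, java_version: Tuple[int, ...]) -> bool:
    """True when the JVM is at or beyond the July 2023 release for this CF version."""
    # Pad or trim to three components so "17" compares like (17, 0, 0).
    padded = tuple(list(java_version) + [0] * (3 - len(java_version)))[:3]
    return padded >= AFFECTED_JAVA_FROM[cf_year]


def recommend_install_path(cf_year: int, installed_update: int,
                           java_version_output: str) -> Tuple[str, str]:
    """Decide between the CF Admin and the command-line install (with the JVM argument).

    Returns (method, reason) where method is "admin" or "command-line".
    Assumed decision logic derived from the post's observations; not Adobe's guidance.
    """
    if cf_year not in AFFECTED_JAVA_FROM:
        raise ValueError(f"unsupported ColdFusion version: {cf_year}")
    java_version = parse_java_version(java_version_output)
    if java_version is None:
        # Conservative choice when the JVM cannot be identified.
        return "command-line", "could not read the Java version; use the command line to be safe"
    if not java_is_recent(cf_year, java_version):
        return "admin", "Java predates the July 2023 releases, so the Admin install is unaffected"
    if installed_update == PREVIOUS_UPDATE[cf_year]:
        return "admin", ("recent Java, but coming from the immediately previous update, "
                         "which worked in the post's tests")
    return "command-line", (
        f"recent Java and skipping update {PREVIOUS_UPDATE[cf_year]}: the post saw the "
        "Admin install fail here, so run the update from the command line with the JVM argument"
    )


if __name__ == "__main__":
    # Constructed sample output for demonstration, not captured from a real server.
    sample = 'openjdk version "17.0.8" 2023-07-18\nOpenJDK Runtime Environment (build 17.0.8+7)'
    print(recommend_install_path(2023, 4, sample))
```

Feed it the text of `java -version` from the JVM that CF actually uses (the one set in the Admin's Java and JVM page), not whatever `java` happens to be first on the PATH, since those often differ on a CF server.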

On keeping you updated on such news

BTW, I failed to share news of the previous updates last month: to CF (2023 update 5 and 2021 update 11), as well as to the JVM (11.0.21 for use with CF2021 and 17.0.9 for use with CF2023), and to FusionReactor (11 and 11.0.1). Lots of 11's there! In each case I had wanted to share "more" about the release than just the news. Then time got away from me. And some people lamented that they look to my posts as a heads-up on things. (There are other ways to get notified, and I need to do a post on those.)

From now on, I will endeavor to get a post out the day a release comes out, and save any following "news" about the release (even if learned that day) for a follow-on post, so that this delay/missed announcement doesn't happen again. And if you want to get notified when I offer posts, note the subscribe form offered here (on the right on desktops, at the bottom on mobile).

Finally, if you may want help with considering, installing, or troubleshooting anything related to these updates (or indeed anything related to CF), I'm available for online remote consulting. More at carehart.org/consulting.

Comments
Hi Charlie, I just read your email about this and decided to update CF2023 to Update 6 and now I have a server-wide 500 Internal Server Error that I can't resolve.

The log says:

Installation: Unsuccessful.

145 Successes
2 Warnings
2 NonFatalErrors
2 FatalErrors

Action Notes:

Failed to copy hotfix files:C:\Users\Administrator\250372.tmp\dist\updates: Failed to copy the hotfix files to the target location. Retry installation after ensuring that the server is not running or files are not locked by the server.

Failed to copy hotfix files:C:\Users\Administrator\250372.tmp\dist\wwwroot: Failed to copy the hotfix files to the target location. Retry installation after ensuring that the server is not running or files are not locked by the server.

I have tried to uninstall using CMD and it says invalid or corrupt JAR file for the uninstaller.jar

I have reinstalled the update several times, manually stopped all ColdFusion services before doing it, and it's still stuck in this state.

I'm out of ideas of where to go from here - any help would be much appreciated.
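The installer log quoted in the comment above can be checked mechanically after any update attempt. As an added example, not part of this comment thread, this Python parses a constructed log in that same shape, extracts the summary counts, and lists the hotfix paths the installer failed to copy, which is the locked-file signature the log text itself points to (server still running, or files held open).

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of the CF update-installer log quoted in the comments.
SAMPLE_LOG = r"""Installation: Unsuccessful.

145 Successes
2 Warnings
2 NonFatalErrors
2 FatalErrors

Action Notes:

Failed to copy hotfix files:C:\Users\Administrator\250372.tmp\dist\updates: Failed to copy the hotfix files to the target location. Retry installation after ensuring that the server is not running or files are not locked by the server.

Failed to copy hotfix files:C:\Users\Administrator\250372.tmp\dist\wwwroot: Failed to copy the hotfix files to the target location. Retry installation after ensuring that the server is not running or files are not locked by the server.
"""

# "Installation: Unsuccessful." -> "Unsuccessful"
STATUS_RE = re.compile(r"^Installation:\s*(\w+)", re.M)
# Summary lines such as "145 Successes" or "2 FatalErrors"
COUNT_RE = re.compile(r"^(\d+)\s+(Successes|Warnings|NonFatalErrors|FatalErrors)\s*$", re.M)
# The path sits between "files:" and the ": Failed" that starts the explanation;
# the lazy match keeps the drive-letter colon inside the path.
FAILED_COPY_RE = re.compile(r"^Failed to copy hotfix files:(?P<path>.+?): Failed", re.M)


def summarize_install_log(log_text: str) -> Dict[str, object]:
    """Reduce an installer log to its status, summary counts and failed copy targets."""
    status_match = STATUS_RE.search(log_text)
    status: Optional[str] = status_match.group(1) if status_match else None
    counts = {name: int(num) for num, name in COUNT_RE.findall(log_text)}
    failed_paths: List[str] = FAILED_COPY_RE.findall(log_text)
    return {
        "status": status,
        "counts": counts,
        "failed_copy_paths": failed_paths,
        # Any failed copy is the installer's own hint that CF was running or had files locked.
        "locked_files_suspected": bool(failed_paths),
    }


if __name__ == "__main__":
    summary = summarize_install_log(SAMPLE_LOG)
    print(summary["status"], summary["counts"])
    for path in summary["failed_copy_paths"]:
        print("failed to copy:", path)
```

Run it against the log the installer writes (or the text pasted from the Admin's update page) before retrying; if `locked_files_suspected` is set, confirm every CF service and any attached process is stopped before the next attempt rather than reinstalling blind.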

You don't say whether you saw and heeded what I reported in the section, "What about the problem if you'd updated CF to use a Java version released since July?"

Perhaps you presumed it does not apply to you, but it sounds like it may (and I may rename that section to stand out better to folks who may misconstrue its importance).

Thanks for your reply Charlie. I did read your article but as I'm on the version of Java that I believed wasn't affected by it and it was supposed to be fixed for Update 6, I ignored it - my mistake.

I have now managed to install update 5 with the extra argument and it went through ok. However, I now have a new problem that I can see in FusionReactor which is that it says 'java.lang.NoSuchFieldError: preserveCase'.

I can open the Administrator but ColdFusion is failing to process any application.cfc on my server because of it but I don't have any code that references preserveCase. I don't know if that's a Java problem or a corrupted ColdFusion file problem.

That's not an error I've heard of, no.

I'd start with clearing the cfclasses folder, if you know what that means. And I'd recommend you stop CF, rename that folder, then start CF. Not only will it create the new cfclasses folder for you, but you'll have the old one for possible postmortem assessment--whether of this or other issues.

Thank you - you are a lifesaver. I did as you suggested and it has resolved the issue.

I wish Adobe support was as reactive and helpful.

Thanks again.

Great to hear, and really glad to have helped.

And you can help others here (since that seems a new problem): what cf update had you been on before update 6?

I was on Update 3. I hope it helps others too. Your other posts have certainly helped me many times previously over the years.
# Posted By Jon Nicholson | 11/14/23 3:33 PM

Thanks. I'll note that update 5 had done more than security fixes (unlike the four previous and this latest). I'm inclined to think that's where the problem was introduced, but again I'd not yet heard of it. Just offering this to others who may find and/or report the problem--or who may care to investigate things further.

I just want to second the statement that you are a lifesaver. I've gotten so much help from your blog regarding the security updates.
# Posted By S Daugherty | 11/15/23 9:42 AM
Copyright ©2023 Charlie Arehart