[Looking for Charlie's main web site?]

Security updates released for ColdFusion 2021 and 2023, Nov 14 2023

Just a heads-up for my readers that there was an important security update released today by Adobe for ColdFusion 2023 (update 6) and 2021 (update 12). (Users of previous versions should note that those are no longer updated, not even for security fixes).

If you apply the update using the CF Admin and then find that CF starts but the Admin and your code fail, I cover that also, in the second section below.

For more, read on.

While you should see the update appear in your CF Admin when you login (and if you don't, give it time as there may be a caching issue), Adobe has announced it via their CF Community Forums:

NOW LIVE! Adobe ColdFusion 2023 and 2021 November security updates

And that points the technote for each version's update as well to the Adobe Product Security Bulletin (APSB) related to it, with a little more about the issues identified and addressed:

Security updates available for Adobe ColdFusion | APSB23-52

Given that these are indeed security fixes, it would seem in your interest to get them applied ASAP. (I have no further info about the vulns to share than what is in these two pages, and since they were just posted I don't have news yet of any challenges anyone may have had. I can report I installed both updates without incident--though with a caveat below.)

Update: Since posting this, I have learned of some online resources discussing the vulnerabilities in more detail (and repeating the importance of applying this update and keeping CF updated). One is from socradar.io report on "CISA Alert: Serious Vulnerabilities in Adobe ColdFusion (CVE-2023-44350, CVE-2023-44351, CVE-2023-44353 and More". Thanks to the ModernizeOrDie podcast for sharing news of that on the Dec 5 episode.

On possible need to upgrade web server connector

Don't miss also that if you're skipping to this update without updating the previous one from October, there was an indication in that update's technote of our needing to upgrade the web server connector for CF (if you use CF with IIS or Apache).

While the technote offers a table at the bottom reporting which updates did require such connector updating, not it refers to "recreating" the connector (which implies removing and re-adding it). But since cf2016 we've been able to "upgrade" the connector using the wsconfig UI (or command line). I have a blog post with more on that here.

What about the problem if you'd updated CF to use a Java version released since July?

(If you apply the update in the CF Admin and find that CF starts but the admin and your code fail (such as with a 500 error, or perhaps in more detail starting with "java.lang.NullPointerException" or other errant behaviors), this may be due to a problem that can be solved. Read on.)

I had written back in October about a problem folks could hit (which I first found in July) when applying CF updates via the CF Admin. The issue happened if you had updated the java underlying CF to a version released in July 2023 or later (that's update 11.0.20 or later for CF2021, or 17.0.8 or later for CF2023). I explained in that Oct post how you would need to run the CF update from the command line, adding a needed new JVM argument (offered by Oracle).

I shared then also how Adobe planned to resolve the problem for us, with the "next update"--and that would be this update.

I can report that it seems that problem is solved--at least if you are on the most recent CF updates (CF2021 u11 and CF2023 u5) before applying THIS update. The update will work fine from within the CF Admin.

If you are still on update CF2021 update 10 or earlier (not 11) or CF2023 update 4 or earlier (not 5), then you may still got the failure (where CF started but the admin would not load and requests failed, as discussed more in that Oct post).

It seems that (even though the CF updates are cumulative), there's something about skipping the last update that seems to still allow the problem to happen. I've not seen any clarification from Adobe.

Again, if this hits you, the simple solution is to just run the CF update from the command line, with a special JVM arg (no need to "uninstall" the current update, as it failed). See the post from October for details.

On keeping you updated on such news

BTW, I failed to share news of the previous updates last month: to CF (2023 update 5 and 2021 11), as well as to the JVM (11.0.21 for use with CF2021 and 17.0.9 for use with CF2023), and to FusionReactor (11 and 11.0.1). Lots of 11's there! In each case I had wanted to share "more" about the release than just the news. Then time got away from me. And some people lamented that they look to my posts as a heads-up on things. (There are other ways to get notified, and I need do a post on those.)

From now on, I will endeavor to get a post out the day the releases comes out, and save any following "news" about the release (even if learned that day) for a follow-on post, so that this delay/missed announcement doesn't happen again. And if you want to get notified when I offer posts, note the available subscribe form offered here (on the right on desktops, at the bottom on mobile).

Finally, if you may want help with considering, installing, or troubleshooting anything related to these updates (or indeed anything related to CF), I'm available for online remote consulting. More at carehart.org/consulting.

For more content like this from Charlie Arehart: Need more help with problems?
  • If you may prefer direct help, rather than digging around here/elsewhere or via comments, he can help via his online consulting services
  • See that page for more on how he can help a) over the web, safely and securely, b) usually very quickly, c) teaching you along the way, and d) with satisfaction guaranteed
Hi Charlie, I just read your email about this and decided to update CF2023 to Update 6 and now I have a server-wide 500 Internal Server Error that I can't resolve.

The log says:

Installation: Unsuccessful.

145 Successes
2 Warnings
2 NonFatalErrors
2 FatalErrors

Action Notes:

Failed to copy hotfix files:C:\Users\Administrator\250372.tmp\dist\updates: Failed to copy the hotfix files to the target location. Retry installation after ensuring that the server is not running or files are not locked by the server.

Failed to copy hotfix files:C:\Users\Administrator\250372.tmp\dist\wwwroot: Failed to copy the hotfix files to the target location. Retry installation after ensuring that the server is not running or files are not locked by the server.

I have tried to uninstall using CMD and it says invalid or corrupt JAR file for the uninstaller.jar

I have reinstalled the update, several times, manually stopped all Coldfusion services before doing it and it's still stuck in this state.

I'm out of ideas of where to go from here - any help would be much appreciated.
You don't say whether you saw and heeded what I reported in the section, "What about the problem if you'd updated CF to use a Java version released since July?"

Perhaps you presumed it does not apply to you, but it sounds like it may (and I may rename that section to stand out better to folks who may misconstrue its importance).
Thanks for your reply Charlie. I did read your article but as I'm on the version of Java that I believed wasn't affected by it and it was supposed to be fixed for Update 6, I ignored it - my mistake.

I have now managed to install updated 5 with the extra argument and it went through ok. However, I now have a new problem that I can see in FusionReactor which is that it says 'java.lang.NoSuchFieldError: preserveCase'.

I can open the Administrator but Coldfusion is failing to process any application.cfc on my server because of it but I don't have any code that references preserveCase. I don't know if that's a Java problem or a corrupted Coldfusion file problem.
That's not an error I've heard of, no.

I'd start with clearing the cfclasses folder, if you know what that means. And I'd recommend you stop cf, rename that folder, then start cf. Not only will create the new cfclasses folder for you, but you'll have it for possible postmortem assessment--whether of this or other issues.
Thank you - you are a lifesaver. I did as you suggested and it has resolved the issue.

I wish Adobe support was as reactive and helpful.

Thanks again.
Great to hear, and really glad to have helped.

And you can help others here (since that seems a new problem): what cf update had you been on before update 6?
I was on Update 3. I hope it helps others too. Your other posts have certainly helped me many times previously over the years.
# Posted By Jon Nicholson | 11/14/23 3:33 PM
Thanks. I'll note that update 5 had done more than security fixes (unlike the four previous and this latest). I'm inclined to think that's where the problem was introduced, but again I'd not yet heard of it. Just offering this to others who may find and/or report the problem--or who may care to investigate things further.
I just want to second the statement that you are a lifesaver. I've gotten so much help from your blog regarding the security updates.
# Posted By S Daugherty | 11/15/23 9:42 AM
Just to inform you that I had the same "could not access a java object field called preserveCase" issue in CF2023, Update 5. The problem presented after we installed the "report" package from CF admin portal. We recreated the cfclasses folder and it worked again.
# Posted By Phil Alvrez | 1/17/24 9:43 AM
@Phil, thanks for the clarification that it seems related to the Report package/module . (FWIW, I had in fact proposed (in comment here on 11/14) that doing so was the seeming solution, and that it seemed to be an issue as of update 5.) Also, I have tweaked your comment. I'm pretty sure you meant to say cfclasses rather than class (a very important distinction).

@S Daugherty, thanks for your kind regards here. Sorry I missed that back in November.
Copyright ©2024 Charlie Arehart
Carehart Logo
BlogCFC was created by Raymond Camden. This blog is running version 5.005.
(Want to validate the html in this page?)

Managed Hosting Services provided by
Managed Dedicated Hosting