Security updates released for ColdFusion 2021 and 2023, Nov 14 2023
If you apply the update using the CF Admin and then find that CF starts but the Admin and your code fail, I cover that also, in the second section below.
For more, read on.
While you should see the update appear in your CF Admin when you login (and if you don't, give it time as there may be a caching issue), Adobe has announced it via their CF Community Forums:
NOW LIVE! Adobe ColdFusion 2023 and 2021 November security updates
And that points the technote for each version's update as well to the Adobe Product Security Bulletin (APSB) related to it, with a little more about the issues identified and addressed:
Security updates available for Adobe ColdFusion | APSB23-52
Given that these are indeed security fixes, it would seem in your interest to get them applied ASAP. (I have no further info about the vulns to share than what is in these two pages, and since they were just posted I don't have news yet of any challenges anyone may have had. I can report I installed both updates without incident--though with a caveat below.)
Update: Since posting this, I have learned of some online resources discussing the vulnerabilities in more detail (and repeating the importance of applying this update and keeping CF updated). One is from socradar.io report on "CISA Alert: Serious Vulnerabilities in Adobe ColdFusion (CVE-2023-44350, CVE-2023-44351, CVE-2023-44353 and More". Thanks to the ModernizeOrDie podcast for sharing news of that on the Dec 5 episode.
On possible need to upgrade web server connector
Don't miss also that if you're skipping to this update without updating the previous one from October, there was an indication in that update's technote of our needing to upgrade the web server connector for CF (if you use CF with IIS or Apache).While the technote offers a table at the bottom reporting which updates did require such connector updating, not it refers to "recreating" the connector (which implies removing and re-adding it). But since cf2016 we've been able to "upgrade" the connector using the wsconfig UI (or command line). I have a blog post with more on that here.
What about the problem if you'd updated CF to use a Java version released since July?
(If you apply the update in the CF Admin and find that CF starts but the admin and your code fail (such as with a 500 error, or perhaps in more detail starting with "java.lang.NullPointerException" or other errant behaviors), this may be due to a problem that can be solved. Read on.)
I had written back in October about a problem folks could hit (which I first found in July) when applying CF updates via the CF Admin. The issue happened if you had updated the java underlying CF to a version released in July 2023 or later (that's update 11.0.20 or later for CF2021, or 17.0.8 or later for CF2023). I explained in that Oct post how you would need to run the CF update from the command line, adding a needed new JVM argument (offered by Oracle).
I shared then also how Adobe planned to resolve the problem for us, with the "next update"--and that would be this update.
I can report that it seems that problem is solved--at least if you are on the most recent CF updates (CF2021 u11 and CF2023 u5) before applying THIS update. The update will work fine from within the CF Admin.
If you are still on update CF2021 update 10 or earlier (not 11) or CF2023 update 4 or earlier (not 5), then you may still got the failure (where CF started but the admin would not load and requests failed, as discussed more in that Oct post).
It seems that (even though the CF updates are cumulative), there's something about skipping the last update that seems to still allow the problem to happen. I've not seen any clarification from Adobe.
Again, if this hits you, the simple solution is to just run the CF update from the command line, with a special JVM arg (no need to "uninstall" the current update, as it failed). See the post from October for details.
On keeping you updated on such news
BTW, I failed to share news of the previous updates last month: to CF (2023 update 5 and 2021 11), as well as to the JVM (11.0.21 for use with CF2021 and 17.0.9 for use with CF2023), and to FusionReactor (11 and 11.0.1). Lots of 11's there! In each case I had wanted to share "more" about the release than just the news. Then time got away from me. And some people lamented that they look to my posts as a heads-up on things. (There are other ways to get notified, and I need do a post on those.)
From now on, I will endeavor to get a post out the day the releases comes out, and save any following "news" about the release (even if learned that day) for a follow-on post, so that this delay/missed announcement doesn't happen again. And if you want to get notified when I offer posts, note the available subscribe form offered here (on the right on desktops, at the bottom on mobile).
Finally, if you may want help with considering, installing, or troubleshooting anything related to these updates (or indeed anything related to CF), I'm available for online remote consulting. More at carehart.org/consulting.
For more content like this from Charlie Arehart:Need more help with problems?
- Signup to get his blog posts by email:
- Follow his blog RSS feed
- View the rest of his blog posts
- View his blog posts on the Adobe CF portal
- If you may prefer direct help, rather than digging around here/elsewhere or via comments, he can help via his online consulting services
- See that page for more on how he can help a) over the web, safely and securely, b) usually very quickly, c) teaching you along the way, and d) with satisfaction guaranteed
The log says:
Installation: Unsuccessful.
145 Successes
2 Warnings
2 NonFatalErrors
2 FatalErrors
Action Notes:
Failed to copy hotfix files:C:\Users\Administrator\250372.tmp\dist\updates: Failed to copy the hotfix files to the target location. Retry installation after ensuring that the server is not running or files are not locked by the server.
Failed to copy hotfix files:C:\Users\Administrator\250372.tmp\dist\wwwroot: Failed to copy the hotfix files to the target location. Retry installation after ensuring that the server is not running or files are not locked by the server.
I have tried to uninstall using CMD and it says invalid or corrupt JAR file for the uninstaller.jar
I have reinstalled the update, several times, manually stopped all Coldfusion services before doing it and it's still stuck in this state.
I'm out of ideas of where to go from here - any help would be much appreciated.
Perhaps you presumed it does not apply to you, but it sounds like it may (and I may rename that section to stand out better to folks who may misconstrue its importance).
I have now managed to install updated 5 with the extra argument and it went through ok. However, I now have a new problem that I can see in FusionReactor which is that it says 'java.lang.NoSuchFieldError: preserveCase'.
I can open the Administrator but Coldfusion is failing to process any application.cfc on my server because of it but I don't have any code that references preserveCase. I don't know if that's a Java problem or a corrupted Coldfusion file problem.
I'd start with clearing the cfclasses folder, if you know what that means. And I'd recommend you stop cf, rename that folder, then start cf. Not only will create the new cfclasses folder for you, but you'll have it for possible postmortem assessment--whether of this or other issues.
I wish Adobe support was as reactive and helpful.
Thanks again.
And you can help others here (since that seems a new problem): what cf update had you been on before update 6?
@S Daugherty, thanks for your kind regards here. Sorry I missed that back in November.