Update: 3 days after this update, Adobe released yet another, and then 4 days after that they released yet another, both P1 (priority 1) security updates. While I have posts on each of the two subsequent updates, the one on Jul 14 and then the one on Jul 19, the information below is still important and has details that I do not repeat in the later posts.
For more resources as well as some additional thoughts on the updates, read on.
Updates to the post since initial release:
- Jul 11: added the new last topic on Java 17 confusion
- Jul 12: added a new table of contents and next 2 intro paragraphs; broke the Java 17 point into its own section; pointed out that the Adobe container images for CF2023 were finally updated as well as the Ortus images and forgebox engines; added this "updates" list to allow folks to more clearly track such changes
- Jul 13: added discussion of new article detailing one of the key vulnerabilities; updated the "quirks" discussion to note two Adobe corrections to the CF2021 and 2023 update technotes; added a conclusion to the post
After I list some key points about the update itself, I then share thoughts on some rather confusing aspects of the technotes and security bulletin. (Indeed, in the hours and days after its release and this blog post, these topics did presage confusion reported by many in the community. I appreciate that many have found my post here helpful in bringing some clarity, and calls to action for Adobe.)
To be clear, it's not so much that anything's "wrong" with the update itself. It seems clear everyone should endeavor to get it applied. The sections to follow are:
- The key points some will want to know
- Resources for more on each update
- There was also an update to the AutoLockdown tool for each release
- Don't get confused about the mention of "ColdFusion JDK requirements" "For Application Servers"
- Quirks regarding offline manual update process
- No, you do NOT need to update to Java 17, on CF2018 or 2021--NOR SHOULD YOU EVEN TRY!
The key points some will want to know
So first are those key points, which may to some serve as a tl;dr about the update:
- Judging from the update technotes for each, the update addresses only the security-related matters indicated in them (no other changes or bug fixes). That said, if you have failed to apply any previous ones, applying this update will incorporate those, which MAY have other changes. It's imperative that you see the technotes for each update you're skipping. The update technote URLs always follow the same pattern, so just change the number to see the technote for an earlier update.
- Other than the always-terse verbiage in the security bulletin, it's unclear to me what these security issues were really about. But I see that Brian Reilly was one of the folks credited with reporting one or more of the vulns. Expect to see more on his blog, as he indicated in a tweet on the day of the update.
- Update: I learned today of a new blog post that details one of the key vulnerabilities fixed by this update. This may really interest some readers. More on this below.
- If you perform offline manual updates, see my discussion below about how at this writing the technotes offer only the jar not the zip (as was offered starting with CF2021 update 2)
- And NO, you do NOT need (or want) to use Java 17 to do the update (with CF2021 or 2018), despite what the security bulletin states, also discussed below
- Note as well that this is the last update for CF2018, as its end of life is in 2 days: Jul 13 2023, as I had blogged about before
- Conversely, for those who may like to say "I always wait for the first update of a new version before considering it", this is technically the first update for CF2023--though I'm not sure it should qualify as the kind of "first update" after a release that such folks are thinking of, which should include bug fixes or changes, rather than only security updates that apply to all 3 currently supported versions.
- For those using the Adobe container images, I can report (at this writing) that both the Dockerhub CF repo and the Amazon ECR CF repo have been updated for the CF2023, CF2021, and CF2018 images. The same is true also regarding the Ortus Commandbox CF container images, and the Commandbox CF engines
- And of course, if you may find you need help considering or performing the update, I am available to help via my short-term, remote consulting
But there are a few more points some readers may want to hear about. First up will be just some logistical matters, and then the points causing some confusion.
Resources for more on each update
Some of what I will say below relates to the technotes for the updates. Let me point out first, therefore, that the security bulletin above includes a link to each update's technote, as does a forum thread that Adobe posted today, and the Adobe blog post on it, so I won't repeat those individual technote links here.
You can also engage with Adobe in either place with questions or concerns. (I try to keep an eye on that and offer replies where I can, but feel free to direct any questions to me below.)
News from another source on a key vuln this update addresses
Update: As I noted above, there was news shared Jul 12 of a new blog post from the ProjectDiscovery security site detailing one of the key vulnerabilities, "Analysis CVE-2023-29300: Adobe ColdFusion Pre-Auth RCE". But within hours of it being posted, it was pulled down. Some are concluding that its details identified a vuln that was NOT yet fixed at that time (but may have been fixed by the update released on Jul 14).
Something I found very interesting in reviewing that article (while it existed) is that they showed the exploit to again involve the _cfclient querystring, which some will recognize as the root of the vuln fixed with the updates (for CF2021 and 2018) in March 2023.
And if you read my blog post from then, you'll see I'd shared a protection involving blocking requests that incorporate that _cfclient querystring. It seems (judging from the post above) that if you were to implement that protection, you could head off this sort of vuln, and any others that leverage that querystring. (Indeed, if you're on CF2016 or 11, which introduced that _cfclient querystring for use with the CF mobile feature, note that Adobe has no fix for you for this or the March vuln. But my March blog post proposes one for that, which again seems like it would help with this one.)
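As an added example (my own illustration here, not code from the March post or from Adobe), here is a small Python scanner that checks web access logs for requests whose query string carries a parameter named _cfclient, the same condition the blocking protection above keys on; the log lines are constructed, and matching the decoded parameter name case-insensitively is an assumption about how a conservative rule should behave.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jul/2023:10:00:01 +0000] "GET /index.cfm HTTP/1.1" 200 512
10.0.0.6 - - [11/Jul/2023:10:00:02 +0000] "GET /index.cfm?_cfclient=true HTTP/1.1" 200 128
10.0.0.7 - - [11/Jul/2023:10:00:03 +0000] "POST /api/app.cfm?x=1&_CFCLIENT=1 HTTP/1.1" 200 77
10.0.0.8 - - [11/Jul/2023:10:00:04 +0000] "GET /app.cfm?%5Fcfclient=true HTTP/1.1" 200 64
10.0.0.9 - - [11/Jul/2023:10:00:05 +0000] "GET /search.cfm?q=_cfclient HTTP/1.1" 200 900
"""

# client-ip ident user [timestamp] "METHOD URL PROTOCOL" ...
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')


def has_cfclient_param(url: str) -> bool:
    """True if the URL's query string carries a parameter *named* _cfclient.

    The check runs on the URL-decoded parameter name, case-insensitively,
    so '%5Fcfclient' and '_CFCLIENT' are caught, while a value that merely
    contains the text (q=_cfclient) is not. (Assumption: CF treats URL
    parameter names case-insensitively, so a block rule should as well.)
    """
    query = urlsplit(url).query
    for name, _value in parse_qsl(query, keep_blank_values=True):
        if name.lower() == "_cfclient":
            return True
    return False


def find_cfclient_requests(log_text: str) -> list:
    """Return (client_ip, method, url) for each logged request carrying _cfclient."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ip, method, url = m.groups()
        if has_cfclient_param(url):
            hits.append((ip, method, url))
    return hits


if __name__ == "__main__":
    for ip, method, url in find_cfclient_requests(SAMPLE_LOG):
        print(f"{ip} {method} {url}")
```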
There was also an update to the AutoLockdown tool for each release
Note that the update technotes for all 3 versions indicate that they needed to update the CF Lockdown tool, for those who may use that. As there is no update mechanism for that tool, the update technotes simply inform you to obtain a refreshed installer for that tool, which is available for each version from the CF downloads page.
It's unclear if this implies there is somehow a vulnerability IN the tool, or just in what the tool is protecting against. Certainly the hope is the latter. (Another question this raises is whether those who HAVE already run it should be expected to RERUN it. Adobe folks, can you please clarify?)
Don't get confused about the mention of "ColdFusion JDK requirements" "For Application Servers"
This next topic really deserves its own post, as it's not really specific to this update. I'll write it here for now, and split it into its own post (and remove this and link to that) when I may do that later.
While I'm discussing these updates, let me clarify that the bottom of both the security bulletin and the update technotes have a section called "ColdFusion JDK requirements" which goes on to indicate that it's "For Application Servers". I find many people get confused about this, as it goes on to suggest a need to edit the JVM args to add a -Djdk.serialFilter and some additional values.
Please (PLEASE) note that the first sentence says "On JEE installations...". And if you are patient enough to skip all the instructions and read the LAST sentence of the section, it says, "Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation." Bottom line: this section is NOT talking to you if you installed CF either with the full/GUI installer or the zip installer (new since CF2021). This discussion is ONLY for those who have deployed CF as a WAR or EAR on a JEE server, like Tomcat, WebLogic, or WildFly, as it goes on to mention. Sadly, some people who know that CF "has run on Tomcat since CF10" presume this refers to them. Again, if you are NOT deploying CF as an EAR or WAR then please do NOT implement these JVM args. I've often wondered what sort of weird crap and challenging "bugs" people hit might be caused by this simple mistake. And yes, I think Adobe could do better to clarify things in that section of the docs, and I've raised the concern in the past. It just never seems to rise to a level of concern/resolution.
Part of the problem is that only a minority of folks even READ the technotes, and then only some of those will make the mistake--and virtually none will recall doing it when filing bug reports, and I doubt Adobe folks tend to think to ask about it.
Mark Takata: might this topic interest you to tackle? :-) It just requires one new sentence: "This section does not apply to you, if you installed CF using the full/GUI or zip installer." And/or the sentence starting "On JEE installations..." could add "On JEE installations (when deploying CF as an EAR or WAR)...".
Moving on, if you only use the CF Admin to update CF, you can skip to the last section.
Quirks regarding offline manual update process
For those who may need to perform offline manual updating, this may interest you to notice.
1) The technote for CF2021 update 7 reverts to showing the download and use of a jar file for manually updating, rather than a zip file as was offered starting with the technotes in updates 2-6. It's unclear if this was intentional or a slip. And FWIW, the technote for CF2023 update 1 also refers to using the jar file approach. For many folks doing manual installs, either approach has worked. For others, the zip approach was necessary. (And for many, all that was just very confusing.)
Update: FWIW, I learned on Jul 13 that Adobe had at least added a clarification to the CF2021 update 7 technote, indicating now that "in this update, there are no updates to the packages". Technically the same thing SHOULD be said on the CF2023 update technote (but NOT to the CF2018 technote, since that version didn't have the notion of separate packages.)
I've long meant to do a post on the difference between the jar- and zip-based manual update process, as well as the new package mgt, but I never got to it. Again, for people who use the CF admin to update, or do manual updates while online (the majority of CF users, in my observation), this difference about using the jar or zip doesn't matter at all. If anything comes out of this change that's worth noting, I'll update this post or create a new one. For now, I just share the observation to help whoever it may.
2) Update: I can share that I learned today that Adobe removed the text in the technote that I discussed here:
Along the same lines, but even more confusing, is that the technote for CF2021 update 7 (like those for CF2021 updates 2-6) includes (before the post-install steps) a reference to a need to extract a zip into an ajax folder--a step which to me makes no sense. I don't mean only for the sake of that update 7 technote (where there is no zip offered at all), but it didn't make sense even in the technotes for updates 2-6, which DID have the zip.
I have raised both questions above to Adobe today, so if you may see some change in the text such that what I refer to here is gone/different, do let me know as I'd want to update this post.
No, you do NOT need to update to Java 17, on CF2018 or 2021--NOR SHOULD YOU EVEN TRY!
Finally (and this is an update since my original post, 2 hrs after writing it. Thanks to Steve C for the comment below): if you're running CF2021 or 2018, no, do NOT update to or use Java 17 to run the update process, despite what the Security Bulletin says: "Adobe recommends updating your ColdFusion JDK/JRE to the latest version of the LTS releases for JDK 17 where applicable".
That "where applicable" is key. To be clear, CF2021 and 2018 do NOT currently support Java 17, if indeed they ever will. You definitely do NOT want to change CF to USE Java 17 for those versions. And you don't NEED to (and I'd argue would not WANT to) use Java 17 to run the manual update process for them. Certainly the CF Admin update would NOT do that, as it would use the JVM that CF uses.
This technote should tell us to use a Java that corresponds to the CF version we are running, and only one that that version supports (but then they'd have to elaborate on what versions those are). They rarely document that. Instead, one has to infer it from what updates indicate. CF2021 has only EVER supported Java 11 to this point. CF2018 first came out on Java 10, then was updated to support Java 11 (and even 12 for a time, though it was one of the short-lived Java versions).
It's unfortunate that things can get as messy as reflected in this post (and this update). Again, for now there's nothing about the update itself to suggest you "not do it" (other than that some trying it offline are having struggles due to the lack of the zip).
Again, if you need help considering or performing the update, I am available to help via my short-term, remote consulting. But I offer these posts to give info to people who want/need to try to go it alone, as well as to serve as a heads up to folks who follow my blog or to help folks find explanations when they go searching for info. And in this case, I'm also pleading with Adobe to please consider cleaning this sort of stuff up. For some reason, this update more than others has gotten a lot of attention regarding these matters of confusion (though some points are really not "new").
For more content like this from Charlie Arehart: