[Looking for Charlie's main web site?]

Announcing CF update released Jul 14 2023 - a second priority 1 security update in one week

Posted At : July 14, 2023 11:12 PM | Posted By : Charlie Arehart
Related Categories: updates, cf2021, admin, cf2023, cf2018
Comments: (2)

Just days after a P1 security update released on Jul 11, Adobe has released yet another on Jul 14 (CF2023 update 2, CF2021 update 8, and CF2018 update 18). (I don't recall such a short gap between updates before, so yes: it's unusual.)

For more on the update, and some additional thoughts, read on.

[....Continue Reading....]

Comments (2)

Comments

[Add Comment]

Rapid7 indicates that the recent CF updates were for a zero day. Their site also includes information about how the issues was exploited which will be useful when you review your logs to see if you were successfully attacked. Here is a link to their blog post https://www.rapid7.c...

# Posted By Vincent Krist | 7/18/23 11:08 AM

Vincent, yep, I was aware of that article (learned of it earlier today). Thanks for sharing the link for folks.

I will note that while that post indicates that "There is currently no mitigation", that may not be the final/complete answer. Note how it refers to the _cfclient querystring, and notice that in my first post last week (on the Jul 11 CF update), I did point out how my March blog post on the previous CF update discussed ways to BLOCK ALL REQUESTS using that _cfclient querystring. I also elaborate there on what it's about, how one can determine if they may have any legit use of it (most do not), and much more. See https://www.carehart...

As I've said elsewhere, it's just not clear how many of the recently closed vulns DO work based on the _cfclient querystring. That post is about all we have to go on, as I've not seen any others. While those on cf2018 and above can apply these fixes to address what Adobe has found, it's just not clear (for now) what those on cf2016 can or should do, other than block requests with that querystring.

# Posted By charlie arehart | 7/18/23 9:33 PM

[Add Comment]

Home

Search

Subscribe

Enter your email address to subscribe to this blog.

Recent Entries

Announcing updates of Apr 21, 2026 for Java 26, 25, 21, 17, 11, and 8 - thoughts and resources

Announcing ColdFusion updates released Apr 14 2026 - p1 security update - thoughts and resources

Announcing Java updates of Jan 20, 2026 for 8, 11, 17, 21, and 25 - thoughts and resources

Announcing ColdFusion updates released Jan 13 2026 - p1 security update - thoughts and resources

One explanation and solution for when applying CF updates uninstalls new packages unexpectedly

Recent Comments

Announcing updates of Apr 21, 2026 for Java 26, 25, 21, 17, 11, and 8 - thoughts and resources
Charlie Arehart said: Thanks for the kind regards. As for your issue, it's helpful that you've confirmed the pro ... [more]

Announcing updates of Apr 21, 2026 for Java 26, 25, 21, 17, 11, and 8 - thoughts and resources
Himanshu Shekhar said: Thank you kindly for writing back. Your help to the community is very much appreciated as always.&#x ... [more]

Announcing updates of Apr 21, 2026 for Java 26, 25, 21, 17, 11, and 8 - thoughts and resources
Charlie Arehart said: Himanshu, I will say first that no, this doesn't seem the right place--since you say that the i ... [more]

Announcing updates of Apr 21, 2026 for Java 26, 25, 21, 17, 11, and 8 - thoughts and resources
Himanshu Shekhar said: This might be a bit unrelated blog article to post my comment under - so please forgive me in advanc ... [more]

Four free tools I (nearly) always install on a new machine and use everyday
Charlie Arehart said: Thanks for the agreement and the kind regards.

Calendar

Entries by year

2026 (4)
2025 (19)
2024 (28)

2023

December (2)
November (1)
October (2)
August (1)
July (11)
May (3)
April (4)
March (1)
February (3)
January (5)

2022 (20)
2021 (18)
2020 (17)
2019 (23)
2018 (15)
2017 (14)
2016 (17)
2015 (10)
2014 (19)
2013 (18)
2012 (32)
2011 (21)
2010 (30)
2009 (52)
2008 (95)
2007 (94)
2006 (94)

RSS

Contact

About

charlie portrait

A veteran server troubleshooter who's worked in enterprise IT for more than three decades, Charlie Arehart (@carehart) is a longtime contributor to the community who as an independent consultant provides remote, short-term, and even on-demand troubleshooting/tuning assistance for organizations of all sizes and experience levels (carehart.org/consulting).

You can reach Charlie by email at charlie (at) carehart.org, or you can follow him on twitter/X, @carehart. This blog is one resource among several within https://www.carehart.org/, where you can also find out more about him.

In fact, if you'd like his help, he's available for consulting for as little as 15 minutes.

Appreciate any of the resources I've offered?

Archives By Subject

admin (109) [RSS]
apache (11) [RSS]
API Manager (4) [RSS]
basics (8) [RSS]
blogging (14) [RSS]
boxlang (1) [RSS]
bug reports (1) [RSS]
business (2) [RSS]
carehart classics (26) [RSS]
CF Server Monitor (26) [RSS]
cf10 (60) [RSS]
cf11 (46) [RSS]
cf2016 (61) [RSS]
CF2016 Intro Series (9) [RSS]
cf2018 (60) [RSS]
cf2021 (68) [RSS]
cf2023 (49) [RSS]
cf2025 (14) [RSS]
cf411 series (10) [RSS]
cf8 (52) [RSS]
cf9 (34) [RSS]
cf911 (54) [RSS]
CFBuilder (20) [RSS]
CFFundamentals (6) [RSS]
cfml (35) [RSS]
cfmx (8) [RSS]
cfmythbusters (7) [RSS]
commandbox (4) [RSS]
community (30) [RSS]
connector (8) [RSS]
contributions (13) [RSS]
debugging (14) [RSS]
derby (5) [RSS]
docker (8) [RSS]
editors (10) [RSS]
evangelism (5) [RSS]
fusionreactor (63) [RSS]
general (59) [RSS]
hidden gems (12) [RSS]
homesite+ (3) [RSS]
hotfix (21) [RSS]
IIS (13) [RSS]
installation (9) [RSS]
introduction (2) [RSS]
java (51) [RSS]
javascript (2) [RSS]
jdbc (10) [RSS]
keyboard shortcuts (5) [RSS]
licensing (8) [RSS]
logs (8) [RSS]
lucee (21) [RSS]
migrating (2) [RSS]
monitoring (42) [RSS]
news (22) [RSS]
orm (2) [RSS]
performance (15) [RSS]
personal (3) [RSS]
PMT (6) [RSS]
podcasts (5) [RSS]
presentations (34) [RSS]
railo (10) [RSS]
redis (2) [RSS]
resource lists (26) [RSS]
security (36) [RSS]
seefusion (11) [RSS]
sql server (14) [RSS]
tips (22) [RSS]
tomcat (9) [RSS]
tools (44) [RSS]
training (8) [RSS]
troubleshooting (76) [RSS]
tuning (14) [RSS]
ugtv (11) [RSS]
updates (76) [RSS]
web services (8) [RSS]
webserver (5) [RSS]
writing (20) [RSS]
zeus (3) [RSS]

Upcoming/Recent Conference Appearances

Adobe CF Summit
Jun 2026

Into The Box
May 2026

CFCamp
May 2025

Adobe CF Summit East
Mar 2025

Copyright ©2026 Charlie Arehart

BlogCFC was created by Raymond Camden. This blog is running version 5.005.
(Want to validate the HTML in this page?)

Managed Hosting Services provided by