
Announcing ColdFusion updates released Dec 23 2024: p1 security update

An update for ColdFusion has been released today for both cf2023 (update 12) and cf2021 (update 18). In brief, it addresses a P1 (Priority 1, "Critical") security vulnerability, as indicated in the associated ASPB (security bulletin) for the update (CVSS Base Score of 7.4 out of 10).

In this post, I share the details about the update (from Adobe and from others, including pointing to some discussions I've already started online about the update). Note also that while you may read that the update is related to the CF PMT feature, beware presuming it therefore "doesn't apply to you" because you "don't use it". See the next section for more.

Of course, this is terrible timing for an update, but it is what it is. I can report I have installed both updates on multiple machines and operating systems without incident. And I may do a follow-up post on the update as I/we all learn more.

For more details, read on.

Following are the topics discussed in this post:

A key point about this security update: its relation to the PMT--and why it may affect you unexpectedly

Note that if you read the update technotes (linked to below), you will see that this update centers on matters related to the Adobe PMT (Performance Monitoring Toolset). Don't let that diminish your attention: even if you "don't USE the PMT", you may still be vulnerable and should apply the update.

What matters instead is whether you have the pmtagent package/module installed within your CF instance. You can determine that by viewing the CF Admin "Package Manager" page, or using the "cfpm list" command (for those familiar with the cfpm tool, added in CF2021, found in the cfusion/bin folder or [instance]/bin). To be clear, if you have it installed, then even if you "haven't installed the PMT" or "don't have the PMT service running on this or any machine", or "don't have the PMT monitoring this CF instance", you are still impacted and therefore should install the update ASAP.

Of course, another option would be to uninstall the pmtagent module--if you know you don't use it. (Just beware that someone could add it back.) You can remove it from the CF Admin "package manager" page, or via the "cfpm uninstall pmtagent" command.

BTW, note that like with the removal of many CF packages/modules, removing this pmtagent does NOT require a restart of CF. So for those who are stressed about not wanting to apply the update mid-day or mid-week (as that WILL require a CF restart), at least you can know that you can mitigate this issue ASAP by removing the pmtagent package--again assuming you don't use the PMT/your CF instance is not being monitored by a PMT. (And if it IS, and you remove this, it just means that the monitoring of the instance by the PMT would stop. There should be no negative consequence to your CF instance itself, if you remove the pmtagent while it IS being monitored by a running PMT service.)

And if you may think "I never installed it", just note that various things presume to "install all packages", from the full/gui CF installer, to the CF Admin Package Manager "install all" button, and the available "cfpm install all" command (which some folks suggest without blinking in trying to solve other problems). Even one who installs CF using its available zip install approach (new in CF2021) would then run its related cfinstall script and could tell that to install "all" modules. So you may "have the pmtagent installed" and not even realize it.

Finally, those who don't have the pmtagent module should still apply the update at some point. It's not entirely clear if this is the ONLY aspect of this CF update; and of course, this update would also be incorporated into any future CF updates that are released, so it's not like you can "skip it" somehow because you "don't use the PMT". Just get the update implemented, like any other.

Finding (and finding more about) the update

While you should have seen the update appear in your CF Admin when you login (and if you don't, give it time as there may be a caching issue), as always Adobe has announced the update via their CF Community Forums, specifically: NOW LIVE! Adobe ColdFusion 2023 and 2021 December 2024 security updates.

And that points to the (very important) technote for each version's update:

You should definitely read those to learn more, as they discuss more about the relationship to the PMT, including several questions they anticipate, with their answers. (Indeed, it's unfortunate that the announcement on the forum still does NOT mention how this "critical vulnerability" could happen only "if the pmtagent package is installed on your ColdFusion server." For more, see my comment about this from this morning on that forum thread.)

Finally note also that Adobe has posted a blog entry in the CF portal about the update (with essentially the same info): RELEASED- ColdFusion 2023 and 2021 December 23rd, 2024 Security Updates. (There tends to be more discussion in the forum announcement than the blog post, though not always.)

Some other resources to consider, discussing this update

Because this is a security update, it's already generated considerable discussion today. I want to point you to a few resources for your consideration, especially from Brian Reilly and Pete Freitag, who are stalwart security mavens in the CF Community:

A few topics related to CF updates that you may want to consider

Separate from the details, there are a few other matters that may interest you, which I have covered in my previous blog posts on the updates. What I said in them applies to this one as well, so I'd just point you to these last few topics in my post about the previous update in October:

  • What to consider, with regard to the 4 previous CF updates (possible breaking changes)
  • As with all CF updates, possible need to upgrade web server connector
  • Something to consider, if you're coming from CF2021 update 10 or CF2023 update 4, or earlier
  • You can probably ignore the discussion of the -Djdk.serialFilter "ColdFusion JDK Flag"

My discussion of those points starts at this point in that post from Oct.

I may soon break these points out into their own post (so that I can more easily point out the issues in my posts about other CF updates just before and just after this one). If I do, I will update this section to point to that.

Finally, if you are not using CF2018, you can skip the next section, proceeding to the last one, "On getting help with the update(s)".

What about those on CF2018? No update, but consider removing pmt support

[Updated Jan 11, 2025]

Before wrapping up, I want to put out for consideration something that I expect eventually will be asked: "what about those on CF2018? Since the PMT was introduced with CF2018, might they be vulnerable as well?" The answer is "yes".

1) That's not discussed in the technotes or forum thread...because Adobe support for CF2018 ended in July 2023. As such, they don't offer even security updates for that and any earlier releases they no longer support. They also don't tend to acknowledge such earlier releases at all, especially in such security updates as this, which leaves one wondering whether those on CF2018 ARE impacted by this issue.

I don't know if we'll ever be told that by them for certain (or whether someone will determine it). But given that this version DOES support the PMT, it should be--and like I've said above, it doesn't really matter whether you are USING the PMT, only whether it supports being monitored by it (and all CF versions since CF2018 do).

2) More specifically, it's about the fact that the instance supports calls into a url starting with "/pms". (The fact that this vuln leverages that URL is discussed some in Brian Reilly's post linked to above.) And to be clear, support of that URL is enabled by default in CF2018 and above, by way of a "servlet-mapping". More on disabling that in a moment.

Given the severity of this vuln, we can conclude that if you are still using CF2018 (though you really shouldn't be!), you should remove support for calls into CF from that /pms url.

[When I first wrote this post on the day of the update, 12/23/24, I mistakenly suggested that CF2018 users should "just remove the pmtagent package", since Adobe would not be updating CF2018. But of course CF2018 has no "package" mgt feature like CF2021 added, and therefore there is no "agent" to remove so easily. I've corrected this section to better clarify things, especially below. Thanks to commenter "Bill" for pointing this out to me in a comment yesterday.]

3) So how WOULD one running CF2018 disable their instance's support of that /pms servlet-mapping? The solution is to comment out the /pms servlet-mapping XML element in the web.xml file, which is found in the cfusion/wwwroot/WEB-INF folder (and in any instance folder that's a sibling to cfusion, for those running multiple instances).

(FWIW, the steps are documented a bit in the CF 2018 Lockdown Guide, still available online here: https://www.adobe.com/content/dam/cc/us/en/products/coldfusion/pdfs/cf-starter-kits/coldfusion-2018-lockdown-guide.pdf, in the section, "4.11 Disable Unused Servlet Mappings"--which is about considering what servlet mappings you MIGHT not use, which can be commented out to prevent them remaining unexpectedly accessible.)

And the specific lines in the file that are to be commented out (if not already) are these. Note I am showing them commented out here, and note you must use html/xml comments (using 2 dashes) and NOT CFML comments (3 dashes, which would keep CF from starting!):

<!--
<servlet-mapping id="coldfusion_mapping_pms">
   <servlet-name>PMSGenericServlet</servlet-name>
   <url-pattern>/pms</url-pattern>
</servlet-mapping>
-->

Of course, save a copy of the file before making any modifications. Then restart CF. If it doesn't start, or the admin doesn't work, revert your changes.

But I've confirmed that commenting out those lines allows CF to run as normal but just no longer respond to /pms calls (like http://luther:8500/pms, assuming your CF2018 is listening on port 8500). Such /pms requests now get a 404 error. Previously, that would have been a 403 (for not passing in the correct arguments and request method it expected).
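As an added example (not from the original post, and not Adobe tooling), here is a small Python script that inspects a web.xml for the /pms servlet-mapping described above, reports whether that mapping is active, already commented out, or absent, flags the three-dash CFML-comment mistake that would keep CF from starting, and can wrap the mapping in a two-dash XML comment after saving a backup copy. The embedded web.xml fragment is constructed for illustration (a real CF web.xml has many more servlets), and the function names are my own.

```python
"""Check, and optionally disable, the /pms servlet-mapping in a ColdFusion web.xml.

Added example: function names and the sample web.xml fragment are constructed
for illustration; they are not Adobe's tooling.
"""
import re
import shutil
from pathlib import Path

# Constructed sample: a trimmed web.xml with the /pms mapping still active.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0">
  <servlet-mapping id="sample_mapping_cfm">
    <servlet-name>CfmServlet</servlet-name>
    <url-pattern>*.cfm</url-pattern>
  </servlet-mapping>
  <servlet-mapping id="coldfusion_mapping_pms">
    <servlet-name>PMSGenericServlet</servlet-name>
    <url-pattern>/pms</url-pattern>
  </servlet-mapping>
</web-app>
"""

# The element the lockdown guide says to comment out (servlet-name, then url-pattern).
PMS_MAPPING_RE = re.compile(
    r"<servlet-mapping\b[^>]*>\s*"
    r"<servlet-name>\s*PMSGenericServlet\s*</servlet-name>\s*"
    r"<url-pattern>\s*/pms\s*</url-pattern>\s*"
    r"</servlet-mapping>"
)
XML_COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)


def _comment_spans(text):
    """Character ranges occupied by XML comments."""
    return [m.span() for m in XML_COMMENT_RE.finditer(text)]


def _inside(pos, spans):
    return any(start <= pos < end for start, end in spans)


def pms_mapping_status(text):
    """Return 'malformed', 'active', 'commented' or 'absent' for the /pms mapping."""
    if "<!---" in text:
        # A CFML-style comment (three dashes) is not well-formed XML; CF will not start.
        return "malformed"
    spans = _comment_spans(text)
    matches = list(PMS_MAPPING_RE.finditer(text))
    if any(not _inside(m.start(), spans) for m in matches):
        return "active"
    if matches:
        return "commented"
    return "absent"


def disable_pms_mapping(text):
    """Wrap every active /pms mapping in a two-dash XML comment; leave other text verbatim."""
    if pms_mapping_status(text) != "active":
        return text
    spans = _comment_spans(text)
    # Edit from the end of the file so earlier offsets stay valid.
    for m in reversed(list(PMS_MAPPING_RE.finditer(text))):
        if _inside(m.start(), spans):
            continue
        text = text[: m.start()] + "<!--\n" + m.group(0) + "\n-->" + text[m.end():]
    return text


def disable_pms_mapping_in_file(path):
    """Back up web.xml, then comment out the /pms mapping if it is active. Returns prior status."""
    path = Path(path)
    text = path.read_text(encoding="utf-8")
    status = pms_mapping_status(text)
    if status == "active":
        shutil.copy2(path, path.with_name(path.name + ".bak"))  # keep a copy before editing
        path.write_text(disable_pms_mapping(text), encoding="utf-8")
    return status


if __name__ == "__main__":
    print("before:", pms_mapping_status(SAMPLE_WEB_XML))
    hardened = disable_pms_mapping(SAMPLE_WEB_XML)
    print("after: ", pms_mapping_status(hardened))
    print(hardened)
```

Point disable_pms_mapping_in_file at cfusion/wwwroot/WEB-INF/web.xml (and at each sibling instance's copy), restart CF, then confirm that a request to /pms returns the 404 described above. The script edits the raw text rather than re-serializing the XML, so the rest of the file, including its existing comments and layout, is left untouched.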

4) Of course, if you may still be using CF2018 and DO have the CF2018 PMT service running somewhere and monitoring your CF2018 instance, then disabling this will stop that monitoring. This is where you have to choose between the potential security risk and having the PMT running. Again, Adobe will NOT be updating the PMT support within CF the way they did in this update by their update of the PMTAgent for CF2021 and above.

(As for those folks in the shocking situation of still running on CF2016--well, you can ignore this whole matter, as it did not support the PMT at all. But there are far more significant vulnerabilities that have been addressed in the several CF security updates released since CF2016 stopped getting support in 2021--nearly 5 years ago.)

5) I may break this section out into its own post. It's gotten as long as the rest of this one, but I wanted to get this info out ASAP once I confirmed things.

On getting help with the update(s)

Finally, if you may want help with considering, installing, or troubleshooting anything related to these updates (or indeed anything related to CF), I'm available for online remote consulting. I can often help solve such update problems VERY quickly, getting you back on your feet. More at carehart.org/consulting.

Or you can certainly reach out to the CF community, starting first perhaps with the Adobe forum thread announcing the update, which I pointed to above. Then I list several of the online CF communities here.

Comments
Thanks for the heads up Charlie! Better today than tomorrow. I can also confirm that I have updated on more than 1 server and smooth so far.
Thx, Roberto.
What is the process to check for and remove the pmtagent in CF2018 since the cfpm tool is not available in this version?
# Posted By Bill | 1/10/25 3:27 PM
Agh, you're right, Bill. My bad. There is no package manager in cf2018 or earlier, so "removal" of the pmt capability within a cf instance that way is not an option. (It was late the night I was writing that post, after dealing with the update and its ramifications during that day it was released.)

Sadly, since cf2018 is no longer supported, Adobe has not documented how to deal with this issue for that version. I have an idea, though.

There should be a "servlet mapping" for a "/pms" url, and I bet if we just commented that out it should be an effective mitigation. It seems it's the calls made by bad guys to that url which allows them to leverage a vuln.

The file is web.xml, in the cfusion/wwwroot/WEB-INF folder (and in any instance folder that's a sibling to cfusion, for those running multiple instances). Save a copy before editing the file, and be careful to use html/xml comments (two dashes) rather than cfml comments (three dashes), to surround the lines related to that pms servlet mapping.

I'm writing from a phone. I hope to have time this weekend to dig in, but in the meantime (or if I lose track) I wanted to get this out there.

I would want to update the post to remove my mistaken suggestion, and then I'd replace it with these steps in some more detail.

Let me know if that works for you, if you confirm before info.
I can confirm now I had it right (in my last comment): the solution is to comment out the /pms servlet-mapping XML element in the web.xml file I proposed. I have updated the blog post above, in the section on CF2018, with more detail. (I may eventually move it out to a new post.)

Thanks, again, Bill.
Copyright ©2025 Charlie Arehart