[Looking for Charlie's main web site?]

Announcing ColdFusion updates released Sep 10 2024: P3 security update

Though the news is a couple of days old, I want to share with my readers that an update for ColdFusion has been released Tuesday, Sep 10, for both cf2023 (update 10) and and cf2021 (update 16). In brief, the "only" change is to address a security vulnerability, which is listed in the associated ASPB (security bulletin) for the update as a "critical" severity (CVSS Base Score of 9.8 out of 10)...though curiously that also lists it as being merely a "moderate" priority (3 out of 3).

Also, if you may be skipping to this update from prior to CF2023 update 7 or earlier, or CF2021 update 13 or earlier, please don't apply the update before reading below my discussion about possible breaking changes in those updates from March and June of this year.

And there's still more to consider. Note that if somehow "it's all too much" for you, I can help directly and likely VERY quickly. See my discussion at the bottom here. Otherwise, for the details, read on.

First, apologies to my readers who might rely on my posting an entry announcing each update. I try to do it the day they come out, but I was swamped with many things this week.

Next, besides simply announcing the update, of course I like to help both with links to additional resources for more information, and I also like to draw out some points that might be missed in those resources, or any issues that I have experienced on my own or heard about from others. (So far, this update seems to gone smoothly--at least if you were on the immediately previous one. As I will discuss below, if you're coming from previous ones, there are issues to be aware of.)

Here are the topic areas covered below:

Finding (and finding more about) the update

While you should have seen the update appear in your CF Admin when you login (and if you don't, give it time as there may be a caching issue), as always Adobe has announced the update via their CF Community Forums, specifically: NOW LIVE! Adobe ColdFusion 2023 and 2021 September 2024 security updates

And that points to the (very important) technote for each version's update, as well to the Adobe Product Security Bulletin (APSB) related to it, with (just a little) more about security issues identified and addressed:

Given that the update includes security fixes, it would seem in your interest to get it applied ASAP. (I have no further info about the vulns to share than what is in those linked pages above, and I don't yet have news of any challenges anyone may have had.) I can report I installed both updates without incident.

What to consider, with regard to the 3 previous CF updates (possible breaking changes)

This has been quite a year for CF updates. There was one in March, then June, then August, and now this in September (CF2021 updates 13, 14, 15, and now 16; and CF2023 updates 7, 8, 9 and now 10.) The updates from March and June introduced potential breaking changes. Then as for August's CF2021 update 15, that had a bug in its update mechanism. Let me elaborate a bit on these.

So first, if you are jumping to this update from CF2021 update 12 or earlier, or CF2023 update 6 or earlier (or even CF2021 update 13 or CF2023 update 7), or if you just installed CF and have no updates and are jumping to this as "the latest available update"), it's important that you be aware of the changes introduced in those March and June updates. I have 4 posts on that. Sorry it's a lot of info, but I am trying to help you make the best decisions:

Note as well that as for the "patch" discussed in the post in the 3rd bullet, I discuss there how if you apply a later CF update, the patch is removed and you need to add it back. You will need to do that after applying this September update.

Then second, if you are on CF2021 specifically and you might install update 15 RIGHT before applying this update 16 (you don't need to do that, but many do), then you will likely run hit the issue I discuss here, where I also offer the simple solution. (Note that you can apply the same solution now, if you applied update 16 and never even noticed the problem that happened after update 15.):

As with all CF updates, possible need to upgrade web server connector

Don't miss also that if you may be applying this CF update by skipping over others, you MAY need to upgrade the web server connector for CF (if you use CF with IIS or Apache). The technote offers a table at the bottom reporting which updates did require such connector updating.

Beware also that someone may have forgotten to update the connector after applying some CF update in the past. Sadly, Adobe doesn't provide version info in that table, to help you judge how updated your connector is. Basically you'd look at the date of your connector's isapi_redirect.dll (for IIS) or mod_jk.so (for Apache), and compare that to the date that the CF update was released. Those connector files get updated just before the update is released, and regardless of when you implement the connector, the date of those files shows the date Adobe released them--not the date you created or last updated the connector.

Finally, note that the connector table at the bottom of the technote refers to "recreating" the connector (which implies removing and re-adding it) , but since cf2016 we've been able to "upgrade" the connector using the wsconfig UI (or command line). And I have a blog post with more on that here.

Something to consider, if you're coming from CF2021 update 10 or CF2023 update 4, or earlier

There was a problem with the updates in mid-year 2023, because of a JVM change in mid-year 2023. I offer this for any who may be updating to this latest update but are coming from such an old CF update, and it may affect those who install CF2023 or 2021 and just jump to this latest update--but they first update the JVM within CF. Read on for some context.

If you apply the update in the CF Admin and find that CF starts but the admin and your code fail (such as with a 500 error, or perhaps in more detail starting with "java.lang.NullPointerException" or other errant behaviors), this may be due to a problem I had written back in October 2023. The issue happened if you had updated the java underlying CF to a version released in July 2023 or later (that's Java update 11.0.20 or later for CF2021, or Java 17.0.8 or later for CF2023).

I explained in that Oct post how the solution was how you would need to run the CF update from the command line, adding a needed new JVM argument (offered by Oracle). There is no need to "uninstall" the current update, since it failed. Just do this in running the update again.

I shared then how Adobe had planned to resolve the problem with "the next update"--and that was CF2021 update 11 and CF2023 update 5. So if you're on those (or later), this won't be a problem even if you HAVE updated the Java that CF uses. (This will make more sense if you read the post.)

You can probably ignore the discussion of the -Djdk.serialFilter "ColdFusion JDK Flag"

I haven't mentioned this in previous announcements of CF updates, but I see questions about it occasionally so I think it bears touching on it here. In both the CF update technotes AND the APSB pages, there is always a section at the bottom labeled "ColdFusion JDK flag requirements" or "ColdFusion JDK Requirement", respectively.

Many people presume it must be talking to them: they are on CF, and they know CF runs on Java. But in fact, few folks need to worry about these flags. They are NOT for you if you are running CF they way nearly everyone does, either by installing it via the CF installer or perhaps using the "zip" installation approach (new since CF2021--and also not really suited for everyone).

Instead, these "jdk flags" are offered by Adobe SOLELY for those who deploy CF on a Java application server. Again, many savvy CF admins/developers will still think it applies to them, because they know that those traditional CF install options DO deploy CF atop Tomcat, which is a Java application server. And Tomcat is even listed in the discussion of the "flags", they'd note!

But to be more specific, Adobe is offering these flags for those who are themselves deploying CF via a WAR or EAR file. In that case, whoever runs the Java application server would control putting any needed "jdk flags" into the JVM args for that app server.

That's my understanding, at least. I'd welcome any correction or clarification. Indeed, it would be nice if Adobe would make this point more clear, so that fewer folks think those args are for them. (It's also not clear to me if it's a "problem" if you add the args when you don't NEED to.) Finally, I may well break this and the previous couple of sections into a separate post to point to on each of my CF update announcements. :-) These posts are already long enough!

On getting help with the update(s)

Finally, if you may want help with considering, installing, or troubleshooting anything related to these updates (or indeed anything related to CF), I'm available for online remote consulting. I can often help solve such update problems VERY quickly, getting you back on your feet. More at carehart.org/consulting.

Or you can certainly reach out to the CF community, starting first perhaps with the Adobe forum thread announcing the update, which I pointed to above. Then I list several of the online CF communities here.

For more content like this from Charlie Arehart: Need more help with problems?
  • If you may prefer direct help, rather than digging around here/elsewhere or via comments, he can help via his online consulting services
  • See that page for more on how he can help a) over the web, safely and securely, b) usually very quickly, c) teaching you along the way, and d) with satisfaction guaranteed
Comments
Hello Charlie,
I would like to thank you thorough details provided. That's been helping us to better understand the product (CF), strengths and limitations. I would like to point Adobe's position on fixing binaries vulnerabilities in the range of critical and highs. As CF customers we don't see a clear roadmap addressing those as the time goes by and the end life cycle of CF 2021 is approaching fast. We are eager to see frequent updates around security in the next coming months. Best regards,
Hi Charlie,

I just updated my lower environments from Update 10 to Update 16 (I know, I'm slow!). Unfortunately this has resulted in my RESTful services no longer working. When I go into the Admin and try to refresh it, I get this:

Error registering REST service. Please ensure that you have entered a proper mapping and path.
Application [service mapping] could not be initialized.
Reason: null

I did add -Dcoldfusion.searchimplicitscopes=true to the JVM because I have very old code that do not scope and it would take me a while to fix them (I will -- I just can't do it right now).

Any advice would be much appreciated!
# Posted By Tom | 9/17/24 8:35 AM
Hugo, glad to have helped. But I do want to press you on the rest. First, when you say that you "would like to point Adobe's position on fixing binaries vulnerabilities in the range of critical and highs", can you elaborate on what you mean by "binaries vulnerabilities"?

And when you lament that the "end life cycle of CF 2021 is approaching fast" (Nov 2025), are you confirming whether the things that concern you may have been taken care of in CF2023 (or any of the updates to either CF2023 or 2021)?

And then what if the issues you raise are addressed by CF2025? Is that somehow not an option for you? And if your point would be that "you can't know, because there's no roadmap"...well, I don't work for Adobe and so can't make them create one.

Indeed, in that you " are eager to see frequent updates around security in the next coming months", asking for that here is a bit like howling in the wilderness. Instead, you should raise this issue to Adobe.

If you want to raise it them directly, email either [email protected] or [email protected] (the latter may be better suited to your concerns here).

Otherwise, if you wanted to raise it to them publicly (so that others can see and perhaps chime in or at least benefit), you can either create a ticket at tracker.adobe.com, or open a discussion at the Adobe CF community forum (https://community.ad...).

But given the focus of this post, I would assert that further discussion of this general interest question here would be getting off-topic (and may not reach nearly the audience that the other options would).
OK - found this:

https://community.ad...

Adding the application.cfc worked. Glad the solution was simple!
# Posted By Tom | 9/17/24 1:23 PM
Copyright ©2024 Charlie Arehart
Carehart Logo
BlogCFC was created by Raymond Camden. This blog is running version 5.005.
(Want to validate the html in this page?)

Managed Hosting Services provided by
Managed Dedicated Hosting