Announcing ColdFusion updates released Sep 10 2024: P3 security update
Also, if you may be skipping to this update from prior to CF2023 update 7 or earlier, or CF2021 update 13 or earlier, please don't apply the update before reading below my discussion about possible breaking changes in those updates from March and June of this year.
And there's still more to consider. Note that if somehow "it's all too much" for you, I can help directly and likely VERY quickly. See my discussion at the bottom here. Otherwise, for the details, read on.
First, apologies to my readers who might rely on my posting an entry announcing each update. I try to do it the day they come out, but I was swamped with many things this week.
Next, besides simply announcing the update, of course I like to help both with links to additional resources for more information, and I also like to draw out some points that might be missed in those resources, or any issues that I have experienced on my own or heard about from others. (So far, this update seems to gone smoothly--at least if you were on the immediately previous one. As I will discuss below, if you're coming from previous ones, there are issues to be aware of.)
Here are the topic areas covered below:
- Finding (and finding more about) the update
- What to consider, with regard to the 3 previous CF updates (possible breaking changes)
- As with all CF updates, possible need to upgrade web server connector
- Something to consider, if you're coming from CF2021 update 10 or CF2023 update 4, or earlier
- On getting help with the update(s)
Finding (and finding more about) the update
While you should have seen the update appear in your CF Admin when you login (and if you don't, give it time as there may be a caching issue), as always Adobe has announced the update via their CF Community Forums, specifically: NOW LIVE! Adobe ColdFusion 2023 and 2021 September 2024 security updatesAnd that points to the (very important) technote for each version's update, as well to the Adobe Product Security Bulletin (APSB) related to it, with (just a little) more about security issues identified and addressed:
- ColdFusion (2023 release) Update 10
- ColdFusion (2021 release) Update 16
- Security updates available for Adobe ColdFusion | APSB24-14
What to consider, with regard to the 3 previous CF updates (possible breaking changes)
This has been quite a year for CF updates. There was one in March, then June, then August, and now this in September (CF2021 updates 13, 14, 15, and now 16; and CF2023 updates 7, 8, 9 and now 10.) The updates from March and June introduced potential breaking changes. Then as for August's CF2021 update 15, that had a bug in its update mechanism. Let me elaborate a bit on these.
So first, if you are jumping to this update from CF2021 update 12 or earlier, or CF2023 update 6 or earlier (or even CF2021 update 13 or CF2023 update 7), or if you just installed CF and have no updates and are jumping to this as "the latest available update"), it's important that you be aware of the changes introduced in those March and June updates. I have 4 posts on that. Sorry it's a lot of info, but I am trying to help you make the best decisions:
- Announcing ColdFusion updates released Mar 12 2024, possible breaking change, solutions
- Announcing ColdFusion updates released June 11 2024: another possible breaking change
- Follow-up on March 2024 CF update: "patch" to log "implicit scope searches" that would fail
- Follow-up on June 2024 CF update: more on change of default algorithm from CFMX_COMPAT
Then second, if you are on CF2021 specifically and you might install update 15 RIGHT before applying this update 16 (you don't need to do that, but many do), then you will likely run hit the issue I discuss here, where I also offer the simple solution. (Note that you can apply the same solution now, if you applied update 16 and never even noticed the problem that happened after update 15.):
As with all CF updates, possible need to upgrade web server connector
Don't miss also that if you may be applying this CF update by skipping over others, you MAY need to upgrade the web server connector for CF (if you use CF with IIS or Apache). The technote offers a table at the bottom reporting which updates did require such connector updating.
Beware also that someone may have forgotten to update the connector after applying some CF update in the past. Sadly, Adobe doesn't provide version info in that table, to help you judge how updated your connector is. Basically you'd look at the date of your connector's isapi_redirect.dll (for IIS) or mod_jk.so (for Apache), and compare that to the date that the CF update was released. Those connector files get updated just before the update is released, and regardless of when you implement the connector, the date of those files shows the date Adobe released them--not the date you created or last updated the connector.
Finally, note that the connector table at the bottom of the technote refers to "recreating" the connector (which implies removing and re-adding it) , but since cf2016 we've been able to "upgrade" the connector using the wsconfig UI (or command line). And I have a blog post with more on that here.
Something to consider, if you're coming from CF2021 update 10 or CF2023 update 4, or earlier
There was a problem with the updates in mid-year 2023, because of a JVM change in mid-year 2023. I offer this for any who may be updating to this latest update but are coming from such an old CF update, and it may affect those who install CF2023 or 2021 and just jump to this latest update--but they first update the JVM within CF. Read on for some context.If you apply the update in the CF Admin and find that CF starts but the admin and your code fail (such as with a 500 error, or perhaps in more detail starting with "java.lang.NullPointerException" or other errant behaviors), this may be due to a problem I had written back in October 2023. The issue happened if you had updated the java underlying CF to a version released in July 2023 or later (that's Java update 11.0.20 or later for CF2021, or Java 17.0.8 or later for CF2023).
I explained in that Oct post how the solution was how you would need to run the CF update from the command line, adding a needed new JVM argument (offered by Oracle). There is no need to "uninstall" the current update, since it failed. Just do this in running the update again.
I shared then how Adobe had planned to resolve the problem with "the next update"--and that was CF2021 update 11 and CF2023 update 5. So if you're on those (or later), this won't be a problem even if you HAVE updated the Java that CF uses. (This will make more sense if you read the post.)
You can probably ignore the discussion of the -Djdk.serialFilter "ColdFusion JDK Flag"
I haven't mentioned this in previous announcements of CF updates, but I see questions about it occasionally so I think it bears touching on it here. In both the CF update technotes AND the APSB pages, there is always a section at the bottom labeled "ColdFusion JDK flag requirements" or "ColdFusion JDK Requirement", respectively.
Many people presume it must be talking to them: they are on CF, and they know CF runs on Java. But in fact, few folks need to worry about these flags. They are NOT for you if you are running CF they way nearly everyone does, either by installing it via the CF installer or perhaps using the "zip" installation approach (new since CF2021--and also not really suited for everyone).
Instead, these "jdk flags" are offered by Adobe SOLELY for those who deploy CF on a Java application server. Again, many savvy CF admins/developers will still think it applies to them, because they know that those traditional CF install options DO deploy CF atop Tomcat, which is a Java application server. And Tomcat is even listed in the discussion of the "flags", they'd note!
But to be more specific, Adobe is offering these flags for those who are themselves deploying CF via a WAR or EAR file. In that case, whoever runs the Java application server would control putting any needed "jdk flags" into the JVM args for that app server.
That's my understanding, at least. I'd welcome any correction or clarification. Indeed, it would be nice if Adobe would make this point more clear, so that fewer folks think those args are for them. (It's also not clear to me if it's a "problem" if you add the args when you don't NEED to.) Finally, I may well break this and the previous couple of sections into a separate post to point to on each of my CF update announcements. :-) These posts are already long enough!
On getting help with the update(s)
Finally, if you may want help with considering, installing, or troubleshooting anything related to these updates (or indeed anything related to CF), I'm available for online remote consulting. I can often help solve such update problems VERY quickly, getting you back on your feet. More at carehart.org/consulting.
Or you can certainly reach out to the CF community, starting first perhaps with the Adobe forum thread announcing the update, which I pointed to above. Then I list several of the online CF communities here.
For more content like this from Charlie Arehart:Need more help with problems?
- Signup to get his blog posts by email:
- Follow his blog RSS feed
- View the rest of his blog posts
- View his blog posts on the Adobe CF portal
- If you may prefer direct help, rather than digging around here/elsewhere or via comments, he can help via his online consulting services
- See that page for more on how he can help a) over the web, safely and securely, b) usually very quickly, c) teaching you along the way, and d) with satisfaction guaranteed
I would like to thank you thorough details provided. That's been helping us to better understand the product (CF), strengths and limitations. I would like to point Adobe's position on fixing binaries vulnerabilities in the range of critical and highs. As CF customers we don't see a clear roadmap addressing those as the time goes by and the end life cycle of CF 2021 is approaching fast. We are eager to see frequent updates around security in the next coming months. Best regards,
I just updated my lower environments from Update 10 to Update 16 (I know, I'm slow!). Unfortunately this has resulted in my RESTful services no longer working. When I go into the Admin and try to refresh it, I get this:
Error registering REST service. Please ensure that you have entered a proper mapping and path.
Application [service mapping] could not be initialized.
Reason: null
I did add -Dcoldfusion.searchimplicitscopes=true to the JVM because I have very old code that do not scope and it would take me a while to fix them (I will -- I just can't do it right now).
Any advice would be much appreciated!
And when you lament that the "end life cycle of CF 2021 is approaching fast" (Nov 2025), are you confirming whether the things that concern you may have been taken care of in CF2023 (or any of the updates to either CF2023 or 2021)?
And then what if the issues you raise are addressed by CF2025? Is that somehow not an option for you? And if your point would be that "you can't know, because there's no roadmap"...well, I don't work for Adobe and so can't make them create one.
Indeed, in that you " are eager to see frequent updates around security in the next coming months", asking for that here is a bit like howling in the wilderness. Instead, you should raise this issue to Adobe.
If you want to raise it them directly, email either [email protected] or [email protected] (the latter may be better suited to your concerns here).
Otherwise, if you wanted to raise it to them publicly (so that others can see and perhaps chime in or at least benefit), you can either create a ticket at tracker.adobe.com, or open a discussion at the Adobe CF community forum (https://community.ad...).
But given the focus of this post, I would assert that further discussion of this general interest question here would be getting off-topic (and may not reach nearly the audience that the other options would).
https://community.ad...
Adding the application.cfc worked. Glad the solution was simple!