Announcing ColdFusion updates released July 8 2025: p1 security update and more
As usual, there are a number of things you should consider before (or after) doing the update, with some discussed in Adobe's resources on the update (more than one), and some that I share below based on my experience helping people apply this and past updates. Finally, the update corrects some issues introduced in the previous updates, released in May.
In this post, I share the details about the update (from Adobe and from others). I can report I have installed the update for each release on multiple machines and operating systems without any major incidents. As for challenges (common to recent releases) and lessons learned (about this update), read on.
I updated our servers this morning, and everytime I try and send an email now, it results in a 500 Server Error.
Stop Coldfusion
Delete the Felix cache folder (cfusion/bin/felix-cache)
Restart Coldfusion
This will resolve your issue.
I'll point out to you both (and all readers) that I DID cover this clearing of the felix-cache in my section above, "A few other topics generic to recent CF updates, which you may want to consider", where I explained that while this update
s technote does not SAY to do it, it HAS often been the solution to some problems--which not EVERYONE may necessarily experience.
And that's also why I just say to do it as a matter of good practice: as I concluded, "there's no reason NOT to".
If this specific mail issue does prove to be rather universal, I'll update the post to reflect that. For now, these comments should help (those who don't heed my own recommendation about it).
https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-update-21.html
bcmail-jdk15on-153.jar (is missing now)
First, good to see Adobe added that as a known issue...but it's odd that it's listed only on the technote for cf2021...not cf2025 or 2023. I have asked Adobe directly about that.
Finally Kevin, given that, and when you say 2025 is removing the required jar, what is that? FWIW, there IS an indication (in the 2025 update technote alone) that "The jar file `xlsx-streamer-2.1.0.jar` has been removed and replaced with `excel-streaming-reader-5.0.4.jar`." But I don't think that's what you're referring to, since it clearly has nothing to do with mail.
I'm thinking you're referring to something maybe you saw in your logs? What jar was it?
Let me do some exploring (or perhaps others will and will get back to us).
Here's the full error - I tried updating bcprov-jdk15on-153.jar to a newer version but that seemed to make things error even more. I ended up just rolling back the update for now.
java.lang.VerifyError:
Bad type on operand stack
Exception Details:
Location:
coldfusion/mail/mod/MailImpl.signMail(Ljavax/mail/internet/MimeMessage;Ljavax/mail/Session;)
Ljavax/mail/internet/MimeMessage; @238: invokevirtual
Reason:
Type 'org/bouncycastle/asn1/smime/SMIMEEncryptionKeyPreferenceAttribute' (current frame, stack[1]) is not assignable to 'org/bouncycastle/asn1/ASN1Encodable'
Current Frame:
bci: @238
flags: { }
locals: { 'coldfusion/mail/mod/MailImpl', 'javax/mail/internet/MimeMessage', 'javax/mail/Session', 'java/security/KeyStore', '[Ljava/security/cert/Certificate;', 'java/security/PrivateKey', 'org/bouncycastle/asn1/ASN1EncodableVector', 'java/security/cert/X509Certificate', 'java/lang/String', 'org/bouncycastle/asn1/cms/IssuerAndSerialNumber' }
stack: { 'org/bouncycastle/asn1/ASN1EncodableVector', 'org/bouncycastle/asn1/smime/SMIMEEncryptionKeyPreferenceAttribute' }
It now discusses the need (and details how to) delete the felix-cache (something I also warned of originally in the post.) And yes, I will also update my post to note this addition to the "known issues" in the technote)--for the sake of those who don't read the technotes...or all the comments here. :-)
And I've already updated the post about the new "known issue".
https://tracker.adobe.com/#/view/CF-4227376
The gist:
We're all aware of the expected behavior if you attempt to call a remote cfc method with required parameters without including all of the required parameters in your call. However, it appears that Adobe potentially has moved WHEN THAT VALIDATION OCCURS in the request process. It used to occur after onRequestStart() (verifiable with my aforementioned sample app) which would allow you to do some query_string/url scope manipulation prior to that validation. Now? Not so.