
Announcing ColdFusion updates released Sep 9 2025: P1 security update

An update for ColdFusion has been released, Sep 9 2025, for each of cf2025 (update 4), cf2023 (update 16) and cf2021 (update 22). In brief, it addresses a single P1 (Priority 1, "Critical") security vulnerability, along with an indicated update to the "feed" package (used by cffeed). Note that Adobe is also currently reporting that, "Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates." More below.

As usual, there are a number of things you should consider before (or after) doing the update, with some discussed in Adobe's resources on the update (there is more than one), and some info that I share below based on my experience helping people apply this and past updates.

In this post, I share the details about the update (from Adobe and from others). I can report I have installed the update for each release on multiple machines and operating systems without any major incidents. As for challenges (common to recent releases) and lessons learned (about this update), read on.


Comments
Scenario: CF2023 following the manual hotfix instructions provided by Vikram (https://coldfusion.adobe.com/2024/09/a-simple-way-to-install-coldfusion-updates-manually-in-offline-mode/).

Is anyone else in that scenario (or, I guess, any scenario) seeing the infamous "Cannot find implementation class coldfusion.tagext.mail.MailTag for the mail tag" error after applying the hotfix?

I've uninstalled/re-installed the 'mail' package; I've cleared the felix-cache 3 different times. But, I can't get rid of the error.

Any other suggestions? Thank you.
# Posted By Matt | 9/10/25 7:55 AM
Resolved my issue. The 'felixclassloader-2023.0.05.330608.jar' is missing from the CF2023u16 hotfix bundles folder. That will cause the problem I mentioned above; it was present in the CF2023u15 hotfix.
# Posted By Matt | 9/10/25 8:25 AM
Thanks for sharing, Matt. First I want to say it's not a universal problem. I've installed the update on multiple machines without that error, and one that had a similar but different one...but it in fact had more errors, which were shown during the startup in the coldfusion-out.log. See my discussion above about the importance of observing that during cf startup after the update (and two places in the update log to check out also after each update).

In my case, several more files were reported "missing" in that log during the startup. And I found them listed as several "removed" by the update in the hotfixfilelist.log, located next to the update log.

And like you I copied the ones listed as missing back into place. The update had saved them into its backup/bundles folder. I copied those listed as missing back into cf's bundles/repo folder, and I restarted CF. The errors were gone and tests worked.

I want to repeat: this was NOT needed in other updates of that same version, each configured the same way and updated the same way (in my case using the admin, not the offline manual update you mention).

So no, I wasn't doing it as you were, but my point is that one had the problem I saw but the rest did not. So it just supports again that it's not clear that even everyone who updates the way you did will have the problem you did.

Still, thanks for sharing your observation. If you have your logs and could check what I did, it might be interesting to hear what you'd see.

I think the most interesting thing will be to find what CAUSES these errors, when they may or may not happen on what seem at least to be identically configured cf instances. Clearly SOMETHING is different.

But at least you and I have offered two scenarios, with solutions that may help others. I know some people don't care to understand WHY problems might happen: they just want the solution. As always, I hope to offer both. :-)

I'll be trying the approach you followed, to see if and when I may get that problem you did. Hope all this may help someone. Thanks again for adding to the conversation--and the research.
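
A post-update check along the lines of what both comments above describe, as an added example that is not from the post, the commenters or Adobe: it lists jars that the update saved into its backup folder for which no version at all remains in the live bundles folder. The two directory arguments, the function names and the `name-version.jar` naming rule are assumptions of this example; only the felixclassloader file name comes from the comments.

```shell
#!/bin/sh
# Added example: find bundles that were backed up by an update but are now
# absent (in every version) from the live bundles folder.

# bundle_base FILE: strip a trailing "-<numeric version>.jar" (assumed naming),
# e.g. felixclassloader-2023.0.05.330608.jar -> felixclassloader
bundle_base() {
    printf '%s\n' "$1" | sed -E 's/-[0-9][0-9.]*\.jar$//'
}

# missing_bundles BACKUP_DIR LIVE_DIR
# Prints each jar in BACKUP_DIR whose bundle name has no jar in LIVE_DIR.
missing_bundles() {
    backup_dir=$1
    live_dir=$2
    # Collect the version-less names of everything currently installed.
    live_bases=$(for f in "$live_dir"/*.jar; do
        if [ -e "$f" ]; then bundle_base "$(basename "$f")"; fi
    done | sort -u)
    for f in "$backup_dir"/*.jar; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        # A newer version in LIVE_DIR counts as present; only a bundle with
        # no version at all is reported.
        if ! printf '%s\n' "$live_bases" | grep -Fxq -- "$(bundle_base "$name")"; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample layout; the mail jar names are made up for the demo.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/backup" "$tmp/live"
    touch "$tmp/backup/felixclassloader-2023.0.05.330608.jar" \
          "$tmp/backup/mail-1.0.0.jar" \
          "$tmp/live/mail-1.0.1.jar"
    missing_bundles "$tmp/backup" "$tmp/live"
    rm -rf "$tmp"
}

# With two directory arguments, check those; otherwise run the demo.
if [ "$#" -eq 2 ]; then
    missing_bundles "$1" "$2"
else
    demo
fi
```

A jar reported here is only a candidate: an update can retire a bundle on purpose, so confirm each name against the errors in coldfusion-out.log before copying anything back.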
Copyright ©2025 Charlie Arehart