Update (Nov 20, 2019): Adobe announced today that they'd come out with a new set of updates to fix the problems in the Sep 24 updates. Today's updates address the various issues reported below about the Sept update. It's important to proceed with performing the updates, for the benefit of the security updates as I discussed below back in Sept.
I shared here Tuesday the news that Adobe had announced there were new updates for CF2018 and 2016, released that day.
But as has happened every few releases, a lot of folks are reporting various problems, enough for me to say that folks may want to hold off on applying these updates, which I realize is a risky proposition since the update includes security fixes. More on that below.
Update Nov 13: Adobe has released a preview of new updates, meant to address the issues in these Sep 2019 updates. For more, see my post: https://www.carehart.org/blog/client/index.cfm/2019/11/13/preview_available_for_new_coldfusion_updates//
Update Sep 27: Adobe has commented below (Sep 27) saying that there are now fixes available for the bugs reported (but that you must request each directly from them, and that an update refresh is not planned). See Vamsee's comment below, and my reply to that (asking for a bit more detail). For now, I have added any links I've seen to fixes for any of these.
Of course, if you need something in the update and want to try it, just be sure to do ample testing, and check out some of the problems people are reporting below. And beware that some issues may only happen under load, so you may not find them in your own testing.
Otherwise, let's see if Adobe may either "refresh" the update or may well "pull" it, as they did with the Feb 2019 updates for CF 2016 and 11, when they replaced those with another a week later (see the "Note" about it at the top of that page).
For more, read on.
If you want to see what sort of problems folks are reporting with the Sep 24 updates, you can find them in the comments of the Adobe blog post, in the comments on my blog post, and in bug reports at tracker.adobe.com (see below; or if you search for CF bugs, they are shown in reverse chronological order--and you can even tell it to show only those created after Sep 23). Finally, I've also been hearing from clients directly, as I've related in my own comments on the two blog posts.
Some of the bug reports so far
This section is new since my original post:
I have decided to go ahead and share here briefly some of the errors being reported about the update, including direct links to bug reports if they exist. This is not meant to be "the complete list". Also, I am NOT committing to keeping this list updated as new ones may be added. I just wanted to help as of today, at least. Use my suggestion above about getting Tracker to show a list of all bugs created beyond today.
I'll start with those that DO have bug reports. Note that I show here the titles people choose for the bug, which may refer to either CF2016 or 2018, or their respective updates 12 or 5, but the given problem may well apply to either release:
- "CFTransaction exceptions thrown when CFTransaction not used", resulting in the error "Datasource names for all the database tags within the cftransaction tag must be the same" (tracker ticket CF-4205269)
Update: fix available. See the comments in that ticket, where Adobe asks you to reach out to them at firstname.lastname@example.org to obtain the fix directly from them.
- "CF2018 Update 5 : Intermittent issue with CF admin page running on external web server" (cf-4205252), and CF2016 - intermittent 404 after Update 12 (cf-4205361).
Despite the first ticket title, this seems related to other issues people have reported with the updated CF web server connector: they get 404s or worse, and some report that if they don't update the connector then their sites don't work, which is a real catch-22--forcing them to revert to the previous CF update and the previous web connector. Seemingly related are instances of requests failing with "The requested URL was not found on this server!", with the isapi_redirect.log containing entries for those requests referring to "jk_check_for_path_attack" and "Path attack using", as reported in that cf-4205361 ticket.
Update: fix available! See an Adobe blog post on the connector fix.
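If you are trying to tell whether your 404s are the connector issue described above, one quick check is to scan isapi_redirect.log for the "jk_check_for_path_attack" / "Path attack using" entries and see which request paths are being rejected. This is an added example of mine, not code from the post or from Adobe; the log lines are constructed, and the exact line layout of isapi_redirect.log is assumed (only the two phrases quoted in the ticket are relied on).

```python
import re
from collections import Counter

# Constructed sample isapi_redirect.log content. The timestamp/thread/level
# layout is assumed; the "jk_check_for_path_attack" and "Path attack using"
# phrases are the ones reported in ticket cf-4205361.
SAMPLE_LOG = """\
[Wed Sep 25 09:12:01 2019] [4120:5528] [info] jk_check_for_path_attack::jk_util.c (1824): Path attack using /app/index.cfm/view/report//
[Wed Sep 25 09:12:01 2019] [4120:5528] [info] HttpExtensionProc::jk_isapi_plugin.c (2455): service() returned 404
[Wed Sep 25 09:13:44 2019] [4120:5530] [info] jk_check_for_path_attack::jk_util.c (1824): Path attack using /app/index.cfm/view/report//
[Wed Sep 25 09:15:02 2019] [4120:5531] [debug] uri_worker_map_ext::jk_uri_worker_map.c (530): Found a wildchar match '/*=cfusion'
[Wed Sep 25 09:16:10 2019] [4120:5532] [info] jk_check_for_path_attack::jk_util.c (1824): Path attack using /cfide/administrator/index.cfm
"""

# Match only lines where the connector's path check rejected the request,
# and capture the path it rejected.
PATH_ATTACK_RE = re.compile(r"jk_check_for_path_attack.*?Path attack using (\S+)")


def triage_connector_log(text):
    """Count connector 'path attack' rejections per request path.

    Returns (total_rejections, Counter mapping path -> count). A high count
    for paths you know are legitimate application URLs points at the
    connector issue rather than at genuinely bad requests.
    """
    rejected = Counter()
    for line in text.splitlines():
        match = PATH_ATTACK_RE.search(line)
        if match:
            rejected[match.group(1)] += 1
    return sum(rejected.values()), rejected


def report(text, top=10):
    """Human-readable summary of the most frequently rejected paths."""
    total, rejected = triage_connector_log(text)
    lines = ["%d request(s) rejected by jk_check_for_path_attack" % total]
    for path, count in rejected.most_common(top):
        lines.append("  %5d  %s" % (count, path))
    return "\n".join(lines)


if __name__ == "__main__":
    # In practice: open(r"C:\ColdFusion2018\config\wsconfig\1\isapi_redirect.log").read()
    print(report(SAMPLE_LOG))
```

Paths ending in "//" or containing encoded characters are what the connector's check objects to, so if those are URLs your application legitimately generates, that is the same symptom the tickets describe.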
And there are a few that seem to refer to the same "nesting" issue (but may have different info or comments, so worth reading each):
- "Nest CFOUTPUT error in hotfix 5 (hf-2018-00005-315699)" (CF-4205250)
- "A query driven queryloop tag is nested inside a queryloop tag UPDATE 12" (CF-4205262)
- "CF 2016 Update 12 on Windows Server returns nesting errors in cases where CF 2016 Update 11 and lower does not" (CF-4205257)
- "Weirdly specific/odd nested structure issue post CF2016 update 12 + java update" (CF-4205251)
Finally, there has been an issue raised about cfhttp processing hanging (with a proposed workaround from Adobe of a JVM argument "to try": -Dcoldfusion.http.usepooling=false):
- "CF2018 Update 5: Server unresponsive" (another ticket with more clarity about http processing, "CFHTTP Randomly Hangs After ColdFusion 2018, Update 5", was marked as a duplicate of this one)
There are still other issues I've seen reported, though for now I have not seen bug reports for them, such as:
- An issue with cflogin and unexpected ALLOWCONCURRENT behavior
I hope someone experiencing these or any other issues will open a bug report. (I am reluctant to, as I have only hearsay information, but I have seen it from multiple folks.)
"But I want the security updates ASAP"
This is indeed a tough situation when it happens, because the updates do include important security fixes, so some people naturally want to get THOSE fixes in place, ASAP. (It's not clear for now if the "problems" are related to either the security fixes, the bug fixes, or the new features.)
Where you can find at least one security "fix"
I will say that at least with respect to one of the vulnerabilities (fixed in those troubled updates), Pete Freitag had emailed customers of his HackMyCF service with news of the vuln earlier this month, and included a fix for it. He has not shared that info publicly, because discussing either the problem or the solution would give exposure of the vulnerability to those who would abuse the information.
But he did share it with his customers. I already have long-recommended his service (indeed, all his tools), but getting access to such useful information as a HackMyCF customer makes that service all the more beneficial.
Someone may assert that Pete should share that info publicly, now that Adobe has "offered a fix for it in the product". That's indeed a common approach for those who find/fix vulnerabilities: to hold off on sharing details until the vendor fixes them. But given the trouble with this update, he may well still be holding off on sharing it, knowing that so many people may be reluctant to apply that update and so could be exposed: the "bad guys" may see his post while many "good guys" may not, leaving them more likely to be attacked than if he had not posted the info.
It's a tough position to be in, and it's his decision to make.
Can't I just get the security updates somehow?
Finally, let's address the elephant in the room. For now, there's no way to get the security updates "only" and not the rest of the bug fixes/new features. Many of us have wished for that, but it's not as easy as it may seem.
But I think there is a good model Adobe could follow. I have blogged about that separately, as I think it deserves to stand on its own.