ColdFusion 11 Update 6 and ColdFusion 10 Update 17 now available

The following ColdFusion updates are now available for download. These updates address an XXE (XML External Entity) vulnerability in BlazeDS that is common to both versions. For details, refer to the security bulletin hyperlinks in the sections below.
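The page does not show how BlazeDS parses XML or what the patch changes, so the following is an added, generic example (not Adobe's or BlazeDS's code) of the parser hardening that closes an XXE hole in Java, BlazeDS's own language: the DOCTYPE is refused outright, and the external-entity features are switched off as a fallback. The class name `SafeXml` and the sample documents are assumptions constructed for illustration.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

/** Hardened DOM parsing: DTDs and external entities are never resolved. */
public final class SafeXml {

    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE: entities can only be declared inside a DTD,
        // so this single feature defeats XXE on Xerces-based parsers.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Fallbacks for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** True when the document parses under the hardened settings, false when it is rejected. */
    public static boolean accepts(String xml) {
        try {
            Document d = newHardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement() != null;
        } catch (SAXException | IOException | ParserConfigurationException e) {
            // A SAXException here is the expected outcome for any input carrying a DOCTYPE.
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs; not taken from BlazeDS or from the page.
        String plain = "<message><body>hello</body></message>";
        String withDoctype = "<!DOCTYPE message [<!ENTITY e SYSTEM \"file:///placeholder\">]>"
                           + "<message>&e;</message>";
        System.out.println("plain document accepted:   " + accepts(plain));
        System.out.println("DOCTYPE document accepted: " + accepts(withDoctype));
    }
}
```

Applying an update such as the ones announced here is still the right fix for BlazeDS itself; the point of the example is the check a practitioner can apply to their own XML entry points, namely that a document carrying a DOCTYPE is rejected rather than parsed.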

Users running LCDS with ColdFusion should refer to this technote for updating their LCDS installation.

ColdFusion 11 Update 6

This update addresses the vulnerability described in security bulletin APSB15-21. This update is cumulative and includes fixes from previous ColdFusion 11 updates.

For details, refer to this technote.

ColdFusion 10 Update 17

This update addresses the vulnerability described in security bulletin APSB15-21. This update is cumulative and includes fixes from previous ColdFusion 10 updates.

For details, refer to this technote.

46 Responses

  1. So update 6 includes all previous updates, which means it includes update 5, which is broken.

    How do people limited to update 4 ensure they are not vulnerable?

    Is there a way to ensure Flex/BlazeDS is fully disabled in a way that avoids the security issue? Is removing all flex-related servlet/servlet-mappings from Tomcat going to be enough, or is there more to do?

  2. David,
    The articles have been updated. Thanks for pointing that out.

    All updates since ColdFusion 10 are cumulative.

    We’re targeting the fix for 3971083 in the next update release. Update 6 had to be pushed out quickly as it addresses a zero-day vulnerability.

    Pls. elaborate on what’s broken in Update 5.

  3. Peter, Aaron,
    You can uncheck “Enable Flash Remoting” checkbox in the ColdFusion Administrator> Data & Services> Flex Integration.
    But pls. be warned that this will also disable the Server Monitoring feature in ColdFusion.

  4. @Piyush: so to be clear here… someone who might not think they are using BlazeDS and so accordingly doesn’t need this fix could conceivably be leaving themselves exposed if they are using server monitoring?

    Can you (ie: Adobe) be a bit less opaque about the reach of this issue? It’s not that clear, I don’t think.

  5. Hi all,
    I have a versioning issue after installing the updates on CF10 and CF11…
    I get version 11,0,06,289974 instead of 11,0,06,295053
    and version 10,0,17,282462 instead of 10,0,17,295085

    should I be worried or are the numbers in the hotfix-info wrong?

  6. Thanks for the workaround Piyush.

    Adam, I don’t think it’s that opaque – the Server Monitoring functionality in CFAdmin is presumably making use of Flash Remoting (which is what BlazeDS provides).

    Assuming that’s not used for Fusion Reactor, it’ll be ok for us to disable it.

  7. Adam,
    The update needs to be applied to alleviate the threat, regardless of whether you are using BlazeDS or not.
    If you got an impression that is otherwise, pls. point out the text in the content (here or the referenced technotes), so that I can see if that needs to be rephrased.

    Jörg,
    Can you pls. mail the update installation log and the platform details to me at
    You’ll find them at the following location:
    cfusion\hf-updates\hf-11-00006; cfusion\hf-updates\hf-10-00017

    I still need to check the details on what that bug is about, but it is yet to be fixed. I guess we’ll have to wait for it to be fixed before we can consider shipping it in an update.

  8. Thanks Charlie.

    Piyush wrote:
    > I still need to check the details on what that bug [3956389] is about,
    > but it is yet to be fixed. I guess we’ll have to wait for it to be fixed
    > before we can consider shipping it in an update.

    Or, instead of waiting, the CF team could be proactive about looking at what changed in update 5 and how it might have caused the bug.

    What code was changed to address 3776450 for example?
    Given that was about detecting JAR changes, there’s a high likelihood of the changes being related.

  9. Did the CF10u17 hotfix get pulled for some reason? I updated a pair of my development servers yesterday for testing, and when I tried to update a third this morning, update 17 is no longer showing as available? Looking at the XML file available at the default update URL, it appears that neither of these updates (CF10u17, CF11u6) are listed.

  10. Snake,
    I apologize for indicating that the CF9 instructions can be made available by email. We cannot share security-related fixes for versions that are out of support. You can reach out to customer support for any guidance or clarifications.

    You apparently have a custom patch for that bug. I’ll check on whether you need to reapply it post update 6 and get back.

    I can see that you’ve already commented on the fix for 3776450 possibly causing 3956389, in the bug tracker. Thanks for that. I’m sure we’ll check out that angle when we work on fixing it.

  11. Matthew,
    When you apply an update, all the content of cfusion\lib\updates is moved to a backup location at cfusion\hf-updates before the new update jar is placed there.
    So you’ll need to recopy your custom patch to the former directory.

  12. @Piyush

    I have re-applied the jar received from Bug 3971083 and the issue is side-stepped again with that in cfusion\lib\updates.

    Just disappointed it was not packaged with update 6, since it was addressed shortly after update 5 was released.

    When a bug is marked fixed, when would one expect the fixed code to make it to an update release?

  13. PDFg service is working fine for me in production with JVM 1.8.0_45 and CF11 update 5. Just patched to update 6 on my dev server and after a few tests things seemed okay but didn’t try PDFg. Decided to update to JVM 1.8.0_60 and found that PDFg no longer worked (Add-On service would not start). Just rolled back to JVM 1.8.0_45 and PDFg is working fine again under CF11 update 6. This is with Server 2012R2.

  14. Thanks Charlie, yes, you’re correct. The PDFg add-on was pointing to the non-existent 1.8.0_45 JVM after upgrading to _60. Thank you for the tip on the jetty.lax I now remember editing that so it would use _45 quite a few months ago. Just repointed CF app and the AddOn service/PDFg to _60 and all is well.

  15. Hi, we have installed Update6 on several Win2012 R2 64-bit servers, but one just failed with command-line errors:
    “failed to add duplicate collection element “/jakarta””
    “failed to add duplicate collection element “/CFIDE””

    CF did not appear to be starting, and when browsing, we got this error:
    HTTP Error 500.0 – Internal Server Error. Calling GetFilterVersion on ISAPI filter “F:\CF11\config\wsconfig\1\isapi_redirect.dll” failed.

    Rebuilding the Connector did not help. The old Connectors had to be manually removed.

    Uninstalling Update6 required the manual removal, but CF is still not starting. We get the same HTTP Error 500.0, when browsing either .htm or .cfm files.

    Any ideas? (we’ve opened an Adobe support case).

    Thank you.

  16. Follow-up to my post of Sep 21, 2015 at 9:10 AM:

    We followed the uninstall instructions for Update6, but it did not fully uninstall and CF would not start.

    We then followed the manual uninstall instructions for Update6, but CF would not start.

    We then replaced the entire installation directory tree with a backup we took before installing Update6, and CF now starts, and correctly shows Update5 as the latest build version.

    We have installed Update6 three times before, all successfully, and confirmed the MD5 signature, so it should not be corrupted.


  17. We tried the installation again, and it worked with no errors. No idea what was different between the bad and the good installations.

    Just be sure to back up all your CF files before you install the Update!


  18. Seems the BlazeDS ‘update’ made it more secure by completely borking the functionality. I have a client app that relies heavily on Blaze and when update 18 was applied, the messaging simply stopped working.

    I am not sure where the problem is... still trying to figure that one out.
