ColdFusion 11 Update 10 and ColdFusion 10 Update 21 released

This post is to announce the release of updates for ColdFusion 11 and ColdFusion 10.
These updates address the security vulnerability CVE-2016-4264, described in security bulletin APSB16-30.
ColdFusion 2016 is not affected by this vulnerability.
Refer to the following KB articles for instructions on how to download and install the updates.
ColdFusion 11 Update 10
ColdFusion 10 Update 21

20 Responses

  1. The last CF updates that carried any connector related fixes were CF11 Update 7 and ColdFusion 10 Update 18.
    Since all CF updates are cumulative, you only need to reconfigure the connector if you are on an update level lower than what is mentioned earlier, or you had applied those updates and not reconfigured the connector afterwards.

  2. Can you please provide the direct download links when you all post these types of updates or put them in the documentation? Our servers have no access to the internet so telling us to go click the download button does nothing for us. Every time one of these updates comes out we play the “where’s the update files” game.

  3. It would be useful if Adobe could provide a bit more detail about the scope of the vulnerability. The APSB mentions “parsing crafted XML entities”, so is this an issue with the XMLParse function specifically? I’m just trying to determine whether this is a “full panic mode” patch that needs to be applied immediately (and cross our fingers something else doesn’t get botched), or if it can be deferred if I’m not parsing XML entities via a public webservice or whatever.

  4. @Paul – FYI Adobe has updated the security bulletin with the following: “As of September 1, Adobe is aware of publicly available proof-of-concept code, and we have modified the priority of these hotfixes from Priority 2 to Priority 1”.

    That proof of concept code gives some more detail about the vulnerability. The takeaway is that if your application accepts any sort of office document (for example users upload them) and then it works with those files (eg cfspreadsheet) then you should patch your servers right away. Either way I would still try to apply security patches as soon as you can.

    Further if you are running CF9 or lower and are using any sort of office doc features you should upgrade to CF10+ since CF9 and below are considered “End of Life” and no longer patched or supported by Adobe.

  5. Does the CF10 Update 21 require the Solr service? My CF10 server has never had Solr installed and when I installed update 21, this is the error I get when trying to get to the CF administrator:

    The following information is meant for the website developer for debugging purposes.
    Error Occurred While Processing Request
    The Solr service is not available.

    This exception is usually caused by service startup failure. Check your server configuration.

    The error occurred in Application.cfm: line 89
    Called from Application.cfm: line 85
    Called from Application.cfm: line 4
    Called from Application.cfm: line 1
    -1 : Unable to display error’s location in a CFML template.

    Stack Trace
    at cfApplication2ecfm1780444099._factor0(C:/coldfusion/jenkins/workspace/CF10_HF21/cfusion/wwwroot/CFIDE/administrator/Application.cfm:89)
    at cfApplication2ecfm1780444099._factor3(C:/coldfusion/jenkins/workspace/CF10_HF21/cfusion/wwwroot/CFIDE/administrator/Application.cfm:85)
    at cfApplication2ecfm1780444099._factor9(C:/coldfusion/jenkins/workspace/CF10_HF21/cfusion/wwwroot/CFIDE/administrator/Application.cfm:4)
    at cfApplication2ecfm1780444099.runPage(C:/coldfusion/jenkins/workspace/CF10_HF21/cfusion/wwwroot/CFIDE/administrator/Application.cfm:1)

    coldfusion.server.ServiceFactory$ServiceNotAvailableException: The Solr service is not available.
    at coldfusion.server.ServiceFactory.getSolrService(ServiceFactory.java:97)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

  6. Paul,
    The vulnerability is related to how OOXML documents are parsed. You may refer to https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4264
    Applying the fix is strongly advised. Any specific reason you want to defer applying it?

    Charlie,
    just adding to the information you’ve shared. We will update our KB articles to mention whether a connector reconfiguration is required or not. But a reconfiguration is not required unless it is explicitly mentioned in the KB article related to update.
    Thanks for pointing it out.

    Bret,
    CF should be able to function independently of Solr.
    Where, and at what point, do you see the error stack trace that you've shared?
    Is it when accessing the CF administrator console, when starting the CF server, or in the CF exception log file? If it is the administrator console, is it when accessing the administrator home page or when navigating to the Solr section in the administrator?
    I don't see that issue with my set-up. Can you please share your neo-solr.xml file at pnayak@adobe.com. The file should be at CF10_HF21/cfusion/lib/
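    Comments 4 and 6 narrow the bulletin's "crafted XML entities" to OOXML documents (xlsx/docx/pptx) handled by the server, for example through cfspreadsheet on user uploads. The following is an added example, not code from the post, from Adobe or from any commenter: a pre-processing check an upload handler can run on an OOXML container before the server parses it. Because the page does not publish the exact payload Adobe fixed, the indicators it refuses (any DOCTYPE or ENTITY declaration inside an XML part, plus oversized parts) are an assumption about what a conservative filter should reject; legitimate Office documents never carry a DTD. The sample documents are constructed inline.

```python
"""Pre-processing check for uploaded OOXML (xlsx/docx/pptx) containers.

Added example, not code from the page, from Adobe or from any commenter.
APSB16-30 / CVE-2016-4264 concern crafted XML entities in OOXML documents
parsed by ColdFusion; the exact payload shape is not published on the page,
so the indicators below are an assumption about what an upload filter should
refuse. Sample documents are constructed in this file.
"""
import io
import re
import zipfile

# OOXML parts are plain XML and a real Office document never needs a DTD, so any
# <!DOCTYPE or <!ENTITY in a part is treated as hostile (assumption, see above).
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_RE = re.compile(rb"<!ENTITY\b", re.IGNORECASE)
XML_PART_RE = re.compile(r"\.(xml|rels)$", re.IGNORECASE)

MAX_PART_BYTES = 50 * 1024 * 1024  # refuse decompression bombs before parsing


def scan_ooxml(data: bytes) -> list:
    """Return a list of findings; an empty list means no DTD/entity markup was seen.

    Raises ValueError if the blob is not a zip container at all.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ValueError("not a zip container") from exc
    with zf:
        for info in zf.infolist():
            if not XML_PART_RE.search(info.filename):
                continue  # images, fonts, etc. are never fed to an XML parser
            if info.file_size > MAX_PART_BYTES:
                findings.append(f"{info.filename}: oversized XML part")
                continue
            part = zf.read(info.filename)
            if DOCTYPE_RE.search(part):
                findings.append(f"{info.filename}: DOCTYPE declaration")
            if ENTITY_RE.search(part):
                findings.append(f"{info.filename}: ENTITY declaration")
    return findings


def build_sample(workbook_xml: bytes) -> bytes:
    """Constructed minimal xlsx-like container for testing (not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            b'<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr("xl/workbook.xml", workbook_xml)
    return buf.getvalue()


# Constructed benign workbook part: no DTD, no entities.
BENIGN = build_sample(
    b'<?xml version="1.0"?><workbook><sheets><sheet name="S1"/></sheets></workbook>'
)

# Constructed hostile part: an external entity that references a local file.
# Whether this exact form triggers the patched bug is not established by the page.
HOSTILE = build_sample(
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE workbook [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b"<workbook>&xxe;</workbook>"
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("hostile", HOSTILE)):
        print(label, scan_ooxml(blob) or "clean")
```

    Reject the upload when `scan_ooxml` returns anything; the check is a defence-in-depth filter in front of the server, not a replacement for applying Update 10 / Update 21.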

  7. FYI, I had the same problem as Brett after trying to install ColdFusion 10 Update 21 (from 19).
    (i.e. “The Solr service is not available.” on CF Admin login page – although other CF sites worked)

    Uninstalling the update didn’t fix the error.

    Unfortunately the above ideas from Charlie Arehart & Piyush (and Googling for Solr etc) didn’t really help.

    The update log file had a fatal error as coldfusion.exe was being used by another process (i.e. ColdFusion service hadn’t finished shutting down before update started)

    So I eventually tried stopping all CF services & reinstalling the update manually, which worked!
    (e.g. https://coldfusion.adobe.com/post.cfm/how-to-download-and-install-coldfusion-10-hotfix-directly)

    Hooray! Hope this note helps someone else too 😀

  8. K Johnstone,
    Thank you for sharing that information.
    I tried applying the updates in the same sequence as you (19 to 21) but I did not observe any issues. There were zero errors/warning in my update 21 installation log.
    Can you please share your update installer log (the one with the fatal error) with me at pnayak@adobe.com. Can you also mail your exceptions.log (present at /cfusion/logs) from around the time your CF server was restarted after the faulty update.

  9. Yes Charlie. That’s the case in all likelihood. At least, based on K’s report.
    The update process not being able to replace file(s) that it is supposed to can lead to any number of unpredictable outcomes. But since we see two similar outcomes (K's and Bret's), I guess we might just double check the premises.
    I don’t yet have the update installation logs for both the cases.
    In K’s case, it would seem that the update process was not able to shut down the CF service, but we don’t know yet if that was the case with Bret.
    The only reason I can think of why the updater was not able to restart the service, is that the user account that the CF process is using does not have the privileges to restart the service, assuming that the update was initiated from CF’s admin console. Perhaps, K can confirm.

  10. Thank you everyone for your suggestions. Apparently the “Subscribe to this comment thread” isn’t working for me because I haven’t received any emails alerting me to the replies.

    I did email Piyush the neo-solr.xml file and he confirmed that it did not cause the issue.

    Last night after reading the suggestions and waiting until the web site was not heavily used, I tried the manual process of stopping the services and installing the update. It was successful and the CF Administrator works once again.

    The update log file (ColdFusion10cfusionhf-updateshf-10-00021Adobe_ColdFusion_10_Update_21_Install_[timestamp].log) did list that the first update installation was unsuccessful:
    Failed to copy the hotfix files to the target location. Retry installation after ensuring that the server is not running or files are not locked by the server.

    For what it’s worth, I was at CF 10 Update 20 prior to this and had not changed the jvm recently. The server has been restarted since the jvm was updated.

    I will now plan to do future CF updates manually until this server is phased out next year.

    Thanks again everyone!

  11. CF11 Update 10 broke all of my generated PowerPoint reports that use the CFPRESENTATION tag. Rolling back the update restored the functionality to full working order. The official Release Notes say “certain” libraries were upgraded, but no specifics were mentioned. Has anyone else experienced this problem?

    Thank you for your response, Charlie. The first thing the server team did was to check the logs for errors and anomalies; they said they found nothing other than that the update had been installed. Everything else worked fine after the application of the update; only my CFPRESENTATION reports were whacked.

    I will show our server maintenance team your comments concerning a manual update and suggest they try it. I will let this group know how things go. I’m hoping I can prove you are correct!

    In the event it still doesn’t work after a manual installation, I will try to collect more useful info for troubleshooting the problem.

  13. Not sure if this is related to the CF11 update 10 since this is a new install and I installed the update before finding this discrepancy, but my Solr collections do not behave as they used to. I cannot cfsearch on more than one collection at a time. I can search and index OK on one collection, but more than one hangs the service.
    Where can I start looking to find the problem? Can I just try to re-install the Addon service with the stand-alone installer?

  14. Thanks Charlie…I looked up logs in hf-updates and it shows this:
    Installation: Successful.
    881 Successes
    0 Warnings
    0 NonFatalErrors
    0 FatalErrors

    However, I looked up the same log on my dev server (which is able to search two collections at once) and it shows this:
    Installation: Successful.
    899 Successes
    0 Warnings
    0 NonFatalErrors
    0 FatalErrors

    I assume all is OK despite the different number of successes since the servers did not have identical upgrade paths (I jumped straight to 8 on the production server and stepped through one or two previous updates on dev)

    I also found the logs for the AddOn service install (in /jetty) and they were different too.
    The dev server log shows this:
    Installation: Successful.
    678 Successes
    0 Warnings
    0 NonFatalErrors
    0 FatalErrors

    And the prod server log shows this:
    Installation: Successful.
    672 Successes
    0 Warnings
    0 NonFatalErrors
    0 FatalErrors

    This seems strange because I installed both servers from the same install file (ColdFusion_11_WWEJ_win64.exe). Should they have the same number of successes even though they both report a successful install? Note that one was a development install and the other a production (not the high security one) install. Perhaps that could account for the different number of successes?

    I will install a copy of FusionReactor and see if I can get any other hints.

  15. We are trying to install CF 11 update 10 and are encountering an error I’ve never experienced before. Anyone have any idea what might be causing these files to be locked? We’ve run this on other Mura servers with no problem…

    Summary
    ——-

    Installation: Unsuccessful.

    894 Successes
    0 Warnings
    6 NonFatalErrors
    9 FatalErrors

    Action Notes:

    Moving files failed:: Failed to back up the previous hotfix files. Retry installation after ensuring that the server is not running or files are not locked by the server.

    Moving files failed:: Failed to back up the previous hotfix files. Retry installation after ensuring that the server is not running or files are not locked by the server.

    Moving files failed:: Failed to back up the previous hotfix files. Retry installation after ensuring that the server is not running or files are not locked by the server.

    Moving files failed:: Failed to back up the previous hotfix files. Retry installation after ensuring that the server is not running or files are not locked by the server.

    Moving files failed:: Failed to back up the previous hotfix files. Retry installation after ensuring that the server is not running or files are not locked by the server.

    Moving files failed:: Failed to back up the previous hotfix files. Retry installation after ensuring that the server is not running or files are not locked by the server.

    Moving files failed:: Failed to back up the previous hotfix files. Retry installation after ensuring that the server is not running or files are not locked by the server.

    Failed to copy hotfix files:C:\Users\muraservice\833774.tmp\dist\cfusion\db\slserver54\bin\swagent.exe: Failed to copy the hotfix files to the target location. Retry installation after ensuring that the server is not running or files are not locked by the server.

    Failed to copy hotfix files:C:\Users\muraservice\833774.tmp\dist\cfusion\db\slserver54\bin\swsoc.exe: Failed to copy the hotfix files to the target location. Retry installation after ensuring that the server is not running or files are not locked by the server.

    Failed to delete directory: Ensure that the server is not running or files are not locked by the server.

    Failed to delete directory: Ensure that the server is not running or files are not locked by the server.

    Failed to delete directory: Ensure that the server is not running or files are not locked by the server.

    Failed to delete directory: Ensure that the server is not running or files are not locked by the server.

    Failed to delete directory: Ensure that the server is not running or files are not locked by the server.

    Failed to delete directory: Ensure that the server is not running or files are not locked by the server.
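
Comments 7, 10 and 15 all describe the same failure mode: the installer runs while the ColdFusion service still holds files open, the hotfix log records "Failed to copy the hotfix files" or "Failed to back up the previous hotfix files", and the server comes back partially patched. The following is an added example, not code from the post, from Adobe or from any commenter: a check that parses the installer log's Summary block and Action Notes (format taken from the logs quoted above) so that a patch job only reports success when the log says Successful with zero fatal errors, and otherwise names the locked files. The log contents below are constructed from the quoted fragments; the log location (cfusion/hf-updates/) is as the commenters describe it.

```python
"""Verify a ColdFusion hotfix installer log before trusting the update.

Added example, not code from the page or from Adobe. Parses the "Summary" block
and "Action Notes" written by the hotfix installer, in the format quoted in the
comment thread; the sample logs below are constructed from those quotes.
"""
import re
from dataclasses import dataclass, field

SUMMARY_RE = re.compile(r"^Installation:\s*(Successful|Unsuccessful)\.", re.M)
COUNT_RE = re.compile(
    r"^(\d+)\s+(Successes|Warnings|NonFatalErrors|FatalErrors)\s*$", re.M
)
# Phrases the installer uses when it could not replace files held by the server.
LOCK_HINTS = ("not running or files are not locked", "used by another process")
# "Failed to copy hotfix files:<path>: Failed to copy ..." names the locked file.
COPY_FAIL_RE = re.compile(r"Failed to copy hotfix files:(.+?): Failed")


@dataclass
class HotfixResult:
    status: str                       # Successful | Unsuccessful | Unknown
    counts: dict = field(default_factory=dict)
    lock_errors: list = field(default_factory=list)
    locked_files: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        """Accept only a log that says Successful and reports zero fatal errors."""
        return self.status == "Successful" and self.counts.get("FatalErrors", 1) == 0


def parse_hotfix_log(text: str) -> HotfixResult:
    """Extract status, counters and file-lock evidence from an installer log."""
    m = SUMMARY_RE.search(text)
    status = m.group(1) if m else "Unknown"
    counts = {name: int(n) for n, name in COUNT_RE.findall(text)}
    lock_errors = [
        line.strip() for line in text.splitlines()
        if any(hint in line for hint in LOCK_HINTS)
    ]
    locked_files = COPY_FAIL_RE.findall(text)
    return HotfixResult(status, counts, lock_errors, locked_files)


# Constructed log resembling the clean install quoted in comment 14.
GOOD_LOG = r"""Summary
-------

Installation: Successful.

881 Successes
0 Warnings
0 NonFatalErrors
0 FatalErrors
"""

# Constructed log resembling the failed install quoted in comment 15.
BAD_LOG = r"""Summary
-------

Installation: Unsuccessful.

894 Successes
0 Warnings
6 NonFatalErrors
9 FatalErrors

Action Notes:

Moving files failed:: Failed to back up the previous hotfix files. Retry installation after ensuring that the server is not running or files are not locked by the server.

Failed to copy hotfix files:C:\Users\muraservice\833774.tmp\dist\cfusion\db\slserver54\bin\swagent.exe: Failed to copy the hotfix files to the target location. Retry installation after ensuring that the server is not running or files are not locked by the server.

Failed to delete directory: Ensure that the server is not running or files are not locked by the server.
"""

if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("bad", BAD_LOG)):
        r = parse_hotfix_log(log)
        print(name, r.status, r.counts, "ok" if r.ok else "REINSTALL", r.locked_files)
```

In practice, point `parse_hotfix_log` at the newest `*_Install_*.log` under cfusion/hf-updates/ after every update, and treat anything other than `ok` as "stop all ColdFusion services, confirm no coldfusion process remains, and rerun the hotfix manually", which is the remedy the thread arrived at.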
