ColdFusion 2016 Update 5 and ColdFusion 11 Update 13 released

This post is to announce the release of updates for ColdFusion 2016 and ColdFusion 11. These updates address a common vulnerability mentioned in security bulletin APSB17-30.

ColdFusion 2016 Update 5

In addition to addressing the vulnerabilities in the security bulletin APSB17-30, this update includes 13 bug fixes in language, database, AJAX and some other areas. For the installation instructions and details on the bugs fixed, refer to this technote.

ColdFusion 11 Update 13

In addition to addressing the vulnerabilities in the security bulletin APSB17-30, this update includes 8 bug fixes in charting, AJAX and some other areas. For the installation instructions and details on the bugs fixed, refer to this technote.

For the security fixes in these updates to be effective, ColdFusion 2016 should be on JDK 8u121 or a higher version, and ColdFusion 11 should be on JDK 8u121 or JDK 7u131 or a higher version of the JDK. Use of the latest JDK update is recommended.

On a standalone installation of ColdFusion, you can upgrade Java by editing the jvm.config file at <cf_root>/cfusion/bin. For a JEE installation of ColdFusion, refer to the documentation for the host application server.

34 Responses

  1. What does the note referencing “application servers” mean? Isn’t every installation of ColdFusion running on an “application server”? Do we all need to apply that JVM flag? What is it for? A little more detail would be helpful.

    This is the note I am referring to:

    For Application Servers

    Additionally, on J2EE installations, set the following JVM flag, "-Djdk.serialFilter=!org.mozilla.**", in the respective startup file depending on the type of Application Server being used.

    For example:

    On Apache Tomcat Application Server, edit JAVA_OPTS in the 'Catalina.bat/sh' file
    On WebLogic Application Server, edit JAVA_OPTIONS in the 'startWeblogic.cmd' file
    On a WildFly/EAP Application Server, edit JAVA_OPTS in the 'standalone.conf' file

    • Thanks for that additional information. So if using JEE installation type we do need this new setting?

      For reference here, this is what that article says about the setting:

      Serialization Filter Configuration
      Serialization Filtering introduces a new mechanism which allows incoming streams of object-serialization data to be filtered in order to improve both security and robustness. Every ObjectInputStream applies a filter, if configured, to the stream contents during deserialization. Filters are set using either a system property or a configured security property. The value of the “jdk.serialFilter” patterns are described in JEP 290 Serialization Filtering and in /lib/security/java.security. Filter actions are logged to the ‘java.io.serialization’ logger, if enabled.
      See JDK-8155760

  2. The article states that for the security fixes in these updates to be effective the JVM needs to be updated to the latest version, yet there is no information or link to resources for how that should be done. Is there a definitive article from Adobe on replacing the embedded JVM that comes with ColdFusion?

    I’ve done some research and there are conflicting articles. Some say the server JRE can be used, others say it requires the JDK. Some say that tools.jar from the newer version should be copied into the cfusion/lib folder. What is the correct way to replace the JVM?

  3. Michael,
    Here’s how you can go about using a new JVM with CF. Note that these steps are for a standalone installation of CF. For a JEE installation, you may consult the manual of the container application server your CF is hosted on.
    – Download and install the latest JDK (note, that’s JDK not JRE). Follow Oracle’s instructions on Java installation.
    – Edit the {cf_root}/cfusion/bin/jvm.config file. It should have the following default entry:
    java.home=C:\ColdFusion11\jre
    Change that to point it to the newly installed JDK.
    For example, java.home=C:\Program Files\Java\jdk1.8.0_60\jre
    – If you are switching CF from a lower JDK version to a higher version, you need to replace CF’s tools.jar with the newer version from the JDK’s library. For example, CF11 originally shipped with bundled JDK 7; if you are upgrading it to JDK 8, copy tools.jar from {java_home}/lib to the {cf_root}/cfusion/lib/ directory. You can skip this step if you are not using CF-based web services.
    – If you have replaced tools.jar, you need to delete the stubs (compiled classes) generated with the old JVM, so that they are generated again with the new JDK. To delete the stubs, empty the contents of the {cf_root}/cfusion/stubs/ directory.
    – For the changes to take effect, restart CF.
    You can find related details in the following technotes:
    https://helpx.adobe.com/coldfusion/kb/change-coldfusion-jvm.html
    http://blogs.coldfusion.com/when-should-tools-jar-be-updated-in-coldfusion-server/
    Please feel free to write back in case you need any clarifications.

  4. Updated today with 100% success on update but now I am getting an error on server start. Any ideas? I have 5 servers to do:
    "Information","localhost-startStop-1","09/16/17","00:00:07",,"Starting logging..."
    "Information","localhost-startStop-1","09/16/17","00:00:07",,"Starting license..."
    "Information","localhost-startStop-1","09/16/17","00:00:09",,"Standard Edition enabled"
    "Information","localhost-startStop-1","09/16/17","00:00:09",,"Starting crypto..."
    "Information","localhost-startStop-1","09/16/17","00:00:09",,"Starting security..."
    "Information","localhost-startStop-1","09/16/17","00:00:09",,"Starting scheduler..."
    "Information","localhost-startStop-1","09/16/17","00:00:09",,"Starting WatchService..."
    "Information","localhost-startStop-1","09/16/17","00:00:09",,"Starting debugging..."
    "Information","localhost-startStop-1","09/16/17","00:00:09",,"Starting sql..."
    "Information","localhost-startStop-1","09/16/17","00:00:10",,"Pool Manager Started"
    "Information","localhost-startStop-1","09/16/17","00:00:10",,"Starting mail..."
    "Information","localhost-startStop-1","09/16/17","00:00:10",,"Starting runtime..."
    "Error","localhost-startStop-1","09/16/17","00:00:13",,"Unable to initialise Runtime service: java.util.MissingResourceException: Can't find resource for base name coldfusion/server/tomcat/resource.properties"
    "Information","localhost-startStop-1","09/16/17","00:00:13",,"Starting cron..."
    "Information","localhost-startStop-1","09/16/17","00:00:13",,"Starting registry..."
    "Information","localhost-startStop-1","09/16/17","00:00:13",,"Starting client..."
    "Error","localhost-startStop-1","09/16/17","00:00:13",,"Unable to initialise Client Storage service: coldfusion.server.ServiceFactory$ServiceNotAvailableException: The Runtime service is not available. This exception is usually caused by service startup failure. Check your server configuration."
    "Information","localhost-startStop-1","09/16/17","00:00:13",,"Starting xmlrpc..."
    "Information","localhost-startStop-1","09/16/17","00:00:14",,"Starting jaxrs..."
    "Information","localhost-startStop-1","09/16/17","00:00:14",,"Starting graphing..."
    "Error","localhost-startStop-1","09/16/17","00:00:14",,"Unable to initialise Graphing service: coldfusion.server.ServiceException: The Runtime service is not available."
    "Information","localhost-startStop-1","09/16/17","00:00:14",,"Starting solr..."
    "Information","localhost-startStop-1","09/16/17","00:00:14",,"Starting archive..."
    "Error","localhost-startStop-1","09/16/17","00:00:14",,"Unable to initialise Archive/Deploy service: java.lang.ExceptionInInitializerError"
    "Information","localhost-startStop-1","09/16/17","00:00:14",,"Starting document..."
    "Error","localhost-startStop-1","09/16/17","00:00:14",,"Unable to initialise Document service: coldfusion.server.ServiceFactory$ServiceNotAvailableException: The Runtime service is not available. This exception is usually caused by service startup failure. Check your server configuration."
    "Information","localhost-startStop-1","09/16/17","00:00:14",,"Starting eventgateway..."
    "Information","localhost-startStop-1","09/16/17","00:00:14",,"Starting FlexAssembler..."
    "Error","localhost-startStop-1","09/16/17","00:00:14",,"Unable to initialise FlexAssembler service: coldfusion.server.ServiceFactory$ServiceNotAvailableException: The Runtime service is not available. This exception is usually caused by service startup failure. Check your server configuration."
    "Information","localhost-startStop-1","09/16/17","00:00:14",,"Starting .NET..."
    "Error","localhost-startStop-1","09/16/17","00:00:14",,"Unable to initialise .NET service: coldfusion.server.ServiceFactory$ServiceNotAvailableException: The Runtime service is not available. This exception is usually caused by service startup failure. Check your server configuration."
    "Information","localhost-startStop-1","09/16/17","00:00:14",,"Starting Monitoring..."
    "Error","localhost-startStop-1","09/16/17","00:00:14",,"Unable to initialise Monitoring service: java.lang.NoClassDefFoundError: Could not initialize class coldfusion.featurerouter.FeatureRouter"
    "Information","localhost-startStop-1","09/16/17","00:00:14",,"Starting WebSocket..."
    "Error","localhost-startStop-1","09/16/17","00:00:14",,"Unable to initialise WebSocket service: java.lang.NoClassDefFoundError: Could not initialize class coldfusion.featurerouter.FeatureRouter"
    "Error","localhost-startStop-1","09/16/17","00:00:15",,"Unable to initialise SecureProfile service: coldfusion.server.ServiceException: The Runtime service is not available."
    "Information","localhost-startStop-1","09/16/17","00:00:15",,"ColdFusion started"
    "Information","localhost-startStop-1","09/16/17","00:00:15",,"ColdFusion: application services are now available"

  5. Michael, you say you “updated today with 100% success on update but now I am getting an error on server start”.

    So by what measure do you mean it was “100% success”? That’s a sincere question, not a snarky one. Do you mean simply that the popup window said the update was a success?

    Even if so, did you check the update logs? That’s where I tell people to look first, after every update (whether successful or failing. And I will help you know in a moment where to look for the log).

    And if there are any “errors” or “nonfatal errors” indicated there (in a table near the update log, which I will tell you where to find it), then usually the reason for that is that CF or a related CF service did not get stopped during the update, so that it did not complete.

    And so the solution to that is to stop CF (and the related CF services) and run the update from the command line, and I tell you how to do that, and the above, in a post I did last year:

    http://www.carehart.org/blog/client/index.cfm/2016/9/6/solve_common_problems_with_CF_updates_in_10_and_above

    Give that a shot and let us know how it goes.

    Finally, though I don’t think it would cause the error you are seeing, do note that this update is unique in that you must also be sure to update the JVM, per the blog post above (and the Adobe technote it links to). I will add that I shared above (on the 14th) a post with help for those trying that and having still other problems.

    • Charlie,
      I get you, 100% does not always mean 100% but this comes from the log:
      Installation: Successful.

      1159 Successes
      0 Warnings
      0 NonFatalErrors
      0 FatalErrors

      Action Notes:

      None

      As a note, I stopped cf services, ran the update manually, and then restarted the server. I did update the JVM at the same time. I am going to pull up a fresh image of this server and do the JVM first and then do the update and see where I get.

      Worst case, if I can’t get this update in, you are going to be hired to figure out what the heck is going on.

      Cheers and wish me luck.

      • Well that was another fun hour of my life I can’t get back. Same exact result as the last time. JVM update first tested well. Stopped all CF services. Ran the update manually, logs show no errors or warnings. Restarted server and get this in the server logs again:
        "Error","localhost-startStop-1","09/18/17","16:10:21",,"Unable to initialise Runtime service: java.util.MissingResourceException: Can't find resource for base name coldfusion/server/tomcat/resource.properties"
        "Information","localhost-startStop-1","09/18/17","16:10:21",,"Starting cron..."
        "Information","localhost-startStop-1","09/18/17","16:10:21",,"Starting registry..."
        "Information","localhost-startStop-1","09/18/17","16:10:21",,"Starting client..."
        "Error","localhost-startStop-1","09/18/17","16:10:21",,"Unable to initialise Client Storage service: coldfusion.server.ServiceFactory$ServiceNotAvailableException: The Runtime service is not available. This exception is usually caused by service startup failure. Check your server configuration."
        "Information","localhost-startStop-1","09/18/17","16:10:21",,"Starting xmlrpc..."

  6. Are the checksums for the hotfix JAR files published somewhere? I had several failures to download the hotfix this morning and I’d like to make sure what I did finally end up is valid before I start trying to apply the update…

  7. It seems you guys broke the AJAX argumentCollection again with Update 5.
    https://tracker.adobe.com/#/view/CF-4197186
    After the update I now get the error that the argumentCollection is not passed in. (I do not have THIS.searchImplicitScopes=false either; it is just the default, so that setting does not seem to matter.) It worked fine on Update 4. Is this being taken care of, or do I need to set up a bug ticket?

    • Piyush, I emailed you as well, but basically the issue is that before the update it was passing a collection in the AJAX call called “argumentCollection”. Now, after the update, it is passing the variables but not in the collection:

      Before Update 5:
      method:getSearchResults
      returnFormat:json
      argumentCollection:{"page":1,"pageSize":12,"gridsortcolumn":"","gridsortdirection":"ASC","search_customer_id":"27509","search_keywords":"","search_document_type":"0","search_start_date":"09/22/2016","search_end_date":"09/22/2017","search_profile_id":"40644","search_type":"database","run_search":true}

      After Update 5:
      method:getSearchResults
      pageSize:12
      search_customer_id:27509
      search_keywords:
      search_document_type:
      search_start_date:09/22/2016
      search_end_date:09/22/2017
      search_profile_id:
      search_type:database
      run_search:true
      returnFormat:json
      start:0
      limit:12
      page:1
      gridsortcolumn:
      gridsortdirection:ASC

  8. For anyone who has recently applied the recent security update for ColdFusion I wanted to confirm something that tripped me up. One of the fixes requires a special JVM arg added and for the version of Java to be JDK 8 u121+. It’s been noted in several places that you only need to manually add the JVM if you have a J2EE installation of ColdFusion where you manually installed the servlet container, etc. However, what tripped me up (wasn’t clear) was that all users are required to update their java version *manually* regardless of what type of installation they have. i.e. the updaters won’t touch the JRE for you, even though the JRE was installed as a bundled part of ColdFusion. Based on a twitter conversation I had today with a “security researcher” who claims he reported one of the security vulns to Adobe, he confirmed that just installing the updater is NOT enough to secure your server. You are vulnerable until you also manually upgrade Java.

  9. To add to Brad’s comment and to dispel any confusion that may still be there, I rephrase and reiterate – after applying the update,
    Java should be upgraded in all cases (JEE and standalone CF) ; and,
    The JVM serialization flag should be manually configured on a JEE installation of CF.
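The two requirements restated in the comment above (Java at or above the stated minimum on every install, and the jdk.serialFilter flag on JEE installs) lend themselves to a post-update check. The following is an added example, not Adobe's or ColdFusion's own code: it reads constructed `java -version` output and a constructed JVM options string, applies the page's minimum versions, and evaluates the flag's pattern with JEP 290 style matching (';'-separated patterns, first match wins, '!' rejects, 'pkg.**' covers subpackages, 'pkg.*' one package). The class name `org.mozilla.example.Probe` is a constructed test name, and the check treats any JDK major above the listed ones as sufficient.

```python
import re

# Minimum JDK update per major line, as stated in the post for APSB17-30 (assumed mapping).
MIN_JDK = {"2016": {8: 121}, "11": {8: 121, 7: 131}}
SERIAL_FILTER_FLAG = "-Djdk.serialFilter="

def parse_java_version(version_output):
    """Return (major, update) from `java -version` text: '1.8.0_131' -> (8, 131), '9.0.4' -> (9, 0)."""
    m = re.search(r'version "(\d+)\.(\d+)(?:\.\d+)*(?:_(\d+))?', version_output)
    if not m:
        raise ValueError("unrecognised java -version output")
    major = int(m.group(2)) if m.group(1) == "1" else int(m.group(1))
    return major, int(m.group(3) or 0)

def jdk_is_sufficient(cf_version, version_output):
    """True when the JDK meets the post's minimum for this ColdFusion version."""
    major, update = parse_java_version(version_output)
    minimums = MIN_JDK[cf_version]
    if major in minimums:
        return update >= minimums[major]
    return major > max(minimums)          # a newer major line than any listed

def serial_filter_value(jvm_options):
    """Extract the jdk.serialFilter value from a JAVA_OPTS / java.args string, or None if absent."""
    for token in jvm_options.split():
        if token.startswith(SERIAL_FILTER_FLAG):
            return token[len(SERIAL_FILTER_FLAG):]
    return None

def filter_rejects(pattern_list, class_name):
    """Decide whether a jdk.serialFilter pattern list rejects class_name (unmatched = allowed)."""
    for pat in pattern_list.split(";"):
        pat = pat.strip()
        if not pat:
            continue
        reject = pat.startswith("!")
        body = pat[1:] if reject else pat
        if body.endswith(".**"):                      # package and all subpackages
            hit = class_name.startswith(body[:-2])
        elif body.endswith(".*"):                     # exactly this package
            hit = class_name.rsplit(".", 1)[0] == body[:-2]
        else:                                         # exact class name
            hit = class_name == body
        if hit:
            return reject
    return False

def check_install(cf_version, install_type, version_output, jvm_options):
    """Return the list of gaps against the page's rules; an empty list means both are satisfied."""
    problems = []
    if not jdk_is_sufficient(cf_version, version_output):
        problems.append("JDK below minimum for the APSB17-30 fix")
    value = serial_filter_value(jvm_options)
    if install_type == "jee" and (value is None or not filter_rejects(value, "org.mozilla.example.Probe")):
        problems.append("jdk.serialFilter does not reject org.mozilla.**")
    return problems
```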
