September 12, 2017
ColdFusion 2016 Update 5 and ColdFusion 11 Update 13 released

This post announces the release of updates for ColdFusion 2016 and ColdFusion 11. These updates address the vulnerabilities described in security bulletin APSB17-30.

ColdFusion 2016 Update 5

In addition to addressing the vulnerabilities in security bulletin APSB17-30, this update includes 13 bug fixes in the language, database, AJAX and some other areas. For installation instructions and details of the bugs fixed, refer to this technote.

ColdFusion 11 Update 13

In addition to addressing the vulnerabilities in security bulletin APSB17-30, this update includes 8 bug fixes in charting, AJAX and some other areas. For installation instructions and details of the bugs fixed, refer to this technote.

The security fixes in these updates are effective only when ColdFusion runs on a JDK that includes the serialization filter introduced in JDK 8u121 and JDK 7u131: ColdFusion 2016 must be on JDK 8u121 or later, and ColdFusion 11 must be on JDK 8u121 or later, or on JDK 7u131 or later. The check is against the update number, not only the major version; a JDK 8 build older than 8u121 does not qualify. Installing the update does not upgrade the JVM bundled with ColdFusion; that is a separate, manual step on both standalone and JEE installations. The use of the latest JDK update is recommended.

On a standalone installation of ColdFusion, upgrade Java by pointing java.home in the jvm.config file at <cf_root>/cfusion/bin to the newly installed JDK and restarting ColdFusion. On a JEE installation of ColdFusion, upgrade the JVM as documented for the host application server and, as the technote for these updates states, add the JVM flag -Djdk.serialFilter=!org.mozilla.** to that server's startup options (JAVA_OPTS in catalina.bat/sh for Tomcat, JAVA_OPTIONS in startWeblogic.cmd for WebLogic, JAVA_OPTS in standalone.conf for WildFly/EAP). The flag is not required on a standalone installation.
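A scripted form of the two checks above, added here as an illustration; it is not part of the update, the technote or Adobe's tooling. It parses the output of `java -version` against the minimum builds named in this post, reads the java.home and java.args lines of a standalone jvm.config, and, for a JEE installation, looks for the -Djdk.serialFilter flag in the server's JVM arguments. The jvm.config text and the version banners in the code are constructed samples, the product keys and the audit() function are this example's own names, and the argument parsing assumes whitespace-separated JVM options without embedded spaces. Run `java -version` with the java binary under java.home, not whichever java is first on the PATH, since that is the JVM ColdFusion actually starts with.

```python
import re

# Minimum JDK builds named in the post for the security fixes to be effective.
# Keyed by product, then by Java major version -> minimum update number.
MIN_JDK_UPDATE = {
    "ColdFusion 2016": {8: 121},
    "ColdFusion 11": {8: 121, 7: 131},
}

# `java -version` on JDK 7/8 prints e.g.: java version "1.8.0_121"
_JAVA_VERSION_RE = re.compile(r'version "1\.(\d)\.0_(\d+)')


def parse_java_version(banner):
    """Extract (major, update) from `java -version` output for Java 7/8.

    Returns None for any other version scheme; the post names only JDK 7 and 8 builds.
    """
    m = _JAVA_VERSION_RE.search(banner)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def jdk_meets_minimum(product, banner):
    """True if the JVM described by `banner` satisfies the post's minimum for `product`."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return False
    major, update = parsed
    minimum = MIN_JDK_UPDATE[product].get(major)
    return minimum is not None and update >= minimum


def parse_jvm_config(text):
    """Parse the key=value lines of a standalone CF jvm.config into a dict.

    Comment lines (#) and blank lines are skipped; a repeated key keeps the last value.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def has_serial_filter(jvm_args):
    """True if a -Djdk.serialFilter=... option is present in a JVM argument string.

    Assumes whitespace-separated options without embedded spaces.
    """
    return any(arg.startswith("-Djdk.serialFilter=") for arg in jvm_args.split())


def audit(product, install_type, java_banner, jvm_args):
    """Return a list of findings; an empty list means the post's requirements are met.

    install_type is "standalone" or "jee"; the serialFilter flag is required only on JEE.
    """
    findings = []
    if not jdk_meets_minimum(product, java_banner):
        findings.append("JVM below the minimum build required for the fixes: %s"
                        % java_banner.strip().splitlines()[0])
    if install_type == "jee" and not has_serial_filter(jvm_args):
        findings.append("JEE installation without -Djdk.serialFilter in the JVM arguments")
    return findings


# Constructed sample inputs, not taken from a real server.
SAMPLE_JVM_CONFIG = """\
# jvm.config (constructed sample)
java.home=/opt/coldfusion11/jre
java.args=-server -Xms256m -Xmx1024m -XX:MaxMetaspaceSize=192m -Dcoldfusion.home={application.home}
"""
BUNDLED_JRE_BANNER = 'java version "1.8.0_72"\nJava(TM) SE Runtime Environment (build 1.8.0_72-b15)\n'
UPGRADED_JDK_BANNER = 'java version "1.8.0_144"\n'

if __name__ == "__main__":
    cfg = parse_jvm_config(SAMPLE_JVM_CONFIG)
    print("java.home:", cfg["java.home"])
    for product in MIN_JDK_UPDATE:
        print(product, "bundled JRE:", audit(product, "standalone", BUNDLED_JRE_BANNER, cfg["java.args"]))
        print(product, "upgraded JDK:", audit(product, "standalone", UPGRADED_JDK_BANNER, cfg["java.args"]))
    print("JEE without flag:", audit("ColdFusion 11", "jee", UPGRADED_JDK_BANNER, "-Xmx1024m"))
```

On a JEE installation the string to pass as jvm_args is the JAVA_OPTS (or JAVA_OPTIONS) value from the application server's startup file rather than java.args from jvm.config.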

32 Comments
2017-09-29 17:00:26

To add to Brad's comment and to dispel any confusion that may still be there, I rephrase and reiterate: after applying the update,
Java should be upgraded in all cases (JEE and standalone CF); and
the JVM serialization flag should be manually configured on a JEE installation of CF.

2017-09-26 21:16:58

For anyone who has recently applied the recent security update for ColdFusion, I wanted to confirm something that tripped me up. One of the fixes requires a special JVM arg to be added and the version of Java to be JDK 8 u121+. It's been noted in several places that you only need to manually add the JVM arg if you have a J2EE installation of ColdFusion where you manually installed the servlet container, etc. However, what tripped me up (it wasn't clear) was that all users are required to update their Java version *manually*, regardless of what type of installation they have. I.e. the updaters won't touch the JRE for you, even though the JRE was installed as a bundled part of ColdFusion. Based on a Twitter conversation I had today with a "security researcher" who claims he reported one of the security vulns to Adobe, he confirmed that just installing the updater is NOT enough to secure your server. You are vulnerable until you also manually upgrade Java.

2017-09-22 16:50:11

Matt,
Can you please share the expression that you are using to pass the call to the handler?

2017-09-22 19:54:52 (reply to Anonymous's comment)

Piyush, I emailed you as well, but basically the issue is that before the update it was passing a collection in the AJAX call called "argumentCollection". Now, after the update, it is passing the variables but not in the collection:

Before Update 5:
method:getSearchResults
returnFormat:json
argumentCollection:{"page":1,"pageSize":12,"gridsortcolumn":"","gridsortdirection":"ASC","search_customer_id":"27509","search_keywords":"","search_document_type":"0","search_start_date":"09/22/2016","search_end_date":"09/22/2017","search_profile_id":"40644","search_type":"database","run_search":true}

After Update 5:
method:getSearchResults
pageSize:12
search_customer_id:27509
search_keywords:
search_document_type:
search_start_date:09/22/2016
search_end_date:09/22/2017
search_profile_id:
search_type:database
run_search:true
returnFormat:json
start:0
limit:12
page:1
gridsortcolumn:
gridsortdirection:ASC

2017-09-21 21:26:50

Actually it is not like that ticket. It is just that the argumentCollection variable is not being passed in the AJAX call to my handler.

2017-09-21 21:35:20 (reply to Anonymous's comment)

I did find a workaround. I am using Coldbox. If anyone else has this issue let me know.

2017-09-21 21:19:59

It seems you guys broke the AJAX argumentCollection again with Update 5.
https://tracker.adobe.com/#/view/CF-4197186
After the update I now get the error that the argumentCollection is not passed in. (I do not have THIS.searchImplicitScopes=false either; it is just the default, so that setting does not seem to matter.) It worked fine on Update 4. Is this being taken care of, or do I need to set up a bug ticket?

2017-09-20 18:35:40

Unrelated to this update but still in the area of security and ColdFusion updates:
New vulnerabilities have just been identified in Apache Tomcat that affect versions 7.0.0 to 7.0.80.

https://www.us-cert.gov/ncas/current-activity/2017/09/19/Apache-Releases-Security-Updates-Apache-Tomcat

My ColdFusion 11 Patch 13 servers are at 7.0.75. Does this mean we can expect another update soon?

2017-09-20 17:37:40

Ron,
You can find the checksums at:
https://helpx.adobe.com/in/coldfusion/kb/coldfusion-2016-updates.html
https://helpx.adobe.com/in/coldfusion/kb/coldfusion-11-updates.html

Or, you can simply look it up in the updates.xml configured with the update settings in the CF admin.

2017-09-20 17:14:39

Are the checksums for the hotfix JAR files published somewhere? I had several failures to download the hotfix this morning and I’d like to make sure what I did finally end up is valid before I start trying to apply the update…

2017-09-18 16:27:05

Michael,
If your issue is still unresolved, I'd suggest you contact
cf.install@adobe.com with the update installation log, CF logs (coldfusion-out.log, coldfusion-error.log, exception.log) and your jvm.config file.

2017-09-18 22:03:01 (reply to Anonymous's comment)

I have sent it in.

2017-09-18 06:55:04

Michael, you say you “updated today with 100% success on update but now I am getting an error on server start”.

So by what measure do you mean it was “100% success”? That’s a sincere question, not a snarky one. Do you mean simply that the popup window said the update was a success?

Even if so, did you check the update logs? That's where I tell people to look first, after every update (whether successful or failing; I will explain in a moment where to look for the log).

And if there are any "errors" or "nonfatal errors" indicated there (in a table near the update log, which I will tell you where to find), then usually the reason for that is that CF or a related CF service did not get stopped during the update, so that it did not complete.

And so the solution to that is to stop CF (and the related CF services) and run the update from the command line, and I tell you how to do that, and the above, in a post I did last year:

http://www.carehart.org/blog/client/index.cfm/2016/9/6/solve_common_problems_with_CF_updates_in_10_and_above

Give that a shot and let us know how it goes.

Finally, though I don’t think it would cause the error you are seeing, do note that this update is unique in that you must also be sure to update the JVM, per the blog post above (and the Adobe technote it links to). I will add that I shared above (on the 14th) a post with help for those trying that and having still other problems.

2017-09-18 20:29:39 (reply to Anonymous's comment)

Charlie,
I get you, 100% does not always mean 100%, but this comes from the log:
Installation: Successful.

1159 Successes
0 Warnings
0 NonFatalErrors
0 FatalErrors

Action Notes:

None

As a note, I stopped cf services, ran the update manually, and then restarted the server. I did update the JVM at the same time. I am going to pull up a fresh image of this server and do the JVM first and then do the update and see where I get.

Worst case, if I can't get this update in, you are going to be hired to figure out what the heck is going on.

Cheers and wish me luck.

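The two checks this exchange turns on, as an added example that is not part of the thread: read the counters at the end of the hotfix installer log (the summary Michael quotes, which reports zero errors) and then scan coldfusion-out.log for services that logged "Unable to initialise" at startup, because a clean installer summary says nothing about whether the runtime actually came up. The log excerpts inside the code are constructed in the same format as the ones posted above; the function names are this example's own.

```python
import re

# Counters printed at the end of the hotfix installer log, in the format quoted in this thread.
_COUNTER_RE = re.compile(r"^\s*(\d+)\s+(Successes|Warnings|NonFatalErrors|FatalErrors)\s*$", re.M)
_COUNTERS = ("Successes", "Warnings", "NonFatalErrors", "FatalErrors")


def parse_update_summary(text):
    """Return the four installer counters as a dict.

    Raises ValueError if any counter is missing, so a truncated log can never pass as clean.
    """
    counts = {name: int(num) for num, name in _COUNTER_RE.findall(text)}
    missing = [name for name in _COUNTERS if name not in counts]
    if missing:
        raise ValueError("installer log summary incomplete, missing: %s" % ", ".join(missing))
    return counts


def update_log_clean(text):
    """True only when Warnings, NonFatalErrors and FatalErrors are all zero."""
    counts = parse_update_summary(text)
    return all(counts[name] == 0 for name in ("Warnings", "NonFatalErrors", "FatalErrors"))


# coldfusion-out.log lines are quoted CSV: "Severity","Thread","Date","Time",App,"Message"
_OUT_LINE_RE = re.compile(r'^"(?P<severity>[^"]*)","[^"]*","[^"]*","[^"]*",[^,]*,"(?P<message>.*)"$')
_FAILED_SVC_RE = re.compile(r"^Unable to initialise (.+?) service:")


def failed_services(out_log):
    """Names of CF services that logged 'Unable to initialise ... service' at startup, in order.

    An empty list means every service came up.
    """
    failed = []
    for raw in out_log.splitlines():
        m = _OUT_LINE_RE.match(raw.strip())
        if m is None or m.group("severity") != "Error":
            continue
        svc = _FAILED_SVC_RE.match(m.group("message"))
        if svc:
            failed.append(svc.group(1))
    return failed


def post_update_verdict(update_log, out_log):
    """Both checks together; 'healthy' needs a clean installer summary AND no failed services."""
    clean = update_log_clean(update_log)
    failed = failed_services(out_log)
    return {"installer_clean": clean, "failed_services": failed, "healthy": clean and not failed}


# Constructed samples in the same format as the logs posted in this thread.
SAMPLE_UPDATE_LOG = """\
Installation: Successful.

1159 Successes
0 Warnings
0 NonFatalErrors
0 FatalErrors

Action Notes:

None
"""

SAMPLE_OUT_LOG = """\
"Information","localhost-startStop-1","09/16/17","00:00:10",,"Starting runtime..."
"Error","localhost-startStop-1","09/16/17","00:00:13",,"Unable to initialise Runtime service: java.util.MissingResourceException: Can't find resource for base name coldfusion/server/tomcat/resource.properties"
"Information","localhost-startStop-1","09/16/17","00:00:13",,"Starting client..."
"Error","localhost-startStop-1","09/16/17","00:00:13",,"Unable to initialise Client Storage service: coldfusion.server.ServiceFactory$ServiceNotAvailableException: The Runtime service is not available."
"Information","localhost-startStop-1","09/16/17","00:00:15",,"ColdFusion started"
"""

HEALTHY_OUT_LOG = """\
"Information","localhost-startStop-1","09/16/17","00:00:10",,"Starting runtime..."
"Information","localhost-startStop-1","09/16/17","00:00:13",,"Starting client..."
"Information","localhost-startStop-1","09/16/17","00:00:15",,"ColdFusion started"
"""

if __name__ == "__main__":
    print("installer summary:", parse_update_summary(SAMPLE_UPDATE_LOG))
    print("verdict (broken startup):", post_update_verdict(SAMPLE_UPDATE_LOG, SAMPLE_OUT_LOG))
    print("verdict (healthy startup):", post_update_verdict(SAMPLE_UPDATE_LOG, HEALTHY_OUT_LOG))
```

On a real server, feed the installer log from the hotfix directory and the coldfusion-out.log written after the restart; a "healthy" of False with installer_clean True is exactly the situation in this thread, where the installer reported success but the Runtime service never started.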
2017-09-18 21:51:30 (reply to Anonymous's comment)

Well, that was another fun hour of my life I can't get back. Same exact result as the last time. JVM update first tested well. Stopped all CF services. Ran the update manually; logs show no errors or warnings. Restarted the server and get this in the server logs again:
"Error","localhost-startStop-1","09/18/17","16:10:21",,"Unable to initialise Runtime service: java.util.MissingResourceException: Can't find resource for base name coldfusion/server/tomcat/resource.properties"
"Information","localhost-startStop-1","09/18/17","16:10:21",,"Starting cron..."
"Information","localhost-startStop-1","09/18/17","16:10:21",,"Starting registry..."
"Information","localhost-startStop-1","09/18/17","16:10:21",,"Starting client..."
"Error","localhost-startStop-1","09/18/17","16:10:21",,"Unable to initialise Client Storage service: coldfusion.server.ServiceFactory$ServiceNotAvailableException: The Runtime service is not available. This exception is usually caused by service startup failure. Check your server configuration."
"Information","localhost-startStop-1","09/18/17","16:10:21",,"Starting xmlrpc..."

2017-09-16 05:35:40

Updated today with 100% success on update but now I am getting an error on server start. Any ideas? I have 5 servers to do:
"Information","localhost-startStop-1","09/16/17","00:00:07",,"Starting logging..."
"Information","localhost-startStop-1","09/16/17","00:00:07",,"Starting license..."
"Information","localhost-startStop-1","09/16/17","00:00:09",,"Standard Edition enabled"
"Information","localhost-startStop-1","09/16/17","00:00:09",,"Starting crypto..."
"Information","localhost-startStop-1","09/16/17","00:00:09",,"Starting security..."
"Information","localhost-startStop-1","09/16/17","00:00:09",,"Starting scheduler..."
"Information","localhost-startStop-1","09/16/17","00:00:09",,"Starting WatchService..."
"Information","localhost-startStop-1","09/16/17","00:00:09",,"Starting debugging..."
"Information","localhost-startStop-1","09/16/17","00:00:09",,"Starting sql..."
"Information","localhost-startStop-1","09/16/17","00:00:10",,"Pool Manager Started"
"Information","localhost-startStop-1","09/16/17","00:00:10",,"Starting mail..."
"Information","localhost-startStop-1","09/16/17","00:00:10",,"Starting runtime..."
"Error","localhost-startStop-1","09/16/17","00:00:13",,"Unable to initialise Runtime service: java.util.MissingResourceException: Can't find resource for base name coldfusion/server/tomcat/resource.properties"
"Information","localhost-startStop-1","09/16/17","00:00:13",,"Starting cron..."
"Information","localhost-startStop-1","09/16/17","00:00:13",,"Starting registry..."
"Information","localhost-startStop-1","09/16/17","00:00:13",,"Starting client..."
"Error","localhost-startStop-1","09/16/17","00:00:13",,"Unable to initialise Client Storage service: coldfusion.server.ServiceFactory$ServiceNotAvailableException: The Runtime service is not available. This exception is usually caused by service startup failure. Check your server configuration."
"Information","localhost-startStop-1","09/16/17","00:00:13",,"Starting xmlrpc..."
"Information","localhost-startStop-1","09/16/17","00:00:14",,"Starting jaxrs..."
"Information","localhost-startStop-1","09/16/17","00:00:14",,"Starting graphing..."
"Error","localhost-startStop-1","09/16/17","00:00:14",,"Unable to initialise Graphing service: coldfusion.server.ServiceException: The Runtime service is not available."
"Information","localhost-startStop-1","09/16/17","00:00:14",,"Starting solr..."
"Information","localhost-startStop-1","09/16/17","00:00:14",,"Starting archive..."
"Error","localhost-startStop-1","09/16/17","00:00:14",,"Unable to initialise Archive/Deploy service: java.lang.ExceptionInInitializerError"
"Information","localhost-startStop-1","09/16/17","00:00:14",,"Starting document..."
"Error","localhost-startStop-1","09/16/17","00:00:14",,"Unable to initialise Document service: coldfusion.server.ServiceFactory$ServiceNotAvailableException: The Runtime service is not available. This exception is usually caused by service startup failure. Check your server configuration."
"Information","localhost-startStop-1","09/16/17","00:00:14",,"Starting eventgateway..."
"Information","localhost-startStop-1","09/16/17","00:00:14",,"Starting FlexAssembler..."
"Error","localhost-startStop-1","09/16/17","00:00:14",,"Unable to initialise FlexAssembler service: coldfusion.server.ServiceFactory$ServiceNotAvailableException: The Runtime service is not available. This exception is usually caused by service startup failure. Check your server configuration."
"Information","localhost-startStop-1","09/16/17","00:00:14",,"Starting .NET..."
"Error","localhost-startStop-1","09/16/17","00:00:14",,"Unable to initialise .NET service: coldfusion.server.ServiceFactory$ServiceNotAvailableException: The Runtime service is not available. This exception is usually caused by service startup failure. Check your server configuration."
"Information","localhost-startStop-1","09/16/17","00:00:14",,"Starting Monitoring..."
"Error","localhost-startStop-1","09/16/17","00:00:14",,"Unable to initialise Monitoring service: java.lang.NoClassDefFoundError: Could not initialize class coldfusion.featurerouter.FeatureRouter"
"Information","localhost-startStop-1","09/16/17","00:00:14",,"Starting WebSocket..."
"Error","localhost-startStop-1","09/16/17","00:00:14",,"Unable to initialise WebSocket service: java.lang.NoClassDefFoundError: Could not initialize class coldfusion.featurerouter.FeatureRouter"
"Error","localhost-startStop-1","09/16/17","00:00:15",,"Unable to initialise SecureProfile service: coldfusion.server.ServiceException: The Runtime service is not available."
"Information","localhost-startStop-1","09/16/17","00:00:15",,"ColdFusion started"
"Information","localhost-startStop-1","09/16/17","00:00:15",,"ColdFusion: application services are now available"

2017-09-15 04:40:58

Hello,
This blog reference can be helpful for details on how to change the CF Java version.
http://blogs.coldfusion.com/installing-and-troubleshooting-java-updates-in-coldfusion/
Regards, Carl.

2017-09-14 03:49:23

For anyone who may try updating their JVM, as may be required by this post (and is recommended as well in the lockdown guide), if you find that doing that “breaks your server”, I have a blog post on several common mistakes it’s easy to make and how to avoid/fix them:

http://www.carehart.org/blog/client/index.cfm/2014/12/11/help_I_updated_CFs_JVM_and_it_wont_start

2017-09-13 20:51:13

subscribe

2017-09-13 19:27:33

Michael,
Here's how you can go about using a new JVM with CF. Note that these steps are for a standalone installation of CF. For a JEE installation, you may consult the manual of the container application server your CF is hosted on.
– Download and install the latest JDK (note, that's JDK, not JRE). Follow Oracle's instructions on Java installation.
– Edit the {cf_root}/cfusion/bin/jvm.config file. It should have the following default entry:
java.home=C:\ColdFusion11\jre
Change that to point it to the newly installed JDK.
For example, java.home=C:\Program Files\Java\jdk1.8.0_60\jre
– If you are switching CF from a lower JDK version to a higher version, you need to replace CF's tools.jar with the newer version from the JDK's library. For example, CF11 originally shipped with a bundled JDK 7; if you are upgrading it to JDK 8, copy tools.jar from {java_home}/lib to the {cf_root}/cfusion/lib/ directory. You can skip this step if you are not using CF-based web services.
– If you have replaced tools.jar, you need to delete the stubs (compiled classes) generated with the old JVM, so that they are generated again with the new JDK. To delete the stubs, empty the contents of the {cf_root}/cfusion/stubs/ directory.
– For the changes to take effect, restart CF.
You can find related details in the following technotes:
https://helpx.adobe.com/coldfusion/kb/change-coldfusion-jvm.html
http://blogs.coldfusion.com/when-should-tools-jar-be-updated-in-coldfusion-server/
Please feel free to write back in case you need any clarifications.

2017-09-13 18:43:48

The article states that for the security fixes in these updates to be effective the JVM needs to be updated to the latest version, yet there is no information or link to resources for how that should be done. Is there a definitive article from Adobe on replacing the embedded JVM that comes with ColdFusion?

I’ve done some research and there are conflicting articles. Some say the server JRE can be used, others say it requires the JDK. Some say that tools.jar from the newer version should be copied into the cfusion/lib folder. What is the correct way to replace the JVM?

2017-09-13 18:40:24

[sub]

2017-09-13 11:23:27

Yes, to reiterate, you need to explicitly set that JVM flag on a JEE installation of CF, but not on a standalone installation of CF.

2017-09-13 00:10:42

subscribe

2017-09-13 00:04:42

Miguel,
You don’t need to set that JVM flag in a standalone installation of CF. You can find details on what that flag is used for in the release notes of the minimal JDK version required for this update at:
http://www.oracle.com/technetwork/java/javase/8all-relnotes-2226344.html?printOnly=1#R180_131

2017-09-13 00:17:37 (reply to PiyushN's comment)

Thanks for that additional information. So if using JEE installation type we do need this new setting?

For reference here, this is what that article says about the setting:

Serialization Filter Configuration
Serialization Filtering introduces a new mechanism which allows incoming streams of object-serialization data to be filtered in order to improve both security and robustness. Every ObjectInputStream applies a filter, if configured, to the stream contents during deserialization. Filters are set using either a system property or a configured security property. The value of the "jdk.serialFilter" patterns are described in JEP 290 Serialization Filtering and in <java-home>/lib/security/java.security. Filter actions are logged to the 'java.io.serialization' logger, if enabled.
See JDK-8155760

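To make concrete what the -Djdk.serialFilter value quoted in this thread does, here is a small model of the JEP 290 pattern rules, added as an example; it is not JDK code and not from the thread. Patterns are separated by ';' and tried left to right; a leading '!' rejects a matching class, otherwise a match allows it; a pattern ending in '.**' covers a package and all of its subpackages, '.*' covers that package only, a bare trailing '*' is a prefix match, and anything else is an exact class name. No match leaves the class UNDECIDED, which the stream treats as not rejected. Resource limits such as maxdepth= are skipped, and module-qualified patterns and array handling are left out. The class names used as inputs are illustrative, and ALLOW_LIST is a constructed policy, not Adobe's.

```python
ALLOWED, REJECTED, UNDECIDED = "ALLOWED", "REJECTED", "UNDECIDED"


def _matches(pattern, class_name):
    """One JEP 290 class-name pattern (leading '!' already removed) against a binary class name."""
    if pattern.endswith(".**"):
        # "org.mozilla.**" -> anything under "org.mozilla." including subpackages
        return class_name.startswith(pattern[:-2])
    if pattern.endswith(".*"):
        # "java.util.*" -> classes directly in java.util, but not java.util.concurrent.*
        prefix = pattern[:-1]
        return class_name.startswith(prefix) and "." not in class_name[len(prefix):]
    if pattern.endswith("*"):
        # "java.util.Hash*" -> plain prefix match; "*" alone matches every class
        return class_name.startswith(pattern[:-1])
    return class_name == pattern


def evaluate(filter_spec, class_name):
    """Apply a jdk.serialFilter value to a class name; the first matching pattern decides."""
    for entry in filter_spec.split(";"):
        pattern = entry.strip()
        if not pattern or "=" in pattern:
            continue  # empty entry, or a limit such as maxdepth=20 (not modelled here)
        reject = pattern.startswith("!")
        if reject:
            pattern = pattern[1:]
        if _matches(pattern, class_name):
            return REJECTED if reject else ALLOWED
    return UNDECIDED


ADOBE_FLAG = "!org.mozilla.**"  # the value quoted from the technote in this thread
ALLOW_LIST = "com.example.model.*;java.util.**;!*"  # constructed: allow two packages, reject all else

if __name__ == "__main__":
    cases = [
        (ADOBE_FLAG, "org.mozilla.javascript.NativeJavaObject"),
        (ADOBE_FLAG, "java.util.HashMap"),
        (ALLOW_LIST, "java.util.concurrent.ConcurrentHashMap"),
        (ALLOW_LIST, "com.example.model.internal.Secret"),
    ]
    for spec, name in cases:
        print("%-40s %-45s %s" % (spec, name, evaluate(spec, name)))
```

The deny-only form Adobe specifies leaves every other class UNDECIDED, so it stops one family of gadget classes and nothing else; the allow-list form ending in "!*" is the tighter policy, at the cost of having to enumerate every class the application legitimately deserializes.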
2017-09-12 23:04:14

What does the note referencing "application servers" mean? Isn't every installation of ColdFusion running on an "application server"? Do we all need to apply that JVM flag? What is it for? A little more detail would be helpful.

This is the note I am referring to:

For Application Servers

Additionally, on J2EE installations, set the following JVM flag, “-Djdk.serialFilter=!org.mozilla.** “, in the respective startup file depending on the type of Application Server being used.

For examples,

On Apache Tomcat Application Server, edit JAVA_OPTS in the ‘Catalina.bat/sh’ file
On WebLogic Application Server, edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file
On a WildFly/EAP Application Server, edit JAVA_OPTS in the ‘standalone.conf’ file

2017-09-12 22:11:11

I better grab these updates. Coldfusion keeps getting bigger

2017-09-12 20:59:31

subscribe

2017-09-12 20:53:07

subscribe

2017-09-12 20:48:34

subscribe

2017-09-12 20:40:59

subscribe
