ColdFusion (2018 release) Update 3, ColdFusion (2016 release) Update 10, and ColdFusion 11 Update 18 released

March 1, 2019
Staff 29 posts
Followers: 18 people
16

ColdFusion (2018 release) Update 3, ColdFusion (2016 release) Update 10, and ColdFusion 11 Update 18 released

Staff 29 posts
Followers: 18 people
March 1, 2019

We are pleased to announce that we have released the updates for the following ColdFusion versions:

The following are links to the tech notes for each update:

The releases address security vulnerabilities, which are documented in the bulletin APSB19-14.

In these updates, we have also introduced the following:

  • A new application setting blockedExtForFileUpload to specify a comma-separated list of file extensions for file that must be blocked for uploading.
  • In the ColdFusion Administrator, in Server Settings > Settings, there are is an option Blocked file extensions for CFFile uploads. Specify a comma-separated list of file extensions, which will be blocked from being uploaded by the cffile tag/functions.
  • The Admin API, setRuntimeProperty has a new property, BlockedExtForFileUpload. The values are a comma-separated list of file extensions to restrict file uploading of the appropriate files.

For more information, see the tech notes and the tag/function documentation.

Comments (16)
2019-03-25 18:18:42
2019-03-25 18:18:42

SauravGhosh – when you guys add security features like this in an update are you also updating the Server Auto-Lockdown installer to include them? (I realize this only applies to ColdFusion 2018)

Like
(1)
(1)
>
Miguel Fernandez
's comment
2019-03-27 02:49:16
2019-03-27 02:49:16
>
Miguel Fernandez
's comment

Miguel, I realize you as asking Adobe, but since it’s been a day, I’ll say that the answer seems “yes and no”.

First, the tool does offer to update CF to the latest available update, so from that perspective, yes the tool is “updated to include” the new security features.

But if you meant, “does the tool implement the new security features even if someone does NOT apply the latest update”, then no it does not itself implement the features.

Like
(1)
2019-03-06 19:23:37
2019-03-06 19:23:37

Be aware CF11 hf 16 (up to and including hf 18) break URLEncodedFormat and builtin encoding such as in cfhttpparam, because it refuses to double encode anything. This will likely break things passing a previously encoded value. (I first noticed the problem as an oauth signature calculated over a return URL failed.)

I found an existing bug report: https://tracker.adobe.com/#/view/CF-4204045

Like
(1)
2019-03-05 10:18:55
2019-03-05 10:18:55

Hello,

The checksum is not correct via https://helpx.adobe.com/coldfusion/kb/coldfusion-11-updates.html

489fdb288d73136b50d5f27993c981fa

It’s not the same as in https://cfdownload.adobe.com/pub/adobe/coldfusion/xml/updates.xml

8270f3d08054e87fb24d4dad7c0cacda

We are talking about a (security) patching, you should really improve your internal check

 

Like
(1)
>
julien m
's comment
2019-03-05 11:30:06
2019-03-05 11:30:06
>
julien m
's comment

Thank you julien m for flagging this. We have fixed the error. Thank you.

-Saurav

Like
2019-03-04 18:07:03
2019-03-04 18:07:03

What file extensions should we setup to block or does the extension default to already block certain extensions.

Like
(1)
>
cinemaApe
's comment
2019-03-05 12:22:21
2019-03-05 12:22:21
>
cinemaApe
's comment

The list of extensions is offered in both the update technote (for each version) and the admin docs for the new setting, which each technote points to.

Like
2019-03-03 13:09:37
2019-03-03 13:09:37

Please have a look at my comment concerning “No EURO symbol (€) in Report Builder generated PDF files in ColdFusion 2016 U-9” under: https://coldfusion.adobe.com/2019/02/coldfusion-2016-release-update-9-coldfusion-11-update-17-released/#comment-29703

Maybe someone has an idea where the error could be?!

We’ve also raised a bug with more details an files under: https://tracker.adobe.com/#/view/CF-4204059

Like
2019-03-01 23:29:11
2019-03-01 23:29:11

A blacklist for file extensions is better than nothing and is appreciated. Please add an option that lets us specify a whitelist for file extensions.

Like
(1)
>
Vincent Krist
's comment
2019-03-05 12:43:16
2019-03-05 12:43:16
>
Vincent Krist
's comment

Vincent, you can, in the ACCEPT attribute of cffile.

Another benefit of this fix (it seems, though not stated) is that that’s now honored even if the associated STRICT attribute is set to (or is left to default to) true.

Before the update  strangely, any extensions there were ignored if true. That seems confirmed by the new wording added about the strict attribute, though I will raise a concern with them seperately about some info missing in the update of that text.

But Saurav, the technote (and blog post) ought to indicate that as another important change/benefit of this update.

Like
2019-03-01 23:02:36
2019-03-01 23:02:36

According to this post, this update appears to be an urgent patch for ColdFusion 11, 2016 & 2018.https://threatpost.com/adobe-patches-critical-coldfusion-vulnerability-with-active-exploit/142391/How come this isn’t stated in this blog post?  It starts out with “we are pleased to announce”, but fails to mention that it fixes a critical vulnerability and that existing exploits are already being used.

Like
(2)
(1)
>
James Moberg
's comment
2019-03-05 12:49:02
2019-03-05 12:49:02
>
James Moberg
's comment

Good point, James. I suspect Saurav simply reused the wording from previous update posts.

Indeed, it’s been quite a while (Jan 2013, I think) since an update was released that was such an emergency (or what some may call a zero-day) update, which seems pretty impressive as its own point.

Still, you make a good suggestion.

Like
2019-03-01 22:37:31
2019-03-01 22:37:31

This CFMail bug was added in CF2016 U8/9, reported and immediately flagged to be fixed in update 10.    https://tracker.adobe.com/#/view/CF-4204050    I just tested after upgrading to 2016.0.10.314028 and verified that it is NOT fixed.  

Like
(1)
(1)
>
James Moberg
's comment
2019-03-02 07:36:01
2019-03-02 07:36:01
>
James Moberg
's comment

James,

This was an unplanned time-critical update intended exclusively to address a critical vulnerability that was brought to our attention.

That and other bugs with the same release timeline will be re-targeted for the next update.

Like
(1)
2019-03-01 18:34:23
2019-03-01 18:34:23

The technote links for CF2016 and CF11 are pointing to the previous updates (9 and 17 respectively).

Like
(1)
>
Carl Von Stetten
's comment
2019-03-01 19:17:42
2019-03-01 19:17:42
>
Carl Von Stetten
's comment

Thanks for reporting that, Carl.

The technote for CF2016 is fixed. Looks like CF11 technote was correct.

Like
Add your comment