We are pleased to announce that we have released Update 7 of the 2018 release of ColdFusion.
ColdFusion (2018 release) Update 7 addresses vulnerabilities that are mentioned in the security bulletin, APSB19-58.
The update includes a fix for the ColdFusion Administrator UI. The vulnerability affects Windows platform only. Users on non-Windows platform need not apply this update.
For more information, see the tech note.
Please update your ColdFusion versions today. Let us know if you face any issues while installing the updates. Your feedback is essential to further enhancing the product.
We thank you for your continuing support.
To report an issue with the update, file a bug using the public tracker https://tracker.adobe.com/ or send an email to cf.install@adobe.com.
Charlie,
The update primarily fixes a security issue, that affects only a windows based CF installation. It also contains a fix for the scrollbar issue (that is not platform dependent, of course). You can choose to ignore this update if you’re not on Windows. You can always get the fix for the scrollbar with the next update.
For the folks, following along, the updates page in the CF admin UI had an issue where-in the download and install button were not visible in some cases, if the update description was voluminous, as the scroll bar did not render. It only affects you when you are downloading the update.
Thanks for the clarifications, Piyush.
For any readers who may be interest or want another take on “just who needs the update”, I just did a blog post on it: ColdFusion 2018 update 7 released today…do you ‘need’ it?.
Hi Saurav, also noticed a couple of notes on the bulletin:
“Customers who have followed the lockdown procedures during installation are not impacted by this issue. ”
Is this referring to manual and/or auto lock down?
If so the the issue only affects windows users that have not run through one of the lock downs?
I also noticed a JDK requirement – is this new and required for all cf2018 instances?
I was referring to the “On JEE installations, set the following JVM flag, “-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**”, in the respective startup file depending on the type of Application Server being used.”
It lists tomcat but it’s unclear if this applies to the default deployment of ColdFusion or a war file deployment on one of the separate application servers.
Doug, as for that jvm flag, if you read to the end of that section in the security bulletin , you’ll see it attempts to clarify things, saying “Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.”
Those last two words are meant to tell you that yes, the need to set the flags listed there applies only to deployment of CF as a war/ear file, on one of those “separate application servers” as you put it. I appreciate that the phrase “standalone installation” is not as clear as was felt by the Adobe writer of the first sec bulletin that said this, and all those since, which have followed that model.
Saurav, it really would be VERY helpful if you guys would change this to be more clear, better clarifying (at the TOP of that section on the flags in that sec bulletin) how it applies ONLY to ear/war deployments and not how most CF installs are done. The first example’s mention of Tomcat (in that bulletin) only adds to confusion, since people know that “CF runs on Tomcat” (even in standalone mode).
Better still, please ensure that change is carried forward to future security bulletins (and it would be nice if it was changed in the past few, for good measure).
Finally, Doug, you say here that your question on the jvm flag is what you were “referring to” above. I don’t see that. Your previous comment was about JDK *versions* (and also the question of the lockdown tool.) Just felt that should be said, for the sake of consistency. As always, just trying to help (all readers).
Thaank, Saurav. A couple of things are unclear:
- You have wording here saying this update is only for windows users. Is that about the admin scroll bar problem?
- What about the cve (security issue)? Is that also windows only?
- Finally, we couldn’t answer that on our own because when we look at the security technote it merely mentions being about a Cve-2019-8256. But when I google that, I find no results that explain what that is. It seems this cve number has been “reserved”, but there’s no info in normal cve sites about what the issue is. (Be careful trying that search yourself, readers. You may see a result that IS about Windows, but look closely and you’ll see that’s a 2018 cve, not 2019.)
Again, I’m trying mainly to understand if this update is really only for windows, and if it’s only for the scroll bar issue, or is the cve about some other security issue (and is that windows only also)?
You must be logged in to post a comment.