We are pleased to announce that we have released the updates for the following ColdFusion versions:
The following are links to the tech notes for each update:
These updates fix security vulnerabilities that are mentioned in the security bulletin, APSB20-16.
The Docker images for these updates are also available.
Please update your ColdFusion versions today. Let us know if you face any issues while installing the updates. Your feedback is essential to further enhancing the product.
We thank you for your continuing support.
Well, I can confirm now a few things (following up on my initial comment here), and they are important to anyone running this most recent CF update.
I wrote them as a lengthy comment here at first, but now I have evolved it into a more complete blog post, here:
How and why your sites may break, and what to do, after applying Mar 2020 update to CF2018 or 2016
Yep, David, and thanks. Though technically it’s not “rebuild” but “upgrade”.
I make that clarification, because in releases prior to 11 we did have to “rebuild” the connector (as in remove and re-add it), but since CF2016 we can just click an upgrade button in the wsconfig tool (or have always been able to use a command-line -upgrade option). Yet I see people even running CF2016 or 2018 who “remove” the connector, not noticing the “upgrade” option. Hope that’s helpful.
Wow, I suspect this update is going to start a lot of trouble for a lot of people. Let me elaborate, for those curious to hear why I say that.
There’s a LOT for people to understand and unpack in that technote, regarding setting of secrets in the server.xml and worker.properties, and the address field in the server.xml.
BTW, there’s a problem in the technote in that in the first reference to server.xml there’s no reference to any sort of secret attribute shown. I can’t tell if that was intentional. But then there’s also none in the example shown later under “Web server and ColdFusion instance(s) are running on different machines”, where it seems it would have been intended.
Also, folks considering all this should know that the name of the attribute has changed before and after the Tomcat update, which is included in this CF update. Before the update, the attribute was called requiredSecret, and after it’s called secret. This should be made more clear there, in case people read this and try changing things on their own (without applying the CF update), or had changed things regarding secrets already (before applying the CF update).
I’ve been meaning to do a blog post on all this, because it is a mess even for just Tomcat users (how the attribute names have changed from the most recent Tomcat update, compared to before, and more). Until then, I will point to this post which does discuss how the attribute name has changed, before and after the recent Tomcat update (which this CF update incorporates).
Then there’s trouble (which Tomcat users have had) about the control of the IP address (as can be set optionally in the server.xml as the “address” attribute), for indicating what IP address should be allowed for requests into the connector from wherever the web server is.
Even if one thinks “my web server is on the same machine as CF, so it should be 127.0.0.1”, the problem is that if your machine supports both ipv4 and ipv6, it won’t be clear WHICH you should set (127.0.0.1, or ::1). The Adobe CF update technote tries to help here, but I don’t think it’s going to be enough info for people.
Just be careful about all this, folks. And be prepared to revert any changes you may try.
Finally, the technote refers to whether one has “locked down” CF, saying, “If you have already locked down ColdFusion, then you need not take any action, since ColdFusion instances are already configured with the requiredSecret attribute”.
Well, first of all, what do you mean by “already locked down”? Since this is in both the CF2018 and 2016 technotes, it CAN’T be referring to the “auto lockdown tool”, as that’s only in CF2018. And therefore it must mean people who have “locked down a server themselves”, perhaps implying “if you have followed all the steps in the lockdown guide”.
But second, not everyone DOES follow ALL the steps in the lockdown guide. And many people may NOT have bothered to try to set up either the secret or ip address limitation feature, regarding the web connector. So some may stop reading at that point and think the rest does not apply.
Also, in saying that a locked-down server “are already configured with the requiredSecret attribute”, well that’s a problem because after the update the attribute is now “secret”, not “requiredSecret”.
On top of all that, sadly, most people won’t even read the technote.
So I wonder (and fear for) what will happen if people proceed with this CF update (and any of these changes are “made for folks”) and then things start failing, with whatever settings they have (or that get changed), when they don’t work. Of course, folks could uninstall the update, but will that undo changes to the connector (workers.properties)? And how will any update done to that file deal with current settings that users may have tuned (like for connection_pool_size, max_reuse_connections, etc.)?
It’s not clear from the technote (on my first read of it, and I have not yet even been able to apply the update myself) what will happen. I’m putting all this out there as a caution for folks, and to start the conversation here.
I know that was a lot to take in. Perhaps it should have been its own blog post. I do look forward to thoughts others may have, and I may share more here (or in a new post).
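The comment above lists three things to check in server.xml and workers.properties after this update: whether the AJP connector still carries the pre-update requiredSecret attribute instead of secret, whether a secret is set at all and matches what the mod_jk worker sends, and which loopback family (127.0.0.1 or ::1) the address attribute pins the connector to. The following Python audit script is an added example, not code from the post, from Adobe, or from the ColdFusion update: it parses copies of the two files and reports those points so they can be reviewed before the connector is restarted. The two server.xml snippets and the workers.properties content are constructed samples; the AJP port 8018 and the worker name cfusion are assumptions.

```python
"""Audit Tomcat AJP connector settings affected by the March 2020 CF/Tomcat update.

Added example (not Adobe's code): reads a server.xml and a mod_jk
workers.properties and reports the requiredSecret -> secret rename, a
missing or mismatched secret, and the address attribute's loopback family.
"""
import re
import xml.etree.ElementTree as ET

# Loopback literals by address family. Which one belongs in 'address'
# depends on the family the web server actually connects over.
LOOPBACK = {"127.0.0.1": "IPv4", "::1": "IPv6"}


def parse_worker_secrets(workers_properties: str) -> dict:
    """Return {worker_name: secret} from 'worker.<name>.secret=...' lines."""
    secrets = {}
    for line in workers_properties.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"worker\.([^.]+)\.secret\s*=\s*(.*)$", line)
        if m:
            secrets[m.group(1)] = m.group(2).strip()
    return secrets


def audit_ajp_connectors(server_xml: str, workers_properties: str = "") -> list:
    """Return a list of {'port': ..., 'notes': [...]} for every AJP <Connector>."""
    root = ET.fromstring(server_xml)
    worker_secrets = parse_worker_secrets(workers_properties)
    results = []
    for conn in root.iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue  # HTTP connectors are not affected by this change
        notes = []
        if "requiredSecret" in conn.attrib:
            notes.append("pre-update attribute 'requiredSecret' present; "
                         "the updated Tomcat reads 'secret' instead")
        secret = conn.get("secret")
        if not secret:
            notes.append("no 'secret' attribute on the AJP connector")
        elif worker_secrets and secret not in worker_secrets.values():
            notes.append("server.xml secret does not match any "
                         "worker.<name>.secret in workers.properties")
        address = conn.get("address")
        if address is None:
            notes.append("no 'address' attribute; bind address falls back to Tomcat's default")
        elif address in LOOPBACK:
            fam = LOOPBACK[address]
            notes.append(f"bound to {fam} loopback only; the web server must connect over {fam}")
        else:
            notes.append(f"bound to {address}; confirm the web server reaches CF via that address")
        results.append({"port": conn.get("port"), "notes": notes})
    return results


# Constructed sample: server.xml still carrying the pre-update attribute name.
SAMPLE_SERVER_XML_OLD = """<Server><Service name="Catalina">
  <Connector port="8500" protocol="HTTP/1.1"/>
  <Connector port="8018" protocol="AJP/1.3" requiredSecret="old-value"/>
</Service></Server>"""

# Constructed sample: post-update names, IPv4 loopback, secret shared with mod_jk.
SAMPLE_SERVER_XML_NEW = """<Server><Service name="Catalina">
  <Connector port="8500" protocol="HTTP/1.1"/>
  <Connector port="8018" protocol="AJP/1.3" address="127.0.0.1" secret="cf-shared-secret"/>
</Service></Server>"""

# Constructed sample workers.properties (worker name 'cfusion' is an assumption).
SAMPLE_WORKERS = """# constructed mod_jk workers.properties
worker.list=cfusion
worker.cfusion.type=ajp13
worker.cfusion.host=127.0.0.1
worker.cfusion.port=8018
worker.cfusion.secret=cf-shared-secret
"""

if __name__ == "__main__":
    for label, xml_text in (("old", SAMPLE_SERVER_XML_OLD), ("new", SAMPLE_SERVER_XML_NEW)):
        for entry in audit_ajp_connectors(xml_text, SAMPLE_WORKERS):
            print(f"[{label}] AJP connector on port {entry['port']}:")
            for note in entry["notes"]:
                print("   -", note)
```

Run it against copies of the real files (for example the server.xml under the instance's runtime/conf directory and the workers.properties the connector writes) before and after applying the update; a connector whose secret differs between the two files, or that still uses requiredSecret, will be flagged so the fix can be made before the web server starts returning errors.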