May 10, 2022
ColdFusion 2021 and 2018 May Security Updates

We are pleased to announce that we have released the updates for the following ColdFusion versions:

Note: The ColdFusion Add-Ons and lockdown installers are also refreshed. The refreshed installers are available at ColdFusion downloads.

In these updates, we’ve fixed a few security bugs, and upgraded Tomcat, along with other libraries.

NOTE: After applying this update, you must reinstall any custom hotfixes that might have been applied earlier. The hotfixes for ColdFusion 2021 Update 4 are located in the folder, /ColdFusion2021/cfusion/hf-updates/hf-2021-00004-330004/backup/lib/updates.

These updates fix security vulnerabilities that are mentioned in the security bulletin, APSB22-22.

The Docker images will be hosted shortly on Docker Hub.

Please update your ColdFusion versions and provide us your valuable feedback.

19 Comments
2022-05-18 17:46:30

Where might I get more information about one of the “known issues” listed for CF18 Update 14:

https://helpx.adobe.com/coldfusion/kb/coldfusion-2018-update-14.html

“When applying Update 14 on ColdFusion with no built-in Add-ons, jetty folder is created with updated log4j jars which can be used in remote add-on installations.”

What are the implications of this “issue”?

2022-05-17 23:11:33

Just use trycf.com to debug the issue we are having with CF 2021. Get different responses with CF 2018 and CF 2021.

<cfset xx = '1.'>
<cfif xx EQ '1.'>TRUE<cfelse>FALSE</cfif>

Fun stuff.

2022-05-16 20:04:49

Is there a list of special hotfixes that are available (like the one for Query of Queries?)

thanks
Xamax

2022-05-12 10:38:01

We just paid 5K in licenses and this is what you get from Adobe. Quite disappointing.

2022-05-12 10:37:30

We just paid 5K (!!!) in licenses and this is what you get from Adobe. Quite disappointing.

2022-05-11 14:45:58

Adobe, when can we expect an update to include existing special Hotfixes (Q of Q …)?

You already have the code. It’s been months, why not issue a separate Hotfix to address this?

Can this Security update be listed on https://coldfusion.adobe.com/blogs/?

In reply to ellipsisces1292chris's comment
2022-05-11 14:54:36

Chris, do you mean instead, “why not issue a separate *update*”? FWIW, I’m definitely with you on your disappointment that the many existing hotfixes (since the Sept updates introduced bugs) are not included in this update. See my first comment below.

But then you ask if this update can be listed on the blog. That’s indeed what this post is doing. Or did you mean something different?

In reply to Charlie Arehart's comment
2022-05-11 15:19:42

Attachment

Hey Charlie, correct, separate update; thanks for catching that.

Believe in the past Security/HF updates were listed on the main ColdFusion blog page; it’s not listed there now. I had to hunt for this article under the “Discussion” > “Updates” section. Attached image is what I see on the main ColdFusion blog page.
https://coldfusion.adobe.com/blogs/

Thanks

In reply to ellipsisces1292chris's comment
2022-05-11 16:05:20

Chris, I see now. First, fwiw the blog post IS listed on that page you point to. It’s under the “Recent Blogs”, which is at the bottom. I have long complained that that section is not up near the top. Apparently, it’s a coding effort to get that changed, and there doesn’t seem to be anyone taking responsibility to do that.

But as for what is AT the top, the “Featured Blogs” (whose screenshot you show), some very good news is that what’s listed in THAT section is indeed editable by the blog admins (via configuration). And it’s just a matter of time for them to think to promote a blog post like this one that way: it’s not automatic. Now that you’ve pointed it out, that should be done soon.

Until then, though, again folks who come to the front page of the portal looking for recent posts can at least find them, albeit at the bottom. 🙁 And FWIW, they also posted news of this update in the CF forums. Saurav has been good at doing that for each of the past few updates.

In reply to Charlie Arehart's comment
2022-05-12 12:17:29

Charlie, thanks for taking a look and explaining. Looks like admins have promoted the article to the featured section. Thanks again.

2022-05-10 17:47:31

The community has been requesting a separation of bug/feature update patches from security patches for a very long time. This is the first time we are finally doing this, after more than a year of my championing it internally. There is no possible way that a patch or update would be able to tell which particular hotfix you may or may have not installed in order to change the code around in the patch (it would end up a nasty mess of if/else/then). So we move those hotfixes to a backup directory from which they are then able to be re-applied immediately following the security update. Apologies that the instructions and update did not include these directions, we are adding that nomenclature now.

In reply to MarkTakata's comment
2022-05-10 18:23:43

Those are two totally separate points.

On the first, I agree to the value of offering updates that are either sec fixes only or sec plus bug fixes (and even new features). In fact I have called for it as well, such as my 2019 post on the topic. But the problem is that there IS no “other update” that DOES roll in both the sec updates and your current known/tested hotfixes–some of which are now nearly 9 months existent. And so we’re stuck in the unfortunate state we’re in now.

On your second point (“there is no possible way”), this is confusing matters. No one was suggesting you do anything of the sort. I even acknowledged both WHY the update mechanism does remove current special hotfixes and I even showed HOW to resolve that, like you mention. And sure, it would help a lot if the technote were to clarify that.

But the bigger point is that we should not HAVE to be screwing around with this, as this update is 5 months after the Dec one. And most folks never read the technotes anyway, so we (you guys, I, and others in the CF support community) will be spending now hours, days, weeks and perhaps even months helping people with this–until you guys DO come out with the next update that DOES include current known/well-tested hotfixes.

Again, if it was released today as one of two options, I might have celebrated (though I’d need to see how it was implemented). Instead, I stand by my severe dismay at the confusion this will cause. (And please, don’t anyone throw in my face how this will make me more money in my troubleshooting consulting. It’s blood money, that no one should have to BE spending to get such help, when this could have been fixed by Adobe instead.)

I don’t get angry publicly with Adobe about much. (The last was perhaps when the CF Security Code Analyzer was made available in CF2016 for Enterprise only–and at least that seems to have been changed in 2021, as I blogged about last July.) This issue just REALLY irks me, and as much in sympathy with the majority of CF users who will be tripping over this for a long time now.

In reply to MarkTakata's comment
2022-05-10 18:38:37

We tried installing this and it bricked the server. Attempting to uninstall produced a “Can’t uninstall this update” message. Thankfully, our hosting service was able to get us back running fairly quickly.

In reply to MarkTakata's comment
2022-05-10 18:47:15

Still another issue (beyond the hassle of recovering fixes) is the simple matter that there’s no single resource helping folks know what ARE the current nasty bugs that have existed since the Sept updates, like the query or queries bug and its fix. I’d held off creating such a post as I kept hoping instead (the past few months) that the next update coming out WOULD include them all.

And this will affect not only folks who may be coming to the May 2022 updates without having applied the Sep or Dec ones, but it will also hit those installing CF2021 for the first time. If they use the installer that was refreshed in Sept 2021, that will include update 2 (and Java 11.0.11); if they use the original CF2021 installer from Nov 2020, that of course has NO CF updates (and Java 11.0.1). They will face the problem of the various bugs introduced in CF2021 update 2 in September. That’s all the more reason I find this to be SUCH a regrettable situation, that should have been fixed by now (May 2022).

In reply to sdsinc_pmascari's comment
2022-05-10 18:54:46

Hey Paul (sdsinc_pmascari), as for the update “bricking your server”, I’ll say that I doubt that’s an issue with this specific update. Such errors can happen (for a number of reasons) with ANY CF update, with errors during installation and that are logged in a special hotfix log file. FWIW, I have a blog post with more details, to help folks who face that situation.

Glad yours got resolved, of course.

(And while I can say I applied today’s update without issue, time will tell of course if somehow there MAY be something amiss about it. I just want to stress that there is usually an explanation that’s not about the update itself, but errors during its installation–which could have happened for you with ANY cf update, I mean.)

In reply to Charlie Arehart's comment
2022-05-11 18:01:36

There have been enough issues with updates, hotfixes, etc over the years that I cringe any time I have to install one. Remember the one a few years ago that wiped out all your datasources!

Come on, Adobe. You can do better. It’s crap like this that makes CF devs feel like 3rd class citizens in Adobe’s world.

In reply to MarkTakata's comment
2022-05-12 12:10:14

Do we still need to keep the -Dlog4j2.formatMsgNoLookups=true argument in the JVM.config?

2022-05-10 17:27:48

Adobe! Please address this! I’ve been sent several hotfixes since ACF 2018 Update 13 and have been waiting for the next cumulative update. Having update 14 automatically remove any manually applied hotfixes is irresponsible at best.

2022-05-10 16:43:55

What’s not said here (or in the technotes) is that the updates include NO bug fixes–I mean for bugs that have had FIXES for months, which could be corrected by those who knew how and where to get/apply the special hotfixes. It is borderline criminal that this update did NOT include those!

Most are bugs which have plagued CF since the Sept updates (update 2 for CF2021, update 12 for CF2018), and people have had to add special hotfixes (such as the one for query of queries, discussed and offered here.) It’s bad enough that this latest update does not AUTOMATICALLY include this and other long-known/-fixed bugs.

What’s worse is that when people DO apply this update, they will find that these special hotfixes they had added before will now be REMOVED. Sure, that’s the intended behavior of the update mechanism, since it came out in CF10: it would remove special hotfixes automatically on the presumption that the new update incorporated the fix. This one did not. And just as happened with the Dec updates (3 and 13), now people will find that any special hotfixes they had added will be removed.

Some “good” news on that point is that such special hotfixes are backed up along with all else that the update changes, and anyone who had added such a special hotfix could find it in the backup of the lib/updates folder. So for example, if you had applied the special q of q hotfix for CF2021 (hf202100-4212383.jar), after this update as a Windows user you would find it in /ColdFusion2021/cfusion/hf-updates/hf-2021-00004-330004/backup/lib/updates. You could copy the hf jar back into the cfusion/lib/updates and restart CF to get the “fix” back. (Do NOT copy from that backup the chf jar, as that would have been the cumulative hotfix jar for whatever update you were on BEFORE this one. If you had been on update 3, it would be chf20210003.jar. You do NOT want to put that in alongside of–let alone replace–the new chf20210004.jar that update 4 would have put in lib/updates.)

But my point is that we should NOT be having to play these games (or worry about such matters), now nearly 9 months since multiple bugs were introduced in the Sept updates and long since fixed. That’s why I say this borders on criminal negligence to have dropped this ball. We could forgive it in December, which was an emergency fix for Log4j. But you’ve had 5 months since then to have packaged in such available hotfixes!

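The restore step described in the comment above (copy the special hf jar back into lib/updates, but never the old chf jar), as an added shell example that is neither Adobe's tooling nor the commenter's code; the directory names follow the CF2021 Update 4 paths quoted in the thread, and the jar tree the demo builds is a constructed stand-in with empty files.

```shell
#!/bin/sh
# Added example, not Adobe's tooling: re-apply the special hotfixes (hf*.jar)
# that a ColdFusion security update moved into its backup folder, while
# refusing to restore the OLD cumulative hotfix (chf*.jar) backed up alongside.
# Directory layout and jar names follow the CF2021 Update 4 case in the post.

# restore_special_hotfixes BACKUP_DIR UPDATES_DIR
# Copies hf*.jar from BACKUP_DIR into UPDATES_DIR; skips chf*.jar, non-hotfix
# files and jars already present; echoes how many jars were restored.
restore_special_hotfixes() {
    backup_dir="$1"; updates_dir="$2"; restored=0
    [ -d "$backup_dir" ]  || { echo "missing backup dir: $backup_dir" >&2; return 1; }
    [ -d "$updates_dir" ] || { echo "missing lib/updates: $updates_dir" >&2; return 1; }
    for jar in "$backup_dir"/*.jar; do
        [ -f "$jar" ] || continue                 # glob matched nothing
        name=$(basename "$jar")
        case "$name" in
            chf*.jar) echo "skip $name: old cumulative hotfix" >&2; continue ;;
            hf*.jar)  ;;                          # special hotfix: restore it
            *)        echo "skip $name: not a hotfix jar" >&2; continue ;;
        esac
        if [ -e "$updates_dir/$name" ]; then
            echo "skip $name: already in lib/updates" >&2; continue
        fi
        cp "$jar" "$updates_dir/$name" && restored=$((restored + 1))
    done
    echo "$restored"
}

# make_demo_tree ROOT: constructed stand-in for a post-update install (empty
# files in place of real jars). Sets DEMO_BK (backup) and DEMO_UP (lib/updates).
make_demo_tree() {
    DEMO_BK="$1/cfusion/hf-updates/hf-2021-00004-330004/backup/lib/updates"
    DEMO_UP="$1/cfusion/lib/updates"
    mkdir -p "$DEMO_BK" "$DEMO_UP"
    : > "$DEMO_BK/hf202100-4212383.jar"   # Q-of-Q special hotfix: bring back
    : > "$DEMO_BK/chf20210003.jar"        # Update 3 cumulative jar: leave alone
    : > "$DEMO_UP/chf20210004.jar"        # Update 4 cumulative jar: already there
}

demo() {
    demo_root=$(mktemp -d)
    make_demo_tree "$demo_root"
    n=$(restore_special_hotfixes "$DEMO_BK" "$DEMO_UP")
    echo "restored $n jar(s); lib/updates now holds:"
    ls "$DEMO_UP"
    rm -rf "$demo_root"
}
demo
```

Against a real install, point the function at the actual backup and cfusion/lib/updates paths with ColdFusion stopped, then restart CF so the restored jar is loaded, as the comment says.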