October 11, 2022
ColdFusion 2021 and 2018 October Security Updates

We are pleased to announce that we have released the updates for the following ColdFusion versions:

In these updates, we’ve fixed a few security and feature-specific bugs, along with other libraries. We’ve also introduced support for M1 macOS.

We’ve also refreshed ColdFusion 2021 installers. You can find the refreshed installers on the ColdFusion downloads page.

For more information, see the tech notes below:

NOTE: After applying this update, you must reinstall any custom hotfixes that might have been applied earlier. The hotfixes for ColdFusion 2021 Update 4 are located in the folder, /ColdFusion2021/cfusion/hf-updates/hf-2021-00005-330109/backup/lib/updates.

These updates fix the security vulnerabilities described in security bulletin APSB22-44.

The Docker images will be hosted shortly on Docker Hub.

Please update your ColdFusion versions and provide us your valuable feedback.

9 Comments
2022-10-12 13:44:49

Tried to update CF 2021 from Update 3 to Update 5 and received the following. We had to roll back to Update 3, which at least now runs our sites, but we can’t get into ColdFusion Administrator after we log in. The coldfusion-out.log file says the following, which I would like to get fixed first so we can get back into Administrator.

Could not initialize class net.sf.ehcache.config.ConfigurationFactory The specific sequence of files included or processed is: C:\ColdFusion2021\cfusion\wwwroot\CFIDE\administrator\enter.cfm

Below are the logs from the attempt to update.

"Fatal","main","10/12/22","08:16:18","","Unable to install Logging package: java.lang.NoSuchMethodError: org.apache.logging.log4j.util.StackLocatorUtil.getCallerClassLoader(I)Ljava/lang/ClassLoader;"
"Information","main","10/12/22","08:16:18","","Unable to initialise CFStartupServlet:Unable to install Logging package: java.lang.NoSuchMethodError: org.apache.logging.log4j.util.StackLocatorUtil.getCallerClassLoader(I)Ljava/lang/ClassLoader;"
"Information","main","10/12/22","08:16:18","","ColdFusion: application services are now available"
"Error","Thread-2","10/12/22","08:18:58","","The Runtime service is not available. This exception is usually caused by service startup failure. Check your server configuration."
"Error","Thread-2","10/12/22","08:18:58","","The ClientScope service is not available. This exception is usually caused by service startup failure. Check your server configuration."
"Error","Thread-2","10/12/22","08:18:58","","The Runtime service is not available. This exception is usually caused by service startup failure. Check your server configuration."
"Error","Thread-2","10/12/22","08:18:58","","The Security service is not available. This exception is usually caused by service startup failure. Check your server configuration."
"Error","Thread-2","10/12/22","08:18:58","","null"
"Error","Thread-2","10/12/22","08:18:58","","The Logging service is not available. This exception is usually caused by service startup failure. Check your server configuration."
"Fatal","main","10/12/22","08:19:35","","Unable to install Logging package: java.lang.NoSuchMethodError: org.apache.logging.log4j.util.StackLocatorUtil.getCallerClassLoader(I)Ljava/lang/ClassLoader;"
"Information","main","10/12/22","08:19:35","","Unable to initialise CFStartupServlet:Unable to install Logging package: java.lang.NoSuchMethodError: org.apache.logging.log4j.util.StackLocatorUtil.getCallerClassLoader(I)Ljava/lang/ClassLoader;"
"Information","main","10/12/22","08:19:35","","ColdFusion: application services are now available"

> TMG2004's comment
2022-10-12 14:52:30

Hi,

Can you please clear the cfclasses from the ColdFusion instance? If that doesn’t work, please send an email to cfsup@adobe.com.
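A post-update check over log lines in the format quoted in the comment above, as an added example (not code from the original post or from Adobe): it counts Fatal entries, extracts the method named in each NoSuchMethodError, and lists the services reported unavailable. The field names and the sample lines are assumptions constructed from the lines in that comment.

```python
import csv
import re
from collections import Counter

# Constructed sample in the quoted-CSV layout of the log lines posted above
# (field names below are inferred from those lines, not from Adobe docs).
SAMPLE_LOG = '''\
"Fatal","main","10/12/22","08:16:18","","Unable to install Logging package: java.lang.NoSuchMethodError: org.apache.logging.log4j.util.StackLocatorUtil.getCallerClassLoader(I)Ljava/lang/ClassLoader;"
"Information","main","10/12/22","08:16:18","","ColdFusion: application services are now available"
"Error","Thread-2","10/12/22","08:18:58","","The Security service is not available. This exception is usually caused by service startup failure. Check your server configuration."
"Error","Thread-2","10/12/22","08:18:58","","null"
'''

FIELDS = ("severity", "thread", "date", "time", "application", "message")
MISSING_METHOD = re.compile(r"NoSuchMethodError: ([\w.$]+)\(")
SERVICE_DOWN = re.compile(r"The (\w+) service is not available")


def check_startup(log_text):
    """Summarise post-update startup problems found in ColdFusion log text."""
    report = {"fatal": 0, "missing_methods": Counter(), "services_down": set()}
    for row in csv.reader(log_text.splitlines()):
        if len(row) != len(FIELDS):
            continue  # blank or wrapped line
        entry = dict(zip(FIELDS, row))
        if entry["severity"] == "Fatal":
            report["fatal"] += 1
        # A NoSuchMethodError means a class was loaded against a library
        # version that lacks the method it was compiled to call.
        m = MISSING_METHOD.search(entry["message"])
        if m:
            report["missing_methods"][m.group(1)] += 1
        s = SERVICE_DOWN.search(entry["message"])
        if s:
            report["services_down"].add(s.group(1))
    report["healthy"] = not (report["fatal"] or report["missing_methods"]
                             or report["services_down"])
    return report


if __name__ == "__main__":
    result = check_startup(SAMPLE_LOG)
    print("healthy:", result["healthy"])
    for method, count in result["missing_methods"].items():
        print(f"missing method ({count}x): {method}")
    print("services down:", sorted(result["services_down"]))
```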
2022-10-11 20:15:13

Getting the following after installing Update 15 for CF 2018:

“localhost is currently unable to handle this request.
HTTP ERROR 500”

Restarting didn’t help. The install log says everything was successful.

Please advise.

UPDATE: Found this error in the logs:
SEVERE: Servlet.service() for servlet [CfmServlet] in context with path [] threw exception [Servlet execution threw an exception] with root cause
java.lang.NoSuchMethodError: coldfusion.runtime.CFPage.XmlSearch(Lcoldfusion/xml/XmlNodeList;Ljava/lang/String;)Ljava/lang/Object;

> daveg76322212's comment
2022-10-11 20:43:10

I found a temporary solution – if you lowercase XmlSearch, it works.

> daveg76322212's comment
2022-10-12 10:02:31

You can clear the cfclasses and it will work.

2022-10-11 16:16:26

“NOTE: After applying this update, you must reinstall any custom hotfixes that might have been applied earlier.”

Why don’t you include previous hotfixes in these updates?

> sdsinc_pmascari's comment
2022-10-11 20:45:59

@sdsinc_pmascari – as I understand it, the update is cumulative. By “custom hotfix” I assume they mean pre-release or similar code from Adobe.

> daveg76322212's comment
2022-10-12 10:04:24

If you have received any custom patch for a bug that you encountered and that is not part of the update, you need to copy that in the current setup. When you update the server, it will remove any custom patch that you had previously applied and copy the same to the backup folder.

> sdsinc_pmascari's comment
2022-10-12 10:05:24

We did QoQ and a couple of other patches in this update, which we were unable to include in the previous update as they were purely security updates.
