ColdFusion 2021 and 2018 October Security Updates

October 11, 2022

SauravGhosh Follow

(1)

Comments

(16)

October 11, 2022

ColdFusion 2021 and 2018 October Security Updates

SauravGhosh Follow

(1)

(16)

(1)

We are pleased to announce that we have released the updates for the following ColdFusion versions:

In these updates, we’ve fixed a few security and feature-specific bugs, along with other libraries. We’ve also introduced support for M1 macOS.

We’ve also refreshed ColdFusion 2021 installers. You can find the refreshed installers on the ColdFusion downloads page.

For more information, see the tech notes below:

NOTE: After applying this update, you must reinstall any custom hotfixes that might have been applied earlier. The hotfixes for ColdFusion 2021 Update 4 are located in the folder, /ColdFusion2021/cfusion/hf-updates/hf-2021-00005-330109/backup/lib/updates.

These updates fix security vulnerabilities that are mentioned in the security bulletin, APSB22-44.

The Docker images will be hosted shortly on Docker Hub.

Please update your ColdFusion versions and provide us your valuable feedback.

cf2018 updates

cf2021 updates

coldfusion 2018

language

security

updates

(1)

SauravGhosh Follow

16 Comments

Zoltan5FD4

Mar 15, 2023

Zoltan5FD4

Mar 15, 2023

The downloads for these updates do not match their MD5 signatures posted next to them. Have they been reissued? If so, can you please update the MD5 signatures so we can verify them?

Details:

On the page ColdFusion (2021 release) Update 5

File: ColdFusion (2021 release) Update 5 (MD5: 7abc6c0d3b1fc0a72f7020af11eba56c)

The actual MD5 is 39f0c68144587dab24f5a2816da2fb6d. In addition, some files inside the JAR have modification dates of 15 Feb 2023.

On the page ColdFusion (2018 release) Update 15

File: ColdFusion (2018 release) Update 15 (MD5: da38bb17075ce051b67f1e72164daefb )

The actual MD5 is 406b686de1bb0b9009034311286f4d96. In addition, some files inside the JAR have modification dates of 15 Feb 2023.

Please confirm.

()

(1)

Charlie Arehart

Zoltan5FD4

's comment

Mar 16, 2023

Charlie Arehart

Mar 16, 2023

Zoltan5FD4

's comment

Good catch, Zoltan. First, I can confirm what you see, but also I can explain WHY the jars changed. And yes, their mistake now is merely that they need to update the technote with that new MD5 hash when new versions of the update files were placed there in mid-Feb.

As for WHY the update jars were updated then, it was that the jars were re-signed by Adobe with something other than an old SHA1 java signature, as was required as of Java 11.0.17 which was released in January, otherwise Java signature verification would fail. More specifically the problem was that anyone who applied that JVM update (or later) to a CF instance found then that the CF admin feature to download an update would get a “failed signature verification” error.

So Adobe corrected that problem on that date of Feb 15, when hey re-signed the jars… FWIW as “SHA256withRSA, 4096-bit key”.

What’s needed now is for them to update the technote with that new MD5 hash, yes, for the sake of humans or processes which check THAT hash (not to be confused with processes that check that SHA256 signature). To be clear, the new update would work with older Java 11 versions.

FWIW, I have a blog post discussing the problem when it first arose (in Oct 2022 after Java 11.0.17 came out), where I pointed out Adobe’s need to re-sign the jars and also discuss the jarsigner feature of Java that can be used to check that signature for a jar.

()

Legorol

Jan 29, 2023

Legorol

Jan 29, 2023

According to the tech notes:

“LOG FILES PAGE IN COLDFUSION ADMINISTRATOR

In the list of log files, the buttons to View, Download, and Delete a log file have been removed. Also, the log files are no longer clickable.”

After installing this update on CF 2021, I can confirm that I can no longer view, download or delete any log files through the CF Administrator’s Log Files section. The only remaining options are to Archive or Disable logging on a log file. This means there is no mechanism in the CF Administrator to view the contents of the log files.

Why was this change made and how are we supposed to view the contents of the log files now?

(1)

(4)

Charlie Arehart

Legorol

's comment

Jan 29, 2023

Charlie Arehart

Jan 29, 2023

Legorol

's comment

Legorol, we’ve only been told it was for security reasons, with the implications that those features had some vulnerability. We’ve heard no more detail, though the question has been asked in many places.

As for what you’re supposed to do, it would seem their expectation would be that either one would use the file system, or could consider writing ther own code to show themselves the logs (assuming one wouldn’t themselves open some vulnerability).

But *I* can offer you a different solution. I have a blog post from November showing how to restore the functionality. As I say clearly there, this is a ENTIRELY at one’s own risk:

https://www.carehart.org/blog/2022/11/3/restoring_admin_logviewer

But without any clarity on what the “risk” is, people have to decide if their “need” exceeds their trust in Adobe’s concern over the vulnerability. Not a great situation, no.

()

Legorol

Charlie Arehart

's comment

Jan 29, 2023

Legorol

Jan 29, 2023

Charlie Arehart

's comment

Charlie, thank you very much for the very quick reply. I also appreciate the workaround you posted on your blog.

I understand that I’m a couple of months late to the party, but I have looked through coldfusion.adobe.com and haven’t seen this issue discussed before. Apologies for bringing it up in case I missed something.

Could you perhaps link me where this has been discussed anywhere off-site?

()

Charlie Arehart

Legorol

's comment

Jan 29, 2023

Charlie Arehart

Jan 29, 2023

Legorol

's comment

Legorol, let me say first that the domain coldfusion.adobe.com (this portal) is not the only (or even necessarily the first) place on Adobe’s site to look for such discussions. There is also the Adobe cf forums, and in fact this topic was raised there, with someone asking the same question–and me offering an answer with that link and more:

https://community.adobe.com/t5/coldfusion-discussions/log-files-page-in-coldfusion-administrator/m-p/13319752#M193683

Second, as for any “off-site” discussion, I doubt there’s anyplace with more than what’s in my post. But I think you mean “where have people asked Adobe about it and been told only that it’s a security issue, without replying to further pressing”.

Well, I can confirm that as of today, they’ve not replied in comments on it here, nor in that other thread, nor in my blog post–and I don’t see it having been discussed at all at tracker.adove.com.I’m pretty sure I’d seen it asked and not answered in slack or Twitter, but I don’t have those specifics readily available. I can confirm also that I’ve asked Adobe folks directly myself and could get no further clarification than just “it’s a security issue”. (And that’s not too uncommon, if the fear is that discussing it would clarify how non-updated servers could therefore be attacked.)

I’d think here would be perhaps the best place to press the point, if that’s your motivation for asking. Or let us know if you ask for a different reason.

()

Legorol

Charlie Arehart

's comment

Jan 30, 2023

Legorol

Jan 30, 2023

Charlie Arehart

's comment

Thanks Charlie for the link to the discussion forum.

Yes by off-site I meant something like that discussion link. Thanks for the info.

()

TMG2004

Oct 12, 2022

TMG2004

Oct 12, 2022

Tried to update CF 2021 from Update 3 to Update 5 and received the following. We had to rollback to Update 3 which at least now runs our sites but we can’t get into ColdFusion Administrator after we login. The coldfusion-out.log files says the following which I would like to get fixed first so we can get back in to Administrator.

Could not initialize class net.sf.ehcache.config.ConfigurationFactory The specific sequence of files included or processed is: C:\ColdFusion2021\cfusion\wwwroot\CFIDE\administrator\enter.cfm

Below are the logs from the attempt to update.

“Fatal”,”main”,”10/12/22″,”08:16:18″,””,”Unable to install Logging package: java.lang.NoSuchMethodError: org.apache.logging.log4j.util.StackLocatorUtil.getCallerClassLoader(I)Ljava/lang/ClassLoader;”
“Information”,”main”,”10/12/22″,”08:16:18″,””,”Unable to initialise CFStartupServlet:Unable to install Logging package: java.lang.NoSuchMethodError: org.apache.logging.log4j.util.StackLocatorUtil.getCallerClassLoader(I)Ljava/lang/ClassLoader;”
“Information”,”main”,”10/12/22″,”08:16:18″,””,”ColdFusion: application services are now available”
“Error”,”Thread-2″,”10/12/22″,”08:18:58″,””,”The Runtime service is not available. This exception is usually caused by service startup failure. Check your server configuration.”
“Error”,”Thread-2″,”10/12/22″,”08:18:58″,””,”The ClientScope service is not available. This exception is usually caused by service startup failure. Check your server configuration.”
“Error”,”Thread-2″,”10/12/22″,”08:18:58″,””,”The Runtime service is not available. This exception is usually caused by service startup failure. Check your server configuration.”
“Error”,”Thread-2″,”10/12/22″,”08:18:58″,””,”The Security service is not available. This exception is usually caused by service startup failure. Check your server configuration.”
“Error”,”Thread-2″,”10/12/22″,”08:18:58″,””,”null”
“Error”,”Thread-2″,”10/12/22″,”08:18:58″,””,”The Logging service is not available. This exception is usually caused by service startup failure. Check your server configuration.”
“Fatal”,”main”,”10/12/22″,”08:19:35″,””,”Unable to install Logging package: java.lang.NoSuchMethodError: org.apache.logging.log4j.util.StackLocatorUtil.getCallerClassLoader(I)Ljava/lang/ClassLoader;”
“Information”,”main”,”10/12/22″,”08:19:35″,””,”Unable to initialise CFStartupServlet:Unable to install Logging package: java.lang.NoSuchMethodError: org.apache.logging.log4j.util.StackLocatorUtil.getCallerClassLoader(I)Ljava/lang/ClassLoader;”
“Information”,”main”,”10/12/22″,”08:19:35″,””,”ColdFusion: application services are now available”

()

(1)

daveg76322212

Oct 11, 2022

daveg76322212

Oct 11, 2022

Getting the following after installing Update 15 for CF 2018:

“localhost is currently unable to handle this request.
HTTP ERROR 500″

Restarting didn’t help. The install log says everything was successful.

Please advise.

UPDATE: Found this error in the logs:
SEVERE: Servlet.service() for servlet [CfmServlet] in context with path [] threw exception [Servlet execution threw an exception] with root cause
java.lang.NoSuchMethodError: coldfusion.runtime.CFPage.XmlSearch(Lcoldfusion/xml/XmlNodeList;Ljava/lang/String;)Ljava/lang/Object;

()

(2)

sdsinc_pmascari

Oct 11, 2022

sdsinc_pmascari

Oct 11, 2022

“NOTE: After applying this update, you must reinstall any custom hotfixes that might have been applied earlier.”

Why don’t you include previous hotfixes in these updates?

()

(3)

daveg76322212

sdsinc_pmascari

's comment

Oct 11, 2022

daveg76322212

Oct 11, 2022

sdsinc_pmascari

's comment

@sdsinc_pmascari – as I understand it, the update is cumulative. By “custom hotfix” I assume they mean pre-release or similar code from Adobe.

()

Priyank Shrivastava

daveg76322212

's comment

Oct 12, 2022

Priyank Shrivastava

Oct 12, 2022

daveg76322212

's comment

If you have received any custom patch for a bug that you encountered and that is not part of the update, you need to copy that in the current setup. When you update the server, it will remove any custom patch that you had previously applied and copy the same to the backup folder.

()

Priyank Shrivastava

sdsinc_pmascari

's comment

Oct 12, 2022

Priyank Shrivastava

Oct 12, 2022

sdsinc_pmascari

's comment

We did QoQ and couple of other patch in this update which we were unable to include in previous update as they were purely security updates.

()

Add Comment

You must be logged in to post a comment.