We are pleased to announce that we have released the updates for the following ColdFusion versions:
The following are links to the tech notes for each update:
The releases address security vulnerabilities, which are documented in the bulletin APSB19-14.
In these updates, we have also introduced the following:
- A new application setting blockedExtForFileUpload to specify a comma-separated list of file extensions for file that must be blocked for uploading.
- In the ColdFusion Administrator, in Server Settings > Settings, there are is an option Blocked file extensions for CFFile uploads. Specify a comma-separated list of file extensions, which will be blocked from being uploaded by the cffile tag/functions.
- The Admin API, setRuntimeProperty has a new property, BlockedExtForFileUpload. The values are a comma-separated list of file extensions to restrict file uploading of the appropriate files.
For more information, see the tech notes and the tag/function documentation.
Staff
43 posts
SauravGhosh – when you guys add security features like this in an update are you also updating the Server Auto-Lockdown installer to include them? (I realize this only applies to ColdFusion 2018)
Miguel, I realize you as asking Adobe, but since it’s been a day, I’ll say that the answer seems “yes and no”.
First, the tool does offer to update CF to the latest available update, so from that perspective, yes the tool is “updated to include” the new security features.
But if you meant, “does the tool implement the new security features even if someone does NOT apply the latest update”, then no it does not itself implement the features.
Be aware CF11 hf 16 (up to and including hf 18) break URLEncodedFormat and builtin encoding such as in cfhttpparam, because it refuses to double encode anything. This will likely break things passing a previously encoded value. (I first noticed the problem as an oauth signature calculated over a return URL failed.)
I found an existing bug report: https://tracker.adobe.com/#/view/CF-4204045
Hello,
The checksum is not correct via https://helpx.adobe.com/coldfusion/kb/coldfusion-11-updates.html
489fdb288d73136b50d5f27993c981fa
It’s not the same as in https://cfdownload.adobe.com/pub/adobe/coldfusion/xml/updates.xml
8270f3d08054e87fb24d4dad7c0cacda
We are talking about a (security) patching, you should really improve your internal check
Thank you julien m for flagging this. We have fixed the error. Thank you.
-Saurav
What file extensions should we setup to block or does the extension default to already block certain extensions.
The list of extensions is offered in both the update technote (for each version) and the admin docs for the new setting, which each technote points to.
Please have a look at my comment concerning “No EURO symbol (€) in Report Builder generated PDF files in ColdFusion 2016 U-9” under: https://coldfusion.adobe.com/2019/02/coldfusion-2016-release-update-9-coldfusion-11-update-17-released/#comment-29703
Maybe someone has an idea where the error could be?!
We’ve also raised a bug with more details an files under: https://tracker.adobe.com/#/view/CF-4204059
A blacklist for file extensions is better than nothing and is appreciated. Please add an option that lets us specify a whitelist for file extensions.
Vincent, you can, in the ACCEPT attribute of cffile.
Another benefit of this fix (it seems, though not stated) is that that’s now honored even if the associated STRICT attribute is set to (or is left to default to) true.
Before the update strangely, any extensions there were ignored if true. That seems confirmed by the new wording added about the strict attribute, though I will raise a concern with them seperately about some info missing in the update of that text.
But Saurav, the technote (and blog post) ought to indicate that as another important change/benefit of this update.
According to this post, this update appears to be an urgent patch for ColdFusion 11, 2016 & 2018.https://threatpost.com/adobe-patches-critical-coldfusion-vulnerability-with-active-exploit/142391/How come this isn’t stated in this blog post? It starts out with “we are pleased to announce”, but fails to mention that it fixes a critical vulnerability and that existing exploits are already being used.
Good point, James. I suspect Saurav simply reused the wording from previous update posts.
Indeed, it’s been quite a while (Jan 2013, I think) since an update was released that was such an emergency (or what some may call a zero-day) update, which seems pretty impressive as its own point.
Still, you make a good suggestion.
This CFMail bug was added in CF2016 U8/9, reported and immediately flagged to be fixed in update 10. https://tracker.adobe.com/#/view/CF-4204050 I just tested after upgrading to 2016.0.10.314028 and verified that it is NOT fixed.
James,
This was an unplanned time-critical update intended exclusively to address a critical vulnerability that was brought to our attention.
That and other bugs with the same release timeline will be re-targeted for the next update.
The technote links for CF2016 and CF11 are pointing to the previous updates (9 and 17 respectively).
Thanks for reporting that, Carl.
The technote for CF2016 is fixed. Looks like CF11 technote was correct.
You must be logged in to post a comment.
23 Nov
10AM Pacific
Online
