ColdFusion (2021 release) Update 14
Security recommendations
For all security updates, Adobe recommends applying the security configuration settings outlined on the ColdFusion Security page and reviewing the respective Lockdown guides.
Check if you need to create and configure connectors after installing the update. View the section Connector Configuration Table for more information.
What's new and changed
The updates below are cumulative and contain all updates from previous ones. If you are skipping updates, you can apply the latest update, not those you are skipping. Further, you must take note of any changes that are implemented in each of the updates you are skipping.
To install previous updates, see ColdFusion (2021 release) updates.
ColdFusion (2021 release) Update 14 (release date, June 11, 2024) addresses vulnerabilities mentioned in the security bulletin, APSB24-41.
These changes address potential vulnerabilities and threats and are part of our ongoing commitment to protecting your data and privacy.
Significant changes in the release
Change in default algorithm
We will change the default encryption algorithm to enhance the security of your data. The update is a result of a recently identified security vulnerability. Read on to learn more about the change.
Summary of the changes
- The default encryption algorithm in ColdFusion changes from CFMX_COMPAT to another algorithm for seven encryption functions.
- Use the new JVM argument -Dcoldfusion.encryption.useCFMX_COMPATAsDefault=TRUE to make the change, if you need to use CFMX_COMPAT. By default, the value is False.
- The flag -Dcoldfusion.encryption.useCFMX_COMPATAsDefault will be supported in future security updates for the 2023 and 2021 releases of Adobe ColdFusion.
- However, in the next major release of ColdFusion, we WILL remove the flag.
What is changing
The default encryption algorithm in ColdFusion has changed from CFMX_COMPAT to AES/CBC/PKCS5Padding for the following functions:
Additionally, the default encryption algorithm of Hash function has changed from CFMX_COMPAT to SHA-256 hashing algorithm.
The default encryption algorithm for the following Rand* functions has changed from CFMX_COMPAT to SHA1PRNG.
SHA1PRNG is a random number generator
Why is this change important
Our top priority is the security of your data. By adopting a more robust encryption algorithm over a less secure CFMX_COMPAT, we aim to provide stronger protection against emerging security threats.
What if I still want to use CFMX_COMPAT
If you still want to use CFMX_COMPAT, use the new JVM argument, -Dcoldfusion.encryption.useCFMX_COMPATAsDefault=TRUE. This will ensure that the encryption and rand functions default to CFMX_COMPAT.
Adobe recommends that you change the code to use the new default algorithm and use the flag -Dcoldfusion.encryption.useCFMX_COMPATAsDefault temporarily until you make the required changes in the code.
Note that CFMX_COMPAT is still available. However, it is no longer the default algorithm in the encryption functions.
How can I make the changes
To make changes to data that is encrypted and stored using CFMX_COMPAT, follow the steps:
- Retrieve the passwords.
- Decrypt using the CFMX_COMPAT algorithm.
- Encrypt the passwords again with the new algorithm.
- Store the passwords again.
Create new passwords for users whose passwords are already stored.
Generate the key
- For the CFMX_COMPAT algorithm, any combination of any number of characters is used as a seed to generate a 32-bit encryption key.
- For all other algorithms, a key in the algorithm's format is used. To generate the key for these algorithms, use the GenerateSecretKey function.
Now, if you'd used CFMX_COMPAT and the key you were using was in a format that won't work for other/new default algorithms, you must create a new key to have it work with the new default algorithm.
How do I know if CFMX_COMPAT algorithm is used in the code
If you haven’t specified any algorithm, check the function, for example, encrypt(myMessage,key), or if you’ve specified CFMX_COMPAT as the default algorithm, the following example function will confirm the same.
encrypt(myMessage,key,'CFMX_COMPAT', 'Base64')
Does the change in the default algorithm involve any code change
Adobe recommends that you change the code to use the new default algorithm and use the flag -Dcoldfusion.encryption.useCFMX_COMPATAsDefault temporarily until you make the required changes in the code.
Future updates
The flag -Dcoldfusion.encryption.useCFMX_COMPATAsDefault will be supported in future security updates for the 2023 and 2021 releases of Adobe ColdFusion.
However, in the next major release of ColdFusion, we WILL remove the flag.
Any change in the flag will require changes to the application code.
Cfdocument access control issues
We've introduced a new JVM flag: Dcfdocument.metahttpequivrefresh.localfile=TRUE. This flag allows you to call the URL or location passed in the HTML meta tag. By default, the value is FALSE.
Any URL passed in the meta tag is, by default, blocked. If you want to use it, use the flag -Dcfdocument.metahttpequivrefresh.localfile=TRUE.
We recommend that the sanity of the URL be done before adding it to the meta tag.
Package updates
The following packages have been updated:
- document
- htmltopdf
- presentation
- report
CHANGES TO SOLR UPGRADE
If you manually upgraded Solr to version 8.11.2 using the instructions in Upgrade SOLR to mitigate security risks in ColdFusion, then after installing Update 8, SOLR will not downgrade to version 7.9.
ColdFusion JDK flag requirements
COLDFUSION 2021 (version 2021.0.0.323925) and above
For Application Servers
On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**", in the respective startup file depending on the type of Application Server being used.
For example:
- Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file
- WebLogic Application Server: edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file
- WildFly/EAP Application Server: edit JAVA_OPTS in the ‘standalone.conf’ file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.
Prerequisites
- On 64-bit computers, use 64-bit JRE for 64-bit ColdFusion.
- If the ColdFusion server is behind a proxy, specify the proxy settings for the server to get the update notification and download the updates. Specify proxy settings using the system properties below in the jvm.config for a stand-alone installation, or corresponding script file for JEE installation.
- http.proxyHost
- http.proxyPort
- http.proxyUser
- http.proxyPassword
- For ColdFusion running on JEE application servers, stop all application server instances before installing the update.
Installation
ColdFusion Administrator
In Package Manager > Packages, click Check for Updates in Core Server.
After it detects an update, click Update. The core package gets updated with the latest update.
All installed packages that needs an update get updated.
Restart ColdFusion for the changes to take effect.
Install the update in offline mode manually
- Download the hotfix installer from the link.
- Unzip the repository to a place where all ColdFusion server instances can access it.
- Update "packagesurl" in cfusion/lib/neo_updates.xml of cfusion and all its child instances to point to <InstallerReposityUnzippedPath>/bundles/bundlesdependency.json present inside the downloaded folder.
If the core server hotfix installation is successful and if there are errors or issues with packages, packages can be installed/updated from the package manager client(cfusion\bin\cfpm.bat|cfpm.sh).
You must have privileges to start or stop ColdFusion service and full access to the ColdFusion root directory.
- Windows: <cf_root>\jre\bin\java.exe -jar <InstallerReposityUnzippedPath>\bundles\updateinstallers\hotfix-014-330296.jar
- Linux-based platforms: <cf_root>/jre/bin/java -jar <InstallerReposityUnzippedPath>/bundles/updateinstallers/hotfix-014-330296.jar
Ensure that the JRE bundled with ColdFusion is used for executing the downloaded JAR. For standalone ColdFusion, this must be at, <cf_root>/jre/bin.
Install the update from a user account with permission to restart ColdFusion services and other configured webservers.
For further details on manually updating the application, see the help article.
If you are on Java 11.0.20 or higher and want to apply the Hotfix, use the flag java -Djdk.util.zip.disableZip64ExtraFieldValidation=true -jar hotfix.jar.
However, if you are applying the update from the Administrator, you do not require any flag.
Post installation
After applying this update, the ColdFusion build number should be 2021.0.14.330296.
Uninstallation
To uninstall the update, perform one of the following:
- In ColdFusion Administrator, click Uninstall in Server Update > Updates > Installed Updates.
- Run the uninstaller for the update from the command prompt. For example, java -jar {cf_install_home}/{instance_home}/hf_updates/hf-2021-00014-330296/uninstall /uninstaller.jar
If you can't uninstall the update using the above-mentioned uninstall options, the uninstaller could be corrupted. However, you can manually uninstall the update by doing the following:
- Delete the update jar from {cf_install_home}/{instance_name}/lib/updates.
- Copy all folders from {cf_install_home}/{instance_name}/hf-updates/{hf-2021-00014-330296}/backup directory to {cf_install_home}/{instance_name}/
Connector configuration
2021 Update | Connector recreation required |
Update 14 | No However, if upgrading from Update 10 or any previous update, you must recreate the connector.
View the following for more information. |
Update 13 | No However, if upgrading from Update 10 or any previous update, you must recreate the connector.
View the following for more information. |
Update 12 | No However, if upgrading from Update 10 or any previous update, you must recreate the connector.
View the following for more information. |
Update 11 | Yes |
Update 10 | No |
Update 9 | No |
Update 8 | No |
Update 7 | No |
Update 6 | No |
Update 5 | No |
Update 4 | No |
Update 3 | No. You need not upgrade the connector if you had already upgraded the connector in Update 2. |
Update 2 | Yes |
Update 1 | Yes |
Document revision history
- 13 March 2024: Added the impacted scopes and related code samples.