ColdFusion (2021 release) Update 19
Security recommendations
For all security updates, Adobe recommends applying the security configuration settings outlined on the ColdFusion Security page and reviewing the respective Lockdown guides.
Check if you need to create and configure connectors after installing the update. View the section Connector Configuration Table for more information.
The updates below are cumulative and contain all updates from previous ones. If you are skipping updates, you can apply the latest update, not those you are skipping. Further, you must take note of any changes that are implemented in each of the updates you are skipping.
To install previous updates, see ColdFusion (2021 release) updates.
What's new and changed
ColdFusion (2021 release) Update 19 (release date, April 8, 2025) resolves several critical and important vulnerabilities that could lead to arbitrary file system read, arbitrary code execution, and security feature bypass.
View the security bulletin, APSB25-15, for more information.
With this update, the serialfilter.txt file present in cfusion/lib will be replaced. So if you already have custom entries added to the file, copy the custom entries from the backup file (cfusion/hf-updates/{version}/backup/lib).
New JVM flags in this update
- -Dcoldfusion.cfencode.decryption.enable
- -Dcoldfusion.pdfg.connectionTimeout
- -Dcoldfusion.datasource.blocked.properties
- -Dcoldfusion.compiler.block.bytecode
View JVM arguments in ColdFusion 2023 and 2021 releases for more information on the flags.
cfencode removal
In ColdFusion (2025 release), the cfencode.exe/cfencode.sh was removed. In this update, the utility is now removed in ColdFusion 2023. However, if you still want to use the previously encoded files, set the JVM flag -Dcoldfusion.cfencode.decryption.enable to true.
IP filtering for HTML to PDF conversion
ColdFusion has introduced IP-based filtering on the Jetty side. View cfhtmltopdf for more information.
Add-on installers
In this update, the add-on installers are refreshed. If you're using the standalone PDFg service, you must reinstall the add-on.
If you want to learn more about securing Solr, see this blog. Find the refreshed installers in ColdFusion downloads.
Known issues in the update
- Sometimes, you are unable to create a PDF due to PDFg service authentication failure. As a workaround, update the service manager and retry creating the PDF.
- If you encounter an issue when using PDF Engine 1.0 on Linux, set up the service on Windows and access it remotely.
- If you encounter the error message, "java.lang.NoClassDefFoundError: coldfusion/document/DocumentScope" while publishing a document to PDF using PDF Engine 1, then clear the Felix cache and restart ColdFusion.
- NullPointerException occurs when executing the CLI command using the ColdFusion Docker image- docker run --rm -it -v ./mywebroot:/app -e acceptEULA=YES adobecoldfusion/coldfusion:latest cli file.cfm. After ColdFusion starts, run CLI from the container.
- If the file jetty-ipaccess.xml is not present in <cf_root>/cfusion/jetty/etc folder, create one with the steps in cfhtmltopdf, and restart Jetty server.
ColdFusion JDK flag requirements
COLDFUSION 2021 (version 2021.0.0.323925) and above
For Application Servers
On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**; !com.mysql.cj.jdbc.interceptors.**;!org.apache.commons.collections.**;", in the respective startup file depending on the type of Application Server being used.
For example:
- Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file
- WebLogic Application Server: edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file
- WildFly/EAP Application Server: edit JAVA_OPTS in the ‘standalone.conf’ file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.
Prerequisites
- On 64-bit computers, use 64-bit JRE for 64-bit ColdFusion.
- If the ColdFusion server is behind a proxy, specify the proxy settings for the server to get the update notification and download the updates. Specify proxy settings using the system properties below in the jvm.config for a stand-alone installation, or corresponding script file for JEE installation.
- http.proxyHost
- http.proxyPort
- http.proxyUser
- http.proxyPassword
- For ColdFusion running on JEE application servers, stop all application server instances before installing the update.
Installation
ColdFusion Administrator
In Package Manager > Packages, click Check for Updates in Core Server.
After it detects an update, click Update. The core package gets updated with the latest update.
All installed packages that needs an update get updated.
Restart ColdFusion for the changes to take effect.
Install the update in offline mode manually
- Download the hotfix installer from the link.
- Download the packages zip file from this link and extract its contents to a location accessible to all ColdFusion server instances.
- Update "packagesurl" in cfusion/lib/neo_updates.xml of cfusion and all its child instances to point to <InstallerReposityUnzippedPath>/bundles/bundlesdependency.json present inside the downloaded folder.
If the core server hotfix installation is successful and if there are errors or issues with packages, packages can be installed/updated from the package manager client(cfusion\bin\cfpm.bat|cfpm.sh).
You must have privileges to start or stop ColdFusion service and full access to the ColdFusion root directory.
- Windows: <cf_root>\jre\bin\java.exe -jar <InstallerReposityUnzippedPath>\bundles\updateinstallers\hotfix-019-330379.jar
- Linux-based platforms: <cf_root>/jre/bin/java -jar <InstallerReposityUnzippedPath>/bundles/updateinstallers/hotfix-019-330379.jar
Ensure that the JRE bundled with ColdFusion is used for executing the downloaded JAR. For standalone ColdFusion, this must be at, <cf_root>/jre/bin.
Install the update from a user account with permission to restart ColdFusion services and other configured webservers.
For further details on manually updating the application, see the help article.
If you are on Java 11.0.20 or higher and want to apply the Hotfix, use the flag java -Djdk.util.zip.disableZip64ExtraFieldValidation=true -jar hotfix.jar.
However, if you are applying the update from the Administrator, you do not require any flag.
Post installation
After applying this update, the ColdFusion build number should be 2021.0.19.330379
Uninstallation
To uninstall the update, perform one of the following:
- In ColdFusion Administrator, click Uninstall in Server Update > Updates > Installed Updates.
- Run the uninstaller for the update from the command prompt. For example, java -jar {cf_install_home}/{instance_home}/hf_updates/hf-2021-00019-330379/uninstall /uninstaller.jar
If you can't uninstall the update using the above-mentioned uninstall options, the uninstaller could be corrupted. However, you can manually uninstall the update by doing the following:
- Delete the update jar from {cf_install_home}/{instance_name}/lib/updates.
- Copy all folders from {cf_install_home}/{instance_name}/hf-updates/{hf-2021-00019-330379}/backup directory to {cf_install_home}/{instance_name}/
Connector configuration
| 2021 Update | Connector recreation required |
| Update 19 | No However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
| Update 18 | No However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
| Update 17 | No However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
| Update 16 | No However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
| Update 15 | No However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
| Update 14 | No However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
| Update 13 | No However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
| Update 12 | No However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
| Update 11 | Yes |
| Update 10 | No |
| Update 9 | No |
| Update 8 | No |
| Update 7 | No |
| Update 6 | No |
| Update 5 | No |
| Update 4 | No |
| Update 3 | No. You need not upgrade the connector if you have already upgraded the connector in Update 2. |
| Update 2 | Yes |
| Update 1 | Yes |
Packages updated
| Update | Packages updated |
| Update 19 | Yes The following packages are updated:
|
| Update 18 | Yes The pmtagent package is updated. |
| Update 17 | Yes |
| Update 16 | No |
| Update 15 | No |
| Update 14 | Yes |
| Update 13 | Yes |
| Update 12 | No |
| Update 11 | Yes |
| Update 10 | No |
| Update 9 | No |
| Update 8 | No |
| Update 7 | No |
| Update 6 | Yes |
| Update 5 | Yes |
| Update 4 | Yes |
| Update 3 | Yes |
| Update 2 | Yes |
| Update 1 | Yes |
