ColdFusion (2021 release) Update 3

ColdFusion (2021 release) Update 3 (release date, 17 December, 2021) addresses vulnerabilities that are mentioned in CVE-2021-44228 and CVE-2021-45046.

If you had applied the mitigation steps in Log4j vulnerability on ColdFusion, we still strongly recommend that you apply this update.

UPDATE: After applying the December updates, you need to upgrade the Log4j 2.x jars to Log4j 2.17 jars. For more information, see this document.

We are aware of scanners flagging cf-logging.jar as vulnerable. After analyzing the vulnerability, we are confident that ColdFusion installation is safe from any possible attack vectors. Nevertheless, we will be removing the vulnerable classes in the upcoming release.

Prerequisites

1. On 64-bit computers, use 64-bit JRE for 64-bit ColdFusion.
2. If the ColdFusion server is behind a proxy, specify the proxy settings for the server to get the update notification and download the updates. Specify proxy settings using the system properties below in the jvm.config for a stand-alone installation, or corresponding script file for JEE installation.
   • http.proxyHost
   • http.proxyPort
   • http.proxyUser
   • http.proxyPassword
3. For ColdFusion running on JEE application servers, stop all application server instances before installing the update.

Installation

ColdFusion Administrator

In Package Manager > Packages, click Check for Updates in Core Server.

After it detects an update, click Update. The core package gets updated the the latest update.

All installed packages also get updated.

Restart ColdFusion for the changes to take effect.

Install the update in offline mode manually

1. Download the hotfix installer and repository from the link. If you are on Update 2, apply this hotfix directly, or else, follow the steps below.
2. Unzip to a place where it can be accessed by all ColdFusion server instances.
3. Update "packagesurl" in cfusion/lib/neo_updates.xml of cfusion and all its child instances to point to <InstallerReposityUnzippedPath>/bundles/bundlesdependency.json present inside the downloaded folder.

If the core server hotfix installation is successful and if there are errors  or issues with packages, packages can be installed/updated from the package manager client(cfusion\bin\cfpm.bat|cfpm.sh).

You must have privileges to start or stop ColdFusion service and full access to the ColdFusion root directory.

• Windows: <cf_root>\jre\bin\java.exe -jar <InstallerReposityUnzippedPath>\bundles\updateinstallers\hotfix-003-329779.jar
  
• Linux-based platforms: <cf_root>/jre/bin/java -jar  <InstallerReposityUnzippedPath>/bundles/updateinstallers/hotfix-003-329779.jar

Ensure that the JRE bundled with ColdFusion is used for executing the downloaded JAR. For standalone ColdFusion, this must be at, <cf_root>/jre/bin.

Install the update from a user account that has permissions to restart ColdFusion services and other configured webservers .

For further details on how to manually update the application, see the help article.

Post installation

Uninstallation

To uninstall the update, perform one of the following:

• In ColdFusion Administrator, click Uninstall in Server Update > Updates > Installed Updates.
• Run the uninstaller for the update from the command prompt. For example, java -jar {cf_install_home}/{instance_home}/hf_updates/hf-2021-00003-329779/uninstall /uninstaller.jar

If you can't uninstall the update using the above-mentioned uninstall options, the uninstaller could be corrupted. However, you can manually uninstall the update by doing the following:

1. Delete the update jar from {cf_install_home}/{instance_name}/lib/updates.
2. Copy all folders from {cf_install_home}/{instance_name}/hf-updates/{hf-2021-00003-329779}/backup directory to {cf_install_home}/{instance_name}/

Connector configuration