ColdFusion (2021 release) Update 16

Security recommendations

For all security updates, Adobe recommends applying the security configuration settings outlined on the ColdFusion Security page and reviewing the respective Lockdown guides.  

• ColdFusion 2023 Lockdown Guide
• ColdFusion 2021 Lockdown Guide

ColdFusion (2021 release) Update 16 (release date, September 10, 2024) resolves a critical vulnerability that could lead to the deserialization of untrusted data. 

View the security bulletin, APSB24-71, for more information.

The update also addresses the bug CF-4223435, where the previous installation caused certain packages to be uninstalled.

Q: Will Update 16 automatically install the uninstalled packages if I didn't install them after Update 15?

A: No, if you did not install the missing packages after installing Update 15, Update 16 will not automatically install them. You will need to install the packages manually.

Q: What happens if I had installed the missing packages after Update 15?

A: If you had installed the packages after installing Update 15,  installing Update 16 WILL NOT uninstall any packages.

ColdFusion JDK flag requirements

COLDFUSION 2021 (version 2021.0.0.323925) and above

For Application Servers   

On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**", in the respective startup file depending on the type of Application Server being used.

For example:   

• Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file   
• WebLogic Application Server:  edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file   
• WildFly/EAP Application Server:  edit JAVA_OPTS in the ‘standalone.conf’ file   

Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.  

Prerequisites

1. On 64-bit computers, use 64-bit JRE for 64-bit ColdFusion.
2. If the ColdFusion server is behind a proxy, specify the proxy settings for the server to get the update notification and download the updates. Specify proxy settings using the system properties below in the jvm.config for a stand-alone installation, or corresponding script file for JEE installation.
   • http.proxyHost
   • http.proxyPort
   • http.proxyUser
   • http.proxyPassword
3. For ColdFusion running on JEE application servers, stop all application server instances before installing the update.

Installation

ColdFusion Administrator

In Package Manager > Packages, click Check for Updates in Core Server.

After it detects an update, click Update. The core package gets updated with the latest update.

All installed packages that needs an update get updated.

Restart ColdFusion for the changes to take effect.

Install the update in offline mode manually

1. Download the hotfix installer from the link.
2. Unzip the repository to a place where all ColdFusion server instances can access it.
3. Update "packagesurl" in cfusion/lib/neo_updates.xml of cfusion and all its child instances to point to <InstallerReposityUnzippedPath>/bundles/bundlesdependency.json present inside the downloaded folder.

If the core server hotfix installation is successful and if there are errors or issues with packages, packages can be installed/updated from the package manager client(cfusion\bin\cfpm.bat|cfpm.sh).

You must have privileges to start or stop ColdFusion service and full access to the ColdFusion root directory.

• Windows: <cf_root>\jre\bin\java.exe -jar <InstallerReposityUnzippedPath>\bundles\updateinstallers\hotfix-016-330307.jar
  
• Linux-based platforms: <cf_root>/jre/bin/java -jar  <InstallerReposityUnzippedPath>/bundles/updateinstallers/hotfix-016-330307.jar

Ensure that the JRE bundled with ColdFusion is used for executing the downloaded JAR. For standalone ColdFusion, this must be at, <cf_root>/jre/bin.

Install the update from a user account with permission to restart ColdFusion services and other configured webservers.

For further details on manually updating the application, see the help article.

Post installation

Uninstallation

To uninstall the update, perform one of the following:

• In ColdFusion Administrator, click Uninstall in Server Update > Updates > Installed Updates.
• Run the uninstaller for the update from the command prompt. For example, java -jar {cf_install_home}/{instance_home}/hf_updates/hf-2021-00016-330307/uninstall /uninstaller.jar

If you can't uninstall the update using the above-mentioned uninstall options, the uninstaller could be corrupted. However, you can manually uninstall the update by doing the following:

1. Delete the update jar from {cf_install_home}/{instance_name}/lib/updates.
2. Copy all folders from {cf_install_home}/{instance_name}/hf-updates/{hf-2021-00016-330307}/backup directory to {cf_install_home}/{instance_name}/

Connector configuration

Packages updated