ColdFusion (2023 release) Update 7

ColdFusion (2023 release) Update 7

Security recommendations

For all security updates, Adobe recommends applying the security configuration settings outlined on the ColdFusion Security page and reviewing the respective Lockdown guides.  

Alert:

Check if you need to create and configure connectors after installing the update. View the section Connector Configuration Table for more information.

What's new and changed

ColdFusion (2023 release) Update 7 (release date, March 12, 2024) addresses vulnerabilities mentioned in the security bulletin, APSB24-14.

This update includes several security fixes to ensure the safety and security of our systems. These changes address potential vulnerabilities and threats and are part of our ongoing commitment to protecting your data and privacy.

The following sections summarize the changes in the update.

In this document:

Significant changes in the release

SCOPE VARIABLE CHANGES

By default, if ColdFusion finds a variable name without a prefix, it used to check the variable in different scopes in a specific order. The application variable searchimplicitscopes=FALSE was introduced later for performance reason, which meant an unscoped variable wouldn't be searched in the scopes.

Starting with this update, ColdFusion will default to searchimplicitscopes=FALSE and if a variable name is not prefixed with a scope identifier, it can only be resolved by one of the impacted scopes (see below), which can be modified from outside the request.

Adobe has released a patch for ColdFusion (2023 release) and ColdFusion (2021 release) to help identify the unscoped variables in a log file, and take corrective actions. See View unscoped variables in a log file for more information.

What are the scopes that are impacted by the change?

  • CGI
  • URL
  • Form
  • Cookie
  • CFFile
  • Client

For example, the code below will fail with the exception, Variable TEST is undefined

<cfset cookie.test=1>
<cfoutput>#test#</cfoutput>

If I encounter the error, UndefinedElementException or Variable {xx} is undefined, what should I do?

Option 1: Correct application code to fetch values from the correct scope.

<cfset cookie.test=1>
<cfoutput>#cookie.test#</cfoutput>

*Option 2: Set searchimplicitscopes value back to TRUE.

This can be done by:

  1. Adding the newly introduced flag, -Dcoldfusion.searchimplicitscopes=true to the jvm arguments, or
  2. Setting searchimplicitscopes key to TRUE in Application.cfc or Application.cfm, in which case it will override the jvm flag set at the server level.

*This option is highly discouraged and should be considered only as a temporary workaround, until all application code is fixed.

View Application variables in ColdFusion for more information.

Note:

Changes in next major release

The JVM flag -Dcoldfusion.searchimplicitscopes will be removed in the next major release of ColdFusion, hence disallowing searching of an unscoped variable in the implicit scopes. This may require application code changes.

CHANGES IN CFDOCUMENT

By default, ColdFusion will now block all protocols, except HTTP and HTTPS when using <iframe src=" "> in the body of cfdocument.

You can allow other protocols using the -Dcoldfusion.iframe.allowedprotocols JVM argument, as shown below:

-Dcoldfusion.iframe.allowedprotocols=file,ftp

Other changes in this release

LIBRARY UPGRADES

  • Tomcat is upgraded to 9.0.85.
  • The log4j in cfinstall.jar is updated from version 1.2.17 to 2.20.0 for the zip installers.
  • jose4j.jar is updated from 0.7.12 to 0.9.4.
  • ib6coreutil is updated from 1.2 to 1.3.

Auto-discovery removal in Central Configuration Server (CCS)

FILes removed in this update

Some residual files for AIR, Server Manager, and Server Monitoring have been removed from the Administrator in this update.

Changes in cffile upload deny list

In this update, we've added the extensions jar, class, ashx, and asmx extensions to the default block list of CFFILE upload. 

To customize the block list,

  1. Navigate to Admin > Server settings > Blocked file extensions for CFFile uploads.  
  2. Select Restore Default Extensions.
  3. Submit the changes.

Note: If you’ve customized your block list, it will be deleted by clicking Restore Default Extensions. As a precaution, add jarclassashx, and asmx to your customized extension list and save the changes.

Package updates

We've updated the following packages in this update:

  • adminapi
  • administrator
  • ajax
  • ccs
  • db2
  • document
  • htmltopdf
  • mysql
  • odbc
  • pdf
  • presentation
  • print
  • report
  • saml
  • sybase

JSON Web Token (JWT) changes

The algorithm RSA1_5 is no longer supported in JWT.

Changes in CKEditor

The disallowed file types in CKEditor for file uploads have been updated to include .jar, .class, .ashx, and .asmx.

Bugs fixed in this update

Bug ID Description Component
CF-4219940 After installing the update, ColdFusion is unable to connect to SQL Server. Database
CF-4220252

Unable to import scheduled tasks using a CAR package in Docker.

View the updated ColdFusion serial filter documentation for more information.

Scheduler

Known issue in this update

  • In a cloud environment, ColdFusion servers configured to a remote CCS server before applying an update will appear disabled in the CF admin console of CCS Server. Any changes made from local CF nodes (i.e. CCS Clients) will not reflect immediately in remote ColdFusion nodes. You'll have to restart your CF server for the changes to take effect. 
  • Adding a new remote ColdFusion node after applying the update will also fail.

Prerequisites

  1. On 64-bit computers, use 64-bit JRE for 64-bit ColdFusion.
  2. If the ColdFusion server is behind a proxy, specify the proxy settings for the server to get the update notification and download the updates. Specify proxy settings using the system properties below in the jvm.config for a stand-alone installation, or corresponding script file for JEE installation.
    • http.proxyHost
    • http.proxyPort
    • http.proxyUser
    • http.proxyPassword
  3. For ColdFusion running on JEE application servers, stop all application server instances before installing the update.

ColdFusion JDK flag requirements

COLDFUSION 2023 (version 2023.0.0.330468) and above

For Application Servers

On JEE installations, set the following JVM flag, "-Djdk.serialFilter=!org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**", in the respective startup file depending on the type of Application Server being used.

For example:   

  • Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file   
  • WebLogic Application Server:  edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file   
  • WildFly/EAP Application Server:  edit JAVA_OPTS in the ‘standalone.conf’ file   

Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.  

Installation

ColdFusion Administrator

In Package Manager > Packages, click Check for Updates in Core Server.

After it detects an update, click Update. The core package gets updated the the latest update.

All installed packages also get updated.

Restart ColdFusion for the changes to take effect.

Install the update in offline mode manually

  1. Download the hotfix installer and repository from the link.
  2. Unzip to a place where all ColdFusion server instances can access it.
  3. Update "packagesurl" in cfusion/lib/neo_updates.xml of cfusion and all its child instances to point to <InstallerReposityUnzippedPath>/bundles/bundlesdependency.json present inside the downloaded folder.

You must have privileges to start or stop ColdFusion service and full access to the ColdFusion root directory.

  • Windows: <cf_root>\jre\bin\java.exe -jar <InstallerReposityUnzippedPath>\bundles\updateinstallers\hotfix-007-330663.jar
  • Linux-based platforms: <cf_root>/jre/bin/java -jar  <InstallerReposityUnzippedPath>/bundles/updateinstallers/hotfix-007-330663.jar

If the core server hotfix installation is successful and if there are errors  or issues with packages, packages can be installed/updated from the package manager client(cfusion\bin\cfpm.bat|cfpm.sh).

Ensure that the JRE bundled with ColdFusion is used for executing the downloaded JAR. For standalone ColdFusion, this must be at, <cf_root>/jre/bin.

Install the update from a user account that has permissions to restart ColdFusion services and other configured webservers .

For further details on manually updating the application, see the help article.

Note:

If you are on Java 17.0.8 or higher and want to apply the Hotfix manually, use the flag java -Djdk.util.zip.disableZip64ExtraFieldValidation=true -jar hotfix.jar.

However, if you are applying the update from the Administrator, you do not require any flag.

Post installation

Note:

After applying this update, the ColdFusion build number should be 2023,0,07,330663.

Uninstallation

To uninstall the update, perform one of the following:

  • In ColdFusion Administrator, click Uninstall in Server Update Updates Installed Updates.
  • Run the uninstaller for the update from the command prompt. For example, java -jar {cf_install_home}/{instance_home}/hf_updates/hf-2023-00007-330663/uninstall /uninstaller.jar

If you can't uninstall the update using the above-mentioned uninstall options, the uninstaller could be corrupted. However, you can manually uninstall the update by doing the following:

  1. Delete the update jar from {cf_install_home}/{instance_name}/lib/updates.
  2. Copy all folders from {cf_install_home}/{instance_name}/hf-updates/{hf-2023-00007-330663}/backup directory to {cf_install_home}/{instance_name}/

Connector configuration

2023 Update Connector recreation required
Update 7
No

However, if upgrading from Update 4 or any previous update, you must recreate the connector.

View the following for more information on creating and configuring connectors:

Update 6

No

However, if upgrading from Update 4 or any previous update, you must recreate the connector.

View the following for more information on creating and configuring connectors:

Update 5 Yes
Update 4 No
Update 3 No
Update 2 No
Update 1 No

Package updates

Update Packages updated
Update 7 Yes
Update 6 No
Update 5 Yes
Update 4 No
Update 3 No
Update 2 No
Update 1 No

Document revision history

  • 13 March 2024: Added the impacted scopes and related code samples.

Get help faster and easier

New user?