ColdFusion (2023 release) Update 2
What's new and changed
ColdFusion (2023 release) Update 2 (release date, 14 July, 2023) addresses vulnerabilities that are mentioned in the security bulletin, APSB23-41. These updates resolve a critical vulnerability that could lead to arbitrary code execution.
ColdFusion provides an option in the Administrator to restrict IPs from accessing the ColdFusion Server, by specifying allowed IP addresses.
Adobe recommends enforcing the IP restrictions on your server to make it more secure. To learn more about applying the restrictions, view this document.
After you enforce the restrictions, the vulnerability CVE-2023-38205 will be addressed.
Prerequisites
- On 64-bit computers, use 64-bit JRE for 64-bit ColdFusion.
- If the ColdFusion server is behind a proxy, specify the proxy settings for the server to get the update notification and download the updates. Specify proxy settings using the system properties below in the jvm.config for a stand-alone installation, or corresponding script file for JEE installation.
- http.proxyHost
- http.proxyPort
- http.proxyUser
- http.proxyPassword
- For ColdFusion running on JEE application servers, stop all application server instances before installing the update.
ColdFusion JDK requirements
COLDFUSION 2023 (version 2023.0.0.330468) and above
For Application Servers
On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**", in the respective startup file depending on the type of Application Server being used.
For example:
- Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file
- WebLogic Application Server: edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file
- WildFly/EAP Application Server: edit JAVA_OPTS in the ‘standalone.conf’ file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.
Installation
ColdFusion Administrator
In Package Manager > Packages, click Check for Updates in Core Server.
After it detects an update, click Update. The core package gets updated the the latest update.
All installed packages also get updated.
Restart ColdFusion for the changes to take effect.
Install the update in offline mode manually
- Click the link to download the JAR.
- Execute the following command on the downloaded JAR. You must have privileges to start or stop ColdFusion service and full access to the ColdFusion root directory.
Windows: <cf_root>/jre/bin/java.exe -jar <jar-file-dir>/hotfix-002-330482.jar
Linux-based platforms: <cf_root>/jre/bin/java -jar <jar-file-dir>/hotfix-002-330482.jar
Ensure that the JRE bundled with ColdFusion is used for executing the downloaded JAR. For standalone ColdFusion, this must be at <cf_root>/jre/bin.
Install the update from a user account that has permissions to restart ColdFusion services and other configured webservers .
For further details on manually updating the application, see the help article.
Post installation
After applying this update, the ColdFusion build number should be 2023,0,02,330482.
Uninstallation
To uninstall the update, perform one of the following:
- In ColdFusion Administrator, click Uninstall in Server Update > Updates > Installed Updates.
- Run the uninstaller for the update from the command prompt. For example, java -jar {cf_install_home}/{instance_home}/hf_updates/hf-2023-00002-330482/uninstall /uninstaller.jar
If you can't uninstall the update using the above-mentioned uninstall options, the uninstaller could be corrupted. However, you can manually uninstall the update by doing the following:
- Delete the update jar from {cf_install_home}/{instance_name}/lib/updates.
- Copy all folders from {cf_install_home}/{instance_name}/hf-updates/{hf-2023-00002-330482}/backup directory to {cf_install_home}/{instance_name}/
Connector configuration
2023 Update | Connector recreation required |
---|---|
Update 2 | No |
Update 1 | No |