Folks may want to hold off on the Sep 24 2019 CF updates

Posted At : September 26, 2019 12:05 PM | Posted By : Charlie Arehart
Related Categories: updates, cf2016, security, connector, cf2018
Comments: (9)

Note: This blog post is from 2019. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

Update (Nov 20, 2019): Adobe announced today that they'd come out with a new set of updates to fix the problems in the Sep 24 updates. Today's updates address the various issues reported below about the Sept update. It's important to proceed with performing the updates, for the benefit of the security updates as I discussed below back in Sept.

I shared here Tuesday the news that Adobe had announced there were new updates for CF2018 and 2016, released that day.

But as has happened every few releases, a lot of folks are reporting various problems, enough for me to say that folks may want to hold off on applying these updates, which I realize is a risky proposition since the update includes security fixes.

For more, read on.

--
Update Nov 13: Adobe has released a preview of new updates, meant to address the issues in these Sep 2019 updates. For more, see my post: https://www.carehart.org/blog/2019/11/13/preview_available_for_new_coldfusion_updates//

Update Sep 27: Adobe has commented below (Sep 27) saying that there are now fixes available for the bugs reported (but that you must request each directly from them, and that an update refresh is not planned). See Vamsee's comment below, and my reply to that (asking for a bit more detail). For now, I have added any links I've seen to fixes for any of these.
--

Of course, if you need something in the update and want to try it, just be sure to do ample testing, and check out some of the problems people are reporting below. And beware that some issues may only happen under load, so you may not find them in your own testing.

Otherwise, let's see if Adobe may either "refresh" the update or may well "pull" it, as they did with the Feb 2019 updates for CF 2016 and 11, when they replaced those with another a week later (see the "Note" about it at the top of that page).

If you may want to hear what sort of problems folks are reporting with the Sep 24 updates, you can see them in the comments of the Adobe blog post, and in comments on my blog post, as well as in bug reports at tracker.adobe.com (see below, or if you search for CF bugs, they are shown in reverse chronological order--and you can even indicate that it show those created after Sep 23). Finally, I've also been hearing from clients directly, as I've related in my own comments on the two blog posts.

Some of the bug reports so far

This section is new since my original post:

I have decided to go ahead and share here briefly some of the errors being reported about the update, including direct links to bug reports if they exist. This is not meant to be "the complete list". Also, I am NOT committing to keeping this list updated as new ones may be added. I just wanted to help as of today, at least. Use my suggestion above about getting Tracker to show a list of all bugs created beyond today.

I'll start with those that DO have bug reports. Note that I show here the titles people choose for the bug, which may refer to either CF2016 or 2018, or their respective updates 12 or 5, but the given problem may well apply to either release:

"CFTransaction exceptions thrown when CFTransaction not used", resulting in the error "Datasource names for all the database tags within the cftransaction tag must be the same" (tracker ticket CF-4205269)
Update: fix available See the comments in that ticket, where Adobe requests you reach out to them at [email protected] to obtain the fix directly from them.
"CF2018 Update 5 : Intermittent issue with CF admin page running on external web server" (cf-4205252), and CF2016 - intermittent 404 after Update 12 (cf-4205361).
Despite the first ticket title, this seems related to other issues people have reported with the updated CF web server connector, and how they get 404s or worse, and how some report that if they don't update the connector then their sites don't work, which is a real catch-22--forcing them to revert to the previous CF update, and the previous web connector. Seeming related are instances of requests failing with, "The requested URL was not found on this server!", with the isapi_redirect.log containing entries for these requests referring to "jk_check_for_path_attack" and "Path attack using", reported in that cf-4205361 tickets.
Update: fix available! See an Adobe blog post on the connector fix.

And there are a few that seem to refer to the same "nesting" issue (but may have different info or comments, so worth reading each):

"Nest CFOUTPUT error in hotfix 5 (hf-2018-00005-315699)" (CF-4205250)
"A query driven queryloop tag is nested inside a queryloop tag UPDATE 12" (CF-4205262)
"CF 2016 Update 12 on Windows Server returns nesting errors in cases where CF 2016 Update 11 and lower does not" (CF-4205257)
"Weirdly specific/odd nested structure issue post CF2016 update 12 + java update" (CF-4205251)

Update: fix available? Adobe has mentioned in the first bug report there (CF-4205250) that they have a fix for this, and at this writing, the fix for CF2016 is offered in that. See the "attachments" section of the page and comments, where I ask about CF2018 also. Until it may be added, again reach out to [email protected] to obtain the fix directly from them.

Finally, there has been an issue raised about cfhttp processing hanging (with a proposed workaround from Adobe of a jvm argument "to try" (-Dcoldfusion.http.usepooling=false):

CF2018 Update 5: Server unresponsive (another ticket with more clarity about http processing, CFHTTP Randomly Hangs After ColdFusion 2018, Update 5, was marked as a duplicate of this one)

There are still other issues I've seen reported, though for now I have not seen bug reports for them, such as:

An issue with cflogin and unexpected ALLOWCONCURRENT behavior

I hope someone experiencing these or any issues will open the bug report. (I am reluctant, as I have only hear-say information, but I have seen it from multiple folks.)

"But I want the security updates ASAP"

This is indeed a tough situation when it happens, because the updates do include important security fixes, so some people naturally want to get THOSE fixes in place, ASAP. (It's not clear for now if the "problems" are related to either the security fixes, the bug fixes, or the new features.)

Where you can find at least one security "fix"

I will say that at least with respect to one of the vulnerabilities (fixed in those troubled updates), Pete Freitag had emailed customers of his HackMyCF service with news of the vuln earlier this month, and included a fix for it. He has not shared that info publicly, because discussing either the problem or the solution would give exposure of the vulnerability to those who would abuse the information.

But he did share it with his customers. I already have long-recommended his service (indeed, all his tools), but getting access to such useful information as a HackMyCF customer makes that service all the more beneficial.

Someone may assert that Pete should share that info publicly, now that Adobe has "offered a fix for it in the product". That's indeed a common approach for those who find/fix vulnerabilities: to hold off on sharing details until the vendor fixes them. But given the trouble with this update, he may well still be holding off sharing it, knowing that so many people may be reluctant to apply that update, and so could be exposed if the "bad guys" may see his post while many "good guys" may not and so may get attacked (more likely than if he had not posted the info).

It's a tough position to be in, and it's his decision to make.

Can't I just get the security updates somehow?

Finally, let's address the elephant in the room. For now, there's no way to get the security updates "only" and not the rest of the bug fixes/new features. Many of us have wished for that, but it's not as easy as it may seem.

But I think there is a good model Adobe could follow. I have blogged about that separately, as I think it deserves to stand on its own.

For more content like this from Charlie Arehart:

Signup to get his blog posts by email:

Follow his blog RSS feed

View the rest of his blog posts

View his blog posts on the Adobe CF portal

Need more help with problems?

If you may prefer direct help, rather than digging around here/elsewhere or via comments, he can help via his online consulting services

See that page for more on how he can help a) over the web, safely and securely, b) usually very quickly, c) teaching you along the way, and d) with satisfaction guaranteed

Comments (9)

Related Blog Entries

Adobe should consider a different model for handling ColdFusion security fixes (September 26, 2019)
Sep 2019 updates released for CF2018 and CF2016, with a strange twist (September 24, 2019)

Comments

[Add Comment]

Charlie, thanks for posting this. I'm also seeing quite a few customers facing bugs related to this update. I'll double check your list to see if I can provide any additions.

Regarding the security aspects of this update, I do have a way to block at least one of the 3 issues, and as Charlie mentioned I did share this with HackMyCF customers ahead of the patch. I don't normally share this sort of thing before a patch is released, even though I'm occasionally aware of issues before the patch is released. Some details of the issue were unintentionally disclosed somewhere else, which is why I did in this case. I don't want to get into details because I know it takes time to ensure servers are patched, and with bugs that timeline will be longer than normal. You can reach out to me if you need additional info, but this workaround will not prevent all of the issues that have been patched.

It is a tricky balance of helping people prevent a vulnerability, while also not giving out too much info that could be used the wrong way. Doing my best to keep an eye out for ya'll, while maintaining that balance.

# Posted By Pete Freitag | 9/26/19 1:06 PM

Hi Charlie,

Gven that this is a security update, we would urge everyone to apply the update soon. We've fixes for all of the issues reported so far, so users can reach out to [email protected] to get the patch. We are not thinking of refreshing the updates just yet. For now, the patch should cover folks.

Thanks,
Vamsee

# Posted By Vamsee | 9/27/19 12:19 PM

Thanks, Vamsee. That could be encouraging, but I do have questions still, for everyone's sake.

First, I do acknowledge in my post(s) that this update includes important security fixes, and that therefore it's a worry for people to hold off applying them.

But second, you refer to "the patch" but there's not one, right? You mean "if users have any of the errors for which we have a patch, they can request that patch", so it may be many patches for some users, right?

And can you confirm that you have a patch for each listed bug report above?

And what about the two IIS issues listed (404's and "path attack")? If so, can you identify the bug tracker id for those, so people can properly refer to them when requesting the patch for that?

Thanks.

# Posted By Charlie Arehart | 9/27/19 12:25 PM

We can easily create a combined patch, Charlie.

We are still investigating the "cflogin allowconcurrent" issue. It doesn't look to be specific to this update and should have been an issue in Update 4 as well. We've fixes for the rest of the issues that were reported.

The two IIS issues being referred to are actually the same, so there is an updated DLL file we have as a fix (bug CF-4205252)

# Posted By vamsee | 9/28/19 2:07 AM

Thanks, Vamsee. Whether a combined patch is appropriate, I will leave to you and those suffering the issues. I was simply asking if you did mean you had "one" or "one for each issue". Thanks for clarifying that for now it would be one for each issue.

That said, I had asked if you had a fix for each. You refer to two of them, but there are (at least) 3 listed above.

Also, about the connector issue, you say "there is an updated DLL file we have as a fix (bug CF-4205252", but as I just visited there there was no indication that the bug report was "fixed" nor a link to any fix file.

But I just found in a forum thread about it that there is a fix. So I have just added a comment there, while I will repeat here for folks:

"Adobe has reported here [https://tracker.adob...] (as of early 9/28/19) that this is "bugverified", but it is not listed as "fixed" yet.

But in a thread in the forums, they are offering a new isapi_redirect.dll that fixes an issue with the connector. It's not clear if it's the same as this one, but it may be. Check out https://coldfusion.a..., which says:

"We have a patched isapi_redirect.dll which you can use.

Its placed in: https://www.dropbox....

Please let me know if this solves your issue.

You need to goto [CF Home]\config\wsconfig\[Magic folder for your connector]
Make a copy of the isapi_redirect.dll file
Replace it with the one I shared in the dropbox link
Restart the Application Pool for your IIS website

Thanks,

Kailash"

If anyone experiencing this issue reported here wants to try it, to see if it makes the problem go away, please do then report here how it goes, or perhaps Adobe will soon offer a clarifying comment. I'm just trying to help people juggling all the balls, to get the update in place ASAP, especially for the security fixes it includes."

Again that last comment of mine was within the quote of what I said on the bug report page, so if anyone has more info to share with Adobe about that fix for that or any connector bugs from this last CF update, please do offer them there: https://tracker.adob....

But Vamsee, if you want to offer any clarification here (or there) about things, I would certainly welcome it, on behalf of the community.

# Posted By Charlie Arehart | 9/28/19 9:50 AM

Charlie,

I just want to add that I run a macOS local development environment with Apache 2 and CF2018 and my CF Connector is not working following the September update. Apple also released macOS Mojave 10.14.6 Supplemental Update 2 on September 26th, which my system installed automatically. So, I am currently investigating if that update is somehow involved or otherwise complicating things.

Thanks,

Ryan Farrell

# Posted By Ryan Farrell | 9/30/19 9:51 AM

Interesting, yep. Thanks. So it seems Adobe has only acknowledged the iis connector as having a problem, at least in the issue listed in my post) as found by others).

It could indeed be an issue due to your update of apache. Cf still doesn't specifically the latest as of the cf updates last week.

You'll want to reach out to them, such as [email protected], for more on thst--or file a tracker report in the issue. Let us know what you find.

# Posted By Charlie Arehart | 9/30/19 4:59 PM

Ok, I think it was Apache not able to talk to the connector following the macOS update. I rolled back the CF update, then removed the connector. I then shut down Apache, which required a kill -9 on one process, then reinstalled the CF update. Finally, I reinstalled the connector and everything worked.

# Posted By Ryan Farrell | 10/1/19 9:28 AM

Good to hear, Ryan. Thanks for the update.

# Posted By Charlie Arehart | 10/1/19 9:31 AM

[Add Comment]

Sun	Mon	Tue	Wed	Thu	Fri	Sat
					1	2
3	4	5	6	7	8	9
10	11	12	13	14	15	16
17	18	19	20	21	22	23
24	25	26	27	28	29	30