[Looking for Charlie's main web site?]

Announcing ColdFusion update released Jul 11 2023: Priority 1 security update

Folks using CF2023, 2021, or 2018 will want to know that a Priority 1 security update has been released today affecting all 3 releases, update 1 for CF2023 (its first), update 7 for CF2021, and update 17 for CF2018 (its last). The security bulletin indicates that the updates "resolve critical and important vulnerabilities that could lead to arbitrary code execution and security feature bypass".

Update: 3 days after this update, Adobe released yet another, and then 4 days after that they released yet another, both p1 security updates. While I have posts on each of the two subsequent updates, the one on Jul 14 and then the one on Jul 19, the information below is still important and has details that I do not repeat in the later post.

For more resources as well as some additional thoughts on the updates, read on.

Updates to the post since initial release:

  • Jul 11; added the new last topic on Java 17 confusion
  • Jul 12: added a new table of contents and next 2 intro paragraphs; broke the java 17 point into its own section; pointed out that the Adobe container images for CF2023 were finally updated as well as the Ortus images and forgebox engines; added this "updates" list to allow folks to more clearly track such changes
  • Jul 13: added discussion of new article detailing one of the key vulnerabilities; updated the "quirks" discussion to note two Adobe corrections to the CF2021 and 2023 update technotes; added a conclusion to the post

After I list some key points about the update itself, I then share thoughts on some rather confusing aspects of the technotes and security bulletin. (Indeed, in the hours and days after its release and indeed this blog post, it seems these topics did indeed presage confusion reported by many in the community. I appreciate that many have found my post here to have helped bring some clarity--and calls to action for Adobe.)

To be clear, it's not so much that anything's "wrong" with the update itself. It seems clear everyone should endeavor to get it applied. The sections to follow are:

The key points some will want to know

So first are those key points, which may to some serve as a tl;dr about the update:

  • Judging from the update technotes for each, the update addresses only the security-related matters indicated in them (no other changes or bug fixes). That said, if you have failed to apply any previous ones, applying this update will incorporate those which MAY have other changes. It's imperative that you see the technotes for each update you're skipping. The update technote URL's always follow the same pattern, so just change the number to see the technote for an earlier update.
  • Other than always-terse verbiage in the security bulletin, it's unclear to me what these security issues were really about. But I see that Brian Reilly was one of the folks involved in reporting one or more of the vulns was found. Expect to see more on his blog, as he indicated in a tweet from the day of the update
  • Update: I learned today of a new blog post that details one of the key vulnerabilities fixed by this update. This may really interest some readers. More on this below
  • If you perform offline manual updates, see my discussion below about how at this writing the technotes offer only the jar not the zip (as was offered starting with CF2021 update 2)
  • And NO, you do NOT need (or want) to use Java 17 to do the update (with CF2021 or 2018), despite what the security bulletin states, also discussed below
  • Note as well that this is the last update for CF2018, as its end of life is in 2 days: Jul 13 2023, as I had blogged about before
  • Conversely, for those who may like to say "I always wait for the first update of a new version before considering it", this is technically the first update for CF2023--though I'm not sure it should qualify as that kind of "first update" after a release such folks are thinking of, which should includes bug fixes or changes, rather than only security updates that apply to all 3 currently supported versions
  • For those using the Adobe container images, I can report (at this writing) that both the Dockerhub CF repo and the Amazon ECR CF repo have been updated for the CF2023, CF2021, and CF2018 images. The same is true also regarding the Ortus Commandbox CF container images, and the Commandbox CF engines
  • And of course, if you may find you need help considering or performing the update, I am available to help via my short-term, remote consulting

But there are a few more points some readers may want to hear about. First up will be just some logistical matters, and then the points causing some confusion.

Resources for more on each update

Some of what I will say below relates to the technotes for the updates. Let me point out first, therefore, that the security bulletin above includes a link to each update's technote, as does a forum thread that Adobe posted today, and the Adobe blog post on it, so I won't repeat those individual technote links here.

You can also engage with Adobe in either place with questions or concerns. (I try to keep an eye on that and offer replies where I can, but feel free to direct any questions to me below.)

News from another source on a key vuln this update addresses

Update As I noted above, there was news shared Jul 12 of a new blog post from the ProjectDiscovery security site detailing one of the key vulnerabilities, "Analysis CVE-2023-29300: Adobe ColdFusion Pre-Auth RCE". But within hours of it being posted, it was pulled down. Some are concluding that its details identified a vuln that was NOT yet fixed then (but may have been fixed by the update released on Jul 14.)

Something I found very interesting in reviewing that article (while it existed) is that they showed the exploit to be involving (again) the _cfclient querystring, which some will recognize as the root of the vuln fixed with the updates (for CF2021 and 2018) in March 2023.

And if you read my blog post from then, I'd shared a protection involving blocking requests that incorporate that _cfclient querystring. It seems that (judging from the post above), if you were to implement that protection then you could head off this sort of vuln if any others leverage it. (Indeed, if you're on CF2016 or 11--which introduced that _cfclient querystring for use with the cf mobile feature)--note that Adobe has no fix for you for this or that March vuln. But my March blog post proposes one for that, which again seems it would help with this one.)

There was also an update to the AutoLockdown tool for each release

Note that the update technotes for all 3 versions indicate that they needed to update the CF Lockdown tool, for those who may use that. As there is no update mechanism for that tool, the update technotes simply inform you to obtain a refreshed installer for that tool, which is available for each version from the CF downloads page.

It's unclear if this is implying that somehow there a vulnerability IN the tool or just in what the tool is protecting against. Certainly the hope is the latter. (Another question this begs is whether those who HAVE already run it should be expected to RERUN it. Adobe folks, can you please clarify?)

Don't get confused about the mention of "ColdFusion JDK requirements" "For Application Servers"

This next topic really deserves it's own post, as it's not really specific to this update. I'll write it here for now,and split it into its own post (and remove this and link to that) when I may do that later.

While I'm discussing these updates, let me clarify that the bottom of both the security bulletin and the update technotes have a section called "ColdFusion JDK requirements" which goes on to indicate that it's "For Application Servers". I find many people get confused about this, as it goes on to suggest a need to edit the JVM args to add a -Djdk.serialFilter and some additional values.

Please (PLEASE) note that the first sentence says "On JEE installations...". And if you are patient to skip all the instructions and read the LAST sentence of the section, it says, "Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation." Bottom line: this section is NOT talking to you if you installed CF either with the full/GUI installer or the zip installer (new since CF2021). This discussion is ONLY for those who have deployed CF as a WAR or EAR on a JEE server, like the Tomcat, WebLogic, or Wildfly as it goes on to mention. Sadly, some people who know that CF "has run on Tomcat since CF10" presume this refers to them. Again, if you are NOT deploying CF as an EAR or WAR then please do NOT implement these JVM args. I've often wondered what sort of weird crap and challenging "bugs" people hit might be caused by this simple mistake. And yes, I think Adobe could do better to clarify things in that section of the docs and I've raised the concern in the past. Just never seems to raise to a lever of concern/resolution.

Part of the problem is that a minority of folks even READ the technotes, then only some will make the mistake---and virtually none will recall doing it when filing bug reports, and I doubt Adobe folks tend to think to ask about it.

Mark Takata: might this topic interest you to tackle? :-) It just requires one new sentence: "This section does not apply to you, if you installed CF using the full/GUI or zip installer." And/or the sentence starting "On JEE installations..." could add "On JEE installations (when deploying CF as an EAR or WAR)...".

Moving on, if you only use the CF Admin to update CF, you can skip to the last section.

Quirks regarding offline manual update process

For those who may need to perform offline manual updating, this may interest you to notice.

1) The technote for CF2021 update 7 reverts back to showing download and use a jar file for manually updating, rather than a zip file as was offered starting with the technotes in updates 2-6. It's unclear if this was intentional or a slip. And FWIW, the technote for CF2023 update 1 also refers to using the jar file approach. For many folks doing manual installs, either approach has worked. For others, the zip approach was necessary. (And for many, all that was just all very confusing.)

Update: FWIW, I learned on Jul 13 that Adobe had at least added a clarification to the CF2021 update 7 technote, indicating now that "in this update, there are no updates to the packages". Technically the same thing SHOULD be said on the CF2023 update technote (but NOT to the CF2018 technote, since that version didn't have the notion of separate packages.)

I've long meant to do a post on the difference between the jar- and zip-based manual update process, as well as the new package mgt, but I never got to it. Again, for people who use the CF admin to update, or do manual updates while online (the majority of CF users, in my observation), this difference about using the jar or zip doesn't matter at all. If anything comes out of this change that's worth noting, I'll update this post or create a new one. For now, I just share the observation to help whoever it may.

2) Update: I can share that I learned today that Adobe removed the text in the technote that I discussed here:

Along the same lines, but even more confusing, is that the technote for CF2021 update 7 (like those for cf2021 updates 2-6,) includes (before the post install steps) a reference to a need to extract a zip into ajax folder--a step which to me makes no sense. I don't mean only for the sake of that update 7 technote (where there is no zip offered at all), but it didn't make sense even in the technotes for updates 2-6 which DID have the zip.

I have raised both questions above to Adobe today, so if you may see some change in the text such that what I refer to here is gone/different, do let me know as I'd want to update this post.

No, you do NOT need to update to Java 17, on CF2018 or 2021--NOR SHOULD YOU EVEN TRY!

Finally (and this is an update since my original post, 2 hrs after writing it. Thanks to Steve C for the comment below): if you're running CF2021 or 2018, no, do NOT update to or use Java 17 to run the update process, despite what the Security Bulletin says: "Adobe recommends updating your ColdFusion JDK/JRE to the latest version of the LTS releases for JDK 17 where applicable".

That "where applicable" is key. To be clear, CF2021 and 2018 do NOT currently support Java 17, if indeed they ever will. You definitely do NOT want to change CF to USE Java 17 for those versions. And you don't NEED to (and I'd argue would not WANT to) use Java 17 to run the manual update process for them. Certainly the CF Admin update would NOT do that, as it would use the JVM thatC F uses.

This technote should say tell us to use a Java that corresponds to the CF version we are running, and only one that that version supports (but then they'd have to elaborate on what versions those are). They rarely document that. Instead, one has to infer it from what updates indicate. Both 2021 has only EVER supported Java 11 to this point. CF2018 first came out on Java 10, then was updated to support Java 11 (and even 12 for a time, though it was one of the short-lived Java verisons).

I track what Java versions CF supports both in every blog post I do about Java updates (like the last one in April), as well as in a table I keep updated here.

Conclusion

It's unfortunate that things can get as messy as reflected in this post (and this update). Again, for now there's nothing about the update itself to suggest you "not do it" (other than that some trying it offline are having struggles due to the lack of the zip).

Again, if you need help considering or performing the update, I am available to help via my short-term, remote consulting. But I offer these posts to give info to people who want/need to try to go it alone, as well as to serve as a heads up to folks who follow my blog or to help folks find explanations when they go searching for info. And in this case, I'm also pleading with Adobe to please consider cleaning this sort of stuff up. For some reason, this update more than others has gotten a lot of attention regarding these matters of confusion (though some points are really not "new").

For more content like this from Charlie Arehart: Need more help with problems?
  • If you may prefer direct help, rather than digging around here/elsewhere or via comments, he can help via his online consulting services
  • See that page for more on how he can help a) over the web, safely and securely, b) usually very quickly, c) teaching you along the way, and d) with satisfaction guaranteed
Comments
Thanks for the post Charlie. Always good to see your assessment of an update especially since we so infrequently get a priority 1 hotfix. I am one of those manual updaters and the lack of a zip link tripped me up a little. I posted here https://community.ad... about it but as of yet have seen no replies.

I did run the jar update on a development box and the only "change" in the cfusion bundles folder was the Date modified for the bundlesdependency,json file with no reference to a .007 hotfix.

I was also concerned about the need to run an external JVM since it must be to version 17 or higher according to the note on this page. https://helpx.adobe....

Why not just update the jvm used by ColdFusion? I guess I just don't understand that lift.

Thanks again for the notes.

SteveC
# Posted By Steve C | 7/11/23 3:58 PM
1) Agreed on the challenges of the zip/jar. Hope they will resolve that.

2) Thanks on adding the comment on the forum post (note I'd linked to it also)

3) Thanks for the news on what you see so far from running the jar. Do you mean you ran that on a dev box that was offline, or online?

4) Ugh about that Java 17 verbiage. I'd not noticed it. NO. You SHOULD NOT UPDATE TO JAVA 17 for use with CF2021 or 2018. Those versions do NOT support it. And NO, you don't want to use a DIFFERENT JVM version to do the update (manually) than CF uses.

Technically, the sentence you refer to says, "Adobe recommends updating your ColdFusion JDK/JRE to the latest version of the LTS releases for JDK 17 where applicable". That "were applicable" is key, but not ENOUGH info, obviously. I will update my post to make that more clear (and I've covered it in my posts on the recent JVM updates, such as in April).
Yeah as to bullet 3) I ran the jar on a dev box that is offline. Though for the first time I did add the proxy lines suggested in the prerequisites in the jvm.config. I am going to patch a qa box that is offline without the http.proxy settings in the jvm to see if get a different behavior.

Also I always run HF against CF java. I just thought their note was meant to suggest that you MUST switch ColdFusions Java Version to higher that 17 (example 11.0.19) which is why I wondered why they don't just update the bundled java for such updates.

Anyway thanks for the reply! Back to patching for me.
# Posted By Steve C | 7/11/23 4:57 PM
Thanks for the first point. Understood on the second, which again I argue is confusion caused by them (and I hope clarified here a bit by me, in my comment and in the new final point I have since added to the blog post).

As for why they don't just update the JVM, I don't know either. They could (and sometimes they have). They don't even make it obvious to folks that it's their responsibility to do so, and then the resources they offer on how to do it are sparse and often quite dated.

That's why I offer the info I do, but it's sad to think how likely the vast majority of CF folks are clueless or confused about such things because of the lack of attention Adobe pays to such matters. (You don't hear me gripe publicly about such things, but situations like this just get my dander up.)

Heck, there's never been anything but a single blog post 4 years ago indicating that they license Oracle Java for us to use with CF! That leads some people to use openjdk's, but then in various places (if you can find them) Adobe clarifies that they only formally support Oracle Java.

It is a sad state of affairs. These are the kind of little things that fester away causing confusion constantly, each of which could take someone just minutes of effort to improve. If I had any authority at all, I'd demand immediate resolution to such things, which might take only hours of one person's effort, even if days to finally "appear" due to bureaucracy.
FYI the link to the blog post on projectdiscovery about the vulnerability 404's and I don't see it on their main page. Maybe it's been removed?
# Posted By Lisa | 7/14/23 7:09 AM
Now that there's a second patch I think it would be unconscionable if they didn't release more patches for 2018 if it's related to the same underlying issue...here's hoping adobe does the right thing.
# Posted By Chris | 7/14/23 2:19 PM
Thanks, Lisa and Chris.

Lisa, sad but true. Maybe it was deemed to have too much detail (exposing how to leverage the vuln). I hope to share more as I learn more.

Chris, good news there: they DID come out with an update for all 3. But currently the apsb link (offered in the technote for each) is failing. I have reported it, and was awaiting that before sharing news of the update.
I more meant future ones - like log4j which had several updates spanning weeks. It would be pretty crappy for adobe to just abandon 2018 if it's really the same underlying issue just more has been discovered about it.
# Posted By Chris | 7/14/23 3:48 PM
Chris, I hear you, but I really don't think we'll be able to know (if future security fixes for CF2021 and 2023 may in any way be "related" to these recent ones).

Sure, with log4j it was more apparent (and mostly needless melodrama, as there were never any reported vulnerabilities in CF related to log4j--but IT folks didn't want to hear that, they just wanted it "gone").

If anything, this should serve as a clarion call for folks on CF2018 to be working to get OFF of it. It's 5 years old, after all. And as you may know, it's not "new information" that it would EOL this week. It's always documented, and again I'd pointed out in that Jan 2023 post--as have still other folks.

As the saying goes, "it's better to light one candle than to curse the darkness".
Hi Charlie. Based on their notes. "Note: Adobe recommends updating your ColdFusion JDK/JRE to the latest version of the LTS releases for JDK 17 where applicable. Applying the ColdFusion update without a corresponding JDK update will NOT secure the server. See the relevant Tech Notes for more details."

....we did in fact update CF2018 and CF2021 to the latest JVM (17.0.7). Unfortunately we found that on CF2021 servers it broke CFHTTP calls and those machines cannot get "Connection Failure" on all CFHTTPS calls. Oddly enough it didn't seem to break anything on the CF2018 servers.

We are thinking of just rolling back to JVM (11.0.19). However I'm concerned about their statement...."Applying the ColdFusion update without a corresponding JDK update will NOT secure the server".

Can we be confident that this statment is not true and we are in fact secure on JVM 11? Of course, like all of you I wish they would explain more like, why? Also, I wanted other to know that this broke CFHTTP calls for us.

Thanks Charlie!
Matthew, I covered that point of confusion in my post. I know, it was a LOT to read. See the TOC st the top. I do what I can. :-) Or see specifically the last point above at https://www.carehart...
I read through all of that, but I guess I'm just dumbfounded that they would publish such a warning when an update to JVM 17 isn't really needed or even supported. Thanks again for the great post and all of the useful info. Charlie! :)
Well, it IS supported, for cf2023. And if you'd "read all that", I guess I would ask why would you have tried then to run Java 17 with cf2021 (or cf2018)? I specifically explained that and why you should not.

If you mean you read that AFTER you tried it, OK. Your first note here didn't convey that. Anyway, if you're really just lamenting that Adobe has that sloppy wording, I'd already done that also. :-) There's not much more we can do.
Yes, that's correct. I was simply following Adobe's direction on their bulletin, so I had already updated JVM. Then when we ran into problems, and I was searching for info. I thought to check your blog...as we've worked with you in the past. Now I realize their statement was somewhat boiler plate and aimed at those few already on CF2023. Sorry for the confusion.
Fair enough. That's indeed why I'm here.

And yep, I recall our session in 2018. Hope my posts can help you and others to save you trouble.
I noticed a couple of issues with the refreshed lockdown installers:

The Windows version of the refreshed CF 2018 lockdown installer (ColdFusion_2018_Lockdown_WWEJ_win64.exe, MD5: ce20cb6fa3a0dcb641ac3032e6e7a6db ) has no digital signature. All previous versions of the lockdown installer were digitally signed.

The Windows version of the CF 2023 lockdown installer doesn't seem to be refreshed (ColdFusion_2023_Lockdown_WWEJ_win64.exe, MD5: 8a593c8b3e0d629ea8af81a49427352e ). The file is unchanged from its original release in May 2023.
# Posted By Legorol | 8/9/23 6:02 AM
Thanks, Legorol. I'd not looked closely at those details, so these will be helpful observations to folks using the tool. I appreciate your sharing them.

And they do sadly just add another layer to the state of confusion regarding these recent updates, first with respect to the lockdown tool specifically and then in general. Hoping that in time things will settle down and issues will be rectified.

Until then, I'd recommend you file a bug report at tracker.adobe.com. If you do, feel free to offer a comment here with the bug number so that interested folks could add a vote of support and also follow along.
Copyright ©2024 Charlie Arehart
Carehart Logo
BlogCFC was created by Raymond Camden. This blog is running version 5.005.
(Want to validate the html in this page?)

Managed Hosting Services provided by
Managed Dedicated Hosting