Announcing ColdFusion updates released Dec 23 2024: p1 security update
In this post, I share the details about the update (from Adobe and from others, including pointers to some discussions I've already started online about the update). Note also that while you may read that the update is related to the CF PMT feature, don't presume that it therefore "doesn't apply to you" because you "don't use it". See the next section for more.
Of course, this is terrible timing for an update, but it is what it is. I can report I have installed both updates on multiple machines and operating systems without incident. And I may do a follow-up post on the update as I/we all learn more.
For more details, read on.
Sadly, since cf2018 is no longer supported, Adobe has not documented how to deal with this issue for that version. I have an idea, though.
There should be a "servlet mapping" for a "/pms" URL, and I bet if we just commented that out it should be an effective mitigation. It seems it's the calls made by bad guys to that URL which allow them to leverage a vuln.
The file is web.xml, in the cfusion/wwwroot/WEB-INF folder (and in any instance folder that's a sibling to cfusion, for those running multiple instances). Save a copy before editing the file, and be careful to use HTML/XML comments (two dashes) rather than CFML comments (three dashes) to surround the lines related to that pms servlet mapping.
I'm writing from a phone. I hope to have time this weekend to dig in, but in the meantime (or if I lose track) I wanted to get this out there.
I would want to update the post to remove my mistaken suggestion, and then I'd replace it with these steps in some more detail.
Let me know if that works for you, if you confirm before info.
Thanks, again, Bill.
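The comment above sketches the idea of commenting out the /pms servlet mapping in web.xml by hand. Below is an added example, written for this page and not code from the commenter, from Adobe, or from ColdFusion itself, that does the same edit as a script: it finds every web.xml under an instance root (cfusion and its sibling instances), wraps each servlet-mapping whose url-pattern starts with /pms in an XML comment, skips mappings that are already commented out, refuses to write anything that is not well-formed XML, and saves a timestamped copy first. The sample web.xml embedded for testing is constructed; the servlet name "pms-servlet" in it is a placeholder, which is why the script matches on the url-pattern rather than on a servlet name. Whether commenting out this mapping is an adequate mitigation is the commenter's untested idea, not something this script establishes.

```python
"""Comment out /pms servlet mappings in ColdFusion web.xml files.

Added example for this page (not the commenter's, Adobe's or ColdFusion's code).
Assumptions: each instance lives at <cf_root>/<instance>/wwwroot/WEB-INF/web.xml,
and the mapping to disable has a <url-pattern> starting with /pms. The sample
web.xml below is constructed for the test and is not a real ColdFusion file.
"""
from __future__ import annotations

import re
import shutil
import sys
import xml.etree.ElementTree as ET
from datetime import datetime
from pathlib import Path

# One complete <servlet-mapping> element (mappings in web.xml are flat, so a
# non-greedy match between the open and close tags is sufficient).
MAPPING_RE = re.compile(r"<servlet-mapping\b[^>]*>.*?</servlet-mapping>", re.DOTALL)
URL_PATTERN_RE = re.compile(r"<url-pattern>\s*([^<]*?)\s*</url-pattern>")
# Splitting on existing comments lets us leave already-disabled blocks alone and
# never nest one XML comment inside another (nested comments are invalid XML).
COMMENT_SPLIT_RE = re.compile(r"(<!--.*?-->)", re.DOTALL)

# Constructed sample, not a real ColdFusion web.xml; servlet names are placeholders.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <!-- constructed sample for the example -->
  <servlet-mapping>
    <servlet-name>CfmServlet</servlet-name>
    <url-pattern>*.cfm</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>pms-servlet</servlet-name>
    <url-pattern>/pms/*</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _is_pms_mapping(block: str) -> bool:
    m = URL_PATTERN_RE.search(block)
    return bool(m) and m.group(1).startswith("/pms")


def disable_pms_mappings(xml_text: str) -> tuple[str, int]:
    """Return (new_text, count): every uncommented /pms mapping wrapped in an XML comment."""
    count = 0

    def wrap(m: re.Match) -> str:
        nonlocal count
        block = m.group(0)
        if not _is_pms_mapping(block):
            return block
        if "--" in block:
            # "--" is illegal inside an XML comment; refuse rather than corrupt the file.
            raise ValueError("servlet-mapping contains '--' and cannot be commented out safely")
        count += 1
        return "<!-- disabled pms servlet mapping: " + block + " -->"

    parts = COMMENT_SPLIT_RE.split(xml_text)
    for i, part in enumerate(parts):
        if i % 2 == 0:  # even indices are outside existing comments
            parts[i] = MAPPING_RE.sub(wrap, part)
    return "".join(parts), count


def is_well_formed(xml_text: str) -> bool:
    """Parse check so a bad edit is caught before it is written to disk."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def find_web_xmls(cf_root: Path) -> list[Path]:
    """cfusion and every sibling instance each carry wwwroot/WEB-INF/web.xml."""
    return sorted(cf_root.glob("*/wwwroot/WEB-INF/web.xml"))


def patch_web_xml(path: Path, dry_run: bool = False) -> int:
    """Disable /pms mappings in one web.xml; returns how many were commented out."""
    original = path.read_text(encoding="utf-8")
    updated, count = disable_pms_mappings(original)
    if count and not dry_run:
        if not is_well_formed(updated):
            raise ValueError(f"refusing to write malformed XML to {path}")
        stamp = datetime.now().strftime("%Y%m%d-%H%M%S")
        shutil.copy2(path, path.with_name(f"web.xml.bak-{stamp}"))  # save a copy first
        path.write_text(updated, encoding="utf-8")
    return count


if __name__ == "__main__":
    # Usage: python disable_pms.py <cf_root> [--dry-run]   (cf_root is the folder containing cfusion)
    if len(sys.argv) < 2:
        sys.exit("usage: disable_pms.py <cf_root> [--dry-run]")
    dry = "--dry-run" in sys.argv
    verb = "would be commented out" if dry else "commented out"
    for web_xml in find_web_xmls(Path(sys.argv[1])):
        print(f"{web_xml}: {patch_web_xml(web_xml, dry_run=dry)} /pms mapping(s) {verb}")
```

Run it with --dry-run first to see which files and how many mappings it would touch. web.xml is read by the servlet container at startup, so each ColdFusion instance has to be restarted for the change to take effect, and the PMT itself will stop working against that instance while the mapping is disabled.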