
Announcing ColdFusion updates released Dec 23 2024: p1 security update

An update for ColdFusion has been released today for both cf2023 (update 12) and cf2021 (update 18). In brief, it addresses a P1 (Priority 1, "Critical") security vulnerability, as indicated in the associated ASPB (security bulletin) for the update (CVSS Base Score of 7.4 out of 10).

In this post, I share the details about the update (from Adobe and from others, including pointing to some discussions I've already started online about the update). Note also that while you may read that the update is related to the CF PMT feature, beware presuming it therefore "doesn't apply to you" because you "don't use it". See the next section for more.

Of course, this is terrible timing for an update, but it is what it is. I can report I have installed both updates on multiple machines and operating systems without incident. And I may do a follow-up post on the update as I/we all learn more.

For more details, read on.

Following are the topics discussed in this post:

A key point about this security update: its relation to the PMT--and why it may affect you unexpectedly

Note that if you read the update technotes (linked to below), you will see that this update centers on matters related to the Adobe PMT (Performance Monitoring Toolset). Don't let that diminish your attention: even if you "don't USE the PMT", you may still be vulnerable and should apply the update.

What matters instead is whether you have the pmtagent package/module installed within your CF instance. You can determine that by viewing the CF Admin "Package Manager" page, or using the "cfpm list" command (for those familiar with the cfpm tool, added in CF2021, found in the cfusion/bin folder or [instance]/bin). To be clear, if you have it installed, then even if you "haven't installed the PMT" or "don't have the PMT service running on this or any machine", or "don't have the PMT monitoring this CF instance", you are still impacted and therefore should install the update ASAP.

Of course, another option would be to uninstall the pmtagent module--if you know you don't use it. (Just beware that someone could add it back.) You can remove it from the CF Admin "package manager" page, or via the "cfpm uninstall pmtagent" command.

BTW, note that as with the removal of many CF packages/modules, removing this pmtagent does NOT require a restart of CF. So for those who are stressed about not wanting to apply the update mid-day or mid-week (as that WILL require a CF restart), at least you can know that you can mitigate this issue ASAP by removing the pmtagent package--again assuming you don't use the PMT/your CF instance is not being monitored by a PMT. (And if it IS, and you remove this, it just means that the monitoring of the instance by the PMT would stop. There should be no negative consequence to your CF instance itself if you remove the pmtagent while it IS being monitored by a running PMT service.)

And if you may think "I never installed it", just note that various things presume to "install all packages", from the full/GUI CF installer, to the CF Admin Package Manager "install all" button, and the available "cfpm install all" command (which some folks suggest without blinking in trying to solve other problems). Even one who installs CF using its available zip install approach (new in CF2021) would then run its related cfinstall script and could tell that to install "all" modules. So you may "have the pmtagent installed" and not even realize it.

Finally, those who don't have the pmtagent module should still apply the update at some point. It's not entirely clear if this is the ONLY aspect of this CF update; and of course, this update would also be incorporated into any future CF updates that are released, so it's not like you can "skip it" somehow because you "don't use the PMT". Just get the update implemented, like any other.
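To make the check described above repeatable across several instances, here is a small POSIX shell script. It is an added example, not code from this post or from Adobe. It assumes the cfpm launcher is the cfpm.sh script in the instance's bin folder (the post only names the cfusion/bin or [instance]/bin location) and that "cfpm list" prints installed package names one per line; the sample listing used in the comments is constructed, not captured from a real server.

```sh
#!/bin/sh
# Added example (not from the post): report whether a CF instance carries the
# pmtagent package, using the "cfpm list" command the post refers to.
# ASSUMPTIONS: CF_HOME points at the ColdFusion instance folder (default is a
# common Linux path for CF2023); the launcher is $CF_HOME/bin/cfpm.sh; and
# "cfpm list" prints one package name per line, e.g. a constructed listing:
#   adminapi
#   pmtagent
#   zip

CF_HOME="${CF_HOME:-/opt/coldfusion2023/cfusion}"

# has_pmtagent: read a package listing on stdin; return 0 if any line
# mentions pmtagent (case-insensitive), 1 otherwise.
has_pmtagent() {
    grep -qi 'pmtagent'
}

# check_instance: run "cfpm list" for the instance and print the advice
# from the post. Returns 0 when pmtagent is present (action needed),
# 1 when it is absent, 2 when the cfpm launcher cannot be found.
check_instance() {
    cfpm="$CF_HOME/bin/cfpm.sh"
    if [ ! -x "$cfpm" ]; then
        echo "cfpm launcher not found at $cfpm" >&2
        return 2
    fi
    if "$cfpm" list | has_pmtagent; then
        echo "pmtagent IS installed in $CF_HOME."
        echo "Apply the Dec 2024 update now, or (if the PMT is not used)"
        echo "run: $cfpm uninstall pmtagent   (no CF restart needed)"
        return 0
    fi
    echo "pmtagent is not installed in $CF_HOME; still schedule the update."
    return 1
}

# Run the live check only when executed as a script (not when sourced).
if [ "${0##*/}" = "check_pmtagent.sh" ]; then
    check_instance
fi
```

Save it as check_pmtagent.sh, set CF_HOME per instance (each [instance]/bin has its own cfpm), and run it before deciding whether the update can wait for the next maintenance window or the package should be removed now.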

Finding (and finding more about) the update

While you should have seen the update appear in your CF Admin when you log in (and if you don't, give it time, as there may be a caching issue), as always Adobe has announced the update via their CF Community Forums, specifically: NOW LIVE! Adobe ColdFusion 2023 and 2021 December 2024 security updates.

And that points to the (very important) technote for each version's update:

You should definitely read those to learn more, as they discuss more about the relationship to the PMT, including several questions they anticipate, with their answers. (Indeed, it's unfortunate that the announcement on the forum still does NOT mention how this "critical vulnerability" could happen only "if the pmtagent package is installed on your ColdFusion server." For more, see my comment about this from this morning on that forum thread.)

Finally note also that Adobe has posted a blog entry in the CF portal about the update (with essentially the same info): RELEASED- ColdFusion 2023 and 2021 December 23rd, 2024 Security Updates. (There tends to be more discussion in the forum announcement than the blog post, though not always.)

Some other resources to consider, discussing this update

Because this is a security update, it's already generated considerable discussion today. I want to point you to a few resources for your consideration, especially from Brian Reilly and Pete Freitag, who are stalwart security mavens in the CF Community:

What about those on CF2018? No update, but consider removing the pmtagent

Before wrapping up, I want to put out for consideration something that I expect eventually will be asked: what about those on CF2018? Since the PMT was introduced with CF2018, might they be vulnerable as well?

That's not discussed in the technotes or forum thread...because formal Adobe support for CF2018 ended in July 2023. As such, they don't offer even security updates for releases they no longer support. And they don't tend to acknowledge them at all in such security updates as this, which leaves one wondering whether those on CF2018 ARE impacted by this issue.

I don't know if we'll ever be told (or someone will determine it), but given the severity of this issue, certainly the least we can say one should do if still using CF2018 (you really shouldn't be!) is to remove the pmtagent, as I discussed above. If you are using the PMT (have the CF2018 PMT service running and monitoring your CF2018 instance), then of course this will stop that monitoring. This is where you have to choose between the potential security risk and having the PMT running.

Again, those on CF2021 or above can apply this update, which solves the problem and allows them to continue using the PMT if they wish. (Those folks in the shocking situation of still running on CF2016 can ignore this matter, as it did not support the PMT at all. But there are far more significant vulnerabilities that have been addressed in the several CF security updates released since CF2016 stopped getting support in 2021--nearly 5 years ago.)

Finally, a few topics related to CF updates that you may want to consider

Separate from the details, there are a few other matters that may interest you, which I have covered in my previous blog posts on the updates. What I said in them applies to this one as well, so I'd just point you to these last few topics in my post about the previous update in October:

  • What to consider, with regard to the 4 previous CF updates (possible breaking changes)
  • As with all CF updates, possible need to upgrade web server connector
  • Something to consider, if you're coming from CF2021 update 10 or CF2023 update 4, or earlier
  • You can probably ignore the discussion of the -Djdk.serialFilter "ColdFusion JDK flag"

My discussion of those points starts at this point in that post from Oct.

On getting help with the update(s)

Finally, if you may want help with considering, installing, or troubleshooting anything related to these updates (or indeed anything related to CF), I'm available for online remote consulting. I can often help solve such update problems VERY quickly, getting you back on your feet. More at carehart.org/consulting.

Or you can certainly reach out to the CF community, starting first perhaps with the Adobe forum thread announcing the update, which I pointed to above. Then I list several of the online CF communities here.

Comments
Thanks for the heads up Charlie! Better today than tomorrow. I can also confirm that I have updated on more than 1 server and smooth so far.
Thx, Roberto.
Copyright ©2024 Charlie Arehart