Announcing ColdFusion updates released Sep 10 2024: P3 security update
Also, if you are skipping to this update from CF2023 update 7 or earlier, or CF2021 update 13 or earlier, please don't apply the update before reading my discussion below about possible breaking changes in those updates from March and June of this year.
And there's still more to consider. Note that if somehow "it's all too much" for you, I can help directly and likely VERY quickly. See my discussion at the bottom here. Otherwise, for the details, read on.
I would like to thank you for the thorough details provided. That's been helping us to better understand the product (CF), its strengths and limitations. I would like to point out Adobe's position on fixing binaries vulnerabilities in the range of critical and highs. As CF customers we don't see a clear roadmap addressing those as time goes by and the end life cycle of CF 2021 is approaching fast. We are eager to see frequent updates around security in the next coming months. Best regards,
I just updated my lower environments from Update 10 to Update 16 (I know, I'm slow!). Unfortunately this has resulted in my RESTful services no longer working. When I go into the Admin and try to refresh it, I get this:
Error registering REST service. Please ensure that you have entered a proper mapping and path.
Application [service mapping] could not be initialized.
Reason: null
I did add -Dcoldfusion.searchimplicitscopes=true to the JVM because I have very old code that does not scope and it would take me a while to fix it (I will -- I just can't do it right now).
Any advice would be much appreciated!
And when you lament that the "end life cycle of CF 2021 is approaching fast" (Nov 2025), are you confirming whether the things that concern you may have been taken care of in CF2023 (or any of the updates to either CF2023 or 2021)?
And then what if the issues you raise are addressed by CF2025? Is that somehow not an option for you? And if your point would be that "you can't know, because there's no roadmap"...well, I don't work for Adobe and so can't make them create one.
Indeed, in that you "are eager to see frequent updates around security in the next coming months", asking for that here is a bit like howling in the wilderness. Instead, you should raise this issue to Adobe.
If you want to raise it to them directly, email either [email protected] or [email protected] (the latter may be better suited to your concerns here).
Otherwise, if you wanted to raise it to them publicly (so that others can see and perhaps chime in or at least benefit), you can either create a ticket at tracker.adobe.com, or open a discussion at the Adobe CF community forum (https://community.ad...).
But given the focus of this post, I would assert that further discussion of this general interest question here would be getting off-topic (and may not reach nearly the audience that the other options would).
https://community.ad...
Adding the application.cfc worked. Glad the solution was simple!
Thank you for replying to my post. I just want to provide an update, as Adobe has finally prioritized some of the security dependencies. Now we can see they have been addressed in CF2021 Update 17, which is really good news.
Just as a note, when I referred to binaries scan I was talking about BlackDuck scans.
Thanks a lot.