ColdFusion 11 Update 10 and ColdFusion 10 Update 21 released

This post is to announce the release of updates for ColdFusion 11 and ColdFusion 10.
These updates address the security vulnerability CVE-2014-3529, mentioned in the bulletin APSB16-30.
ColdFusion 2016 is not affected by this vulnerability.
Refer to the following KB articles for instructions on how to download and install the updates.
ColdFusion 11 Update 10
ColdFusion 10 Update 21

Updates for ColdFusion 2016, ColdFusion Builder 2016, ColdFusion 11 and ColdFusion 10 released

This article announces the release of updates for ColdFusion 2016, ColdFusion Builder 2016, ColdFusion 11 and ColdFusion 10.

These updates address a common vulnerability mentioned in security bulletin APSB16-22.

ColdFusion 2016 Update 2

ColdFusion 2016 Update 2 fixes an important security issue. It also includes some other important fixes related to Language, Security Analyzer, AJAX, document management, SharePoint, CLI, API Manager and a few other areas.

For details, refer to this technote.

ColdFusion Builder 2016 Update 2

ColdFusion Builder 2016 Update 2 (standalone) has been upgraded from Kepler to Mars. It includes important updates to Security Analyzer, a few bug fixes related to performance and other bug fixes. PhoneGap has been upgraded to 5.2.

For details, refer to this technote.

ColdFusion 11 Update 9

ColdFusion 11 Update 9 fixes an important vulnerability mentioned in the security bulletin APSB16-22. It also includes a few other fixes.

For details, refer to this technote.

ColdFusion 10 Update 20

ColdFusion 10 Update 20 fixes an important vulnerability mentioned in the security bulletin APSB16-22. It also includes a few other fixes.

For details, refer to this technote.


ColdFusion 2016 and ColdFusion Builder 2016 Update 2 are available for early access

ColdFusion 2016 and ColdFusion Builder 2016 Update 2 early access builds are now available for your testing and feedback.


Note: The early access builds mentioned here have now been released in final form. So do not use the prerelease files or info below, but rather see the later blog post:

http://blogs.coldfusion.com/updates-for-coldfusion-2016-coldfusion-builder-2016-coldfusion-11-and-coldfusion-10-released


Note that this is a test build and should not be used in a production environment.

ColdFusion 2016 Server

Change the update URL in ColdFusion Administrator -> Server Updates -> Updates -> Settings to the following:

https://cfdownload.adobe.com/pub/adobe/coldfusion/2016/prerelease/updates.xml

Refer to this document for the issues fixed.

Here are the install instructions for Server.

The build number after applying this update for ColdFusion 2016 should be 2016.0.02.299076.

ColdFusion Builder 2016

Refer to this document for the issues fixed.

Here are the install instructions for Builder.

Standalone installation:

Change the update URL in ColdFusion Builder -> Help -> Install New Software -> Add -> Enter this URL in the location field:

For Windows/Linux – https://cfdownload.adobe.com/pub/adobe/coldfusion/2016/prerelease/cfb31standalonerepo/

For OS X – https://cfdownload.adobe.com/pub/adobe/coldfusion/2016/prerelease/cfb31standalonerepomac/

Plugin installation:

Change the update URL in Eclipse 4.5.2 or above -> Help -> Install New Software -> Add -> Enter this URL in the location field:

https://cfdownload.adobe.com/pub/adobe/coldfusion/2016/prerelease/cfb31pluginsrepo/

What’s new in this Update

ColdFusion 2016 Update 2:

  • Struct Serialization and Array Serialization:

For a struct, there is no way to derive the data type information correctly, and hence even today we see serialization issues where a "lastname" value is serialized as a Boolean (Bug #3337394).

We are providing an API on the Struct class to add metadata to a struct object. This function takes a struct whose keys are the keys of the struct being described and whose values are the data types of the corresponding values. For example:

mystruct = StructNew();

mystruct.setMetadata({"lastname": "String", "age": "number"});

// The function form does the same; a nested struct describes a value's type together with extra attributes
simple = StructNew();
structSetMetadata(simple, {"value": "boolean", "firstname": "string", "currency": {"type": "numeric", "name": "usd"}});

writeDump(mystruct.getMetadata()); // returns: {ordered="insertion|unordered", keys={lastname="string", age="number"}}

For arrays, you can also set the metadata using the setMetadata and getMetadata methods. The array metadata must contain the key "items", which specifies the type of the array members.

myArray = ArrayNew(1);
myArray.setMetadata({"items": "numeric"});

writeDump(myArray.getMetadata()); // returns: {"type":"synchronized", items="numeric"}

Application level support

Other than passing the type information at the struct level, you can also define it at the application level, like this:

this.serialization.structmetadata = {zipcode="String"};

If defined as above, you don't need to define the data type for zipcode in every struct that contains this key. At run time, if the metadata of a struct is not passed at the struct level but is defined at the application level, the struct value is resolved according to the application metadata. But if metadata is defined on the struct, the type defined at the struct level takes priority over the application-level one.

  • Configure SSL – Access API Manager portals over HTTPS for better encryption and security.
  • CAR settings migration – After deploying a CAR file, some settings are not migrated. You can view the list in the Archive Summary page (under the section Settings Never Migrated) while creating a CAR as well as while deploying it.
  • New member functions – ArrayDeleteNoCase, YesNoFormat, and BooleanFormat.
  • CKEditor – FCK Editor has been deprecated. You can now customize and design text areas in a form using CKEditor in the cftextarea tag.
  • NTLM changes – The ntlmDomain attribute is required if a user is part of a domain. When the user is not part of a domain, the ntlmDomain attribute is optional.
  • Other bug fixes – API Manager, PDF, language, etc.


ColdFusion Builder 2016 Update 2

  • Security Analyzer – You can view partial scan results after canceling a scan. You can search for a file by filename under Unscanned Files.

  • PhoneGap – PhoneGap is upgraded to version 5.2.

  • Other bug fixes – Performance, editor, Security Analyzer, etc.

We look forward to your valuable feedback and suggestions.

Applying update on a ColdFusion instance running with a non-admin user

You may run into issues if you use a non-administrator user account to install ColdFusion updates manually, or if an installation is attempted from the ColdFusion Administrator console while the ColdFusion service is running under a non-administrator account. In such cases, the update may not install successfully and may complete with errors.

The Windows user account used by the ColdFusion service should have the privileges to start and stop the ColdFusion service. The updater needs to stop the ColdFusion service so that it can replace the class files used by the service. After the update is installed, the updater starts the ColdFusion service again. Similarly, if the updater packages any updates related to the other ColdFusion services, such as the ColdFusion Add-On/Jetty service, ColdFusion .NET service or ColdFusion ODBC service, it stops and starts those services as well.

To avoid running into the issue above, you can take either of the following two approaches:

 – Stop the ColdFusion service manually before running the updater jar, and restart the service once the update is installed. This, of course, would need to be done every time you install an update; or

 – Assign the ColdFusion user account the privileges to start/stop the service. This is a one-time fix.

If you are using Windows Server 2003 or XP, you can follow this blog post to assign start/stop privileges to the ColdFusion service user account. But if you are on a later edition of Windows, such as Windows 7 or Windows Server 2012, keep reading.

The Windows Service Controller command (sc) can be used to set permissions on a Windows service. We will be using the following two variants of the command:

SDSHOW: displays the permissions on a service.

syntax: sc [<ServerName>] sdshow <ServiceName>

SDSET: sets the permissions on a service.

syntax: sc [<ServerName>] sdset <ServiceName> <ServiceSecurityDescriptor>

The security descriptor in the syntax above is written in what is known as the "Security Descriptor Definition Language" (SDDL). An SDDL descriptor has its own syntax and formatting conventions which, at first, may seem a bit intimidating, and I might add, somewhat bland. But we will just dwell on the elementary details that are relevant to our purpose. If you want to get into the nuances of the language, check out the resources referenced at the end of this post.

Before modifying the permissions on a service, it would be a good idea to view the current permissions first. To do that, run the following command:

sc SDSHOW "ColdFusion 2016 Application Server"

You can find out the name of the service from the service properties in the Services window. The output should be something similar to the following :

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWLOCRRC;;;SU)

I'll break down the output above into subsections and try to describe them.

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWLOCRRC;;;SU)

The prefix D is for the discretionary access control list (DACL) permissions. It identifies the users or groups that are allowed or denied access to a secured object.

S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

The prefix S is for the system access control list (SACL), which controls how access is audited. It enables administrators to log attempts to access a secured object in the security event log. This section is not pertinent to our interest, and hence will not be discussed further.

Each segment enclosed in parentheses, such as "(A;;CCLCSWRPWPDTLOCRRC;;;SY)", is an ACE or "Access Control Entry". It describes the permissions of a specific user or group.

The first letter in the ACE specifies the ACE type. 'A' here denotes "Allow". Similarly a 'D' would denote "Deny".

The next set of letters ("CCLCSWRPWPDTLOCRRC") denotes the permissions. It is a sequence of two-letter codes, each specifying one kind of permission. The components are listed below:

CC : SERVICE_QUERY_CONFIG – ask the SCM for the service’s current configuration

DC : Delete All Child Objects

LC : SERVICE_QUERY_STATUS

SW : SERVICE_ENUMERATE_DEPENDENTS

RP : Read all properties

WP : Stop the service

DT : SERVICE_PAUSE_CONTINUE

LO : SERVICE_INTERROGATE

CR : SERVICE_USER_DEFINED_CONTROL

SD : Delete

RC : READ_CONTROL – read the security descriptor on this service.

WD : Modify permissions

WO : Modify owner


The last code in the ACE denotes the trustee. Some of the values it can take are:

SY : Local system

BU : Built-in users

IU : Interactively logged-on user

BA : Built-in administrators

If the intent is to modify the permissions for a specific user rather than a group, you should instead use the SID associated with that user account. Suppose the ColdFusion Application service is running under a non-administrator account called "cfuser". To get the security identifier (SID) for the "cfuser" account, you can execute the following WMIC command:

wmic useraccount where name='cfuser' get sid

That should output something similar to the following:

SID

S-1-5-21-464414946-3681088821-1826911322-1510

To grant start/stop permission to "cfuser" on the ColdFusion Application service, take the output of the SDSHOW command and append an ACE for "cfuser" with the desired permission set, as follows:

SC SDSET "ColdFusion 2016 Application Server" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPCR;;;S-1-5-21-464414946-3681088821-1826911322-1510)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

And, of course, you should run the command with administrator privileges.

If you are using other ColdFusion services, such as ColdFusion Add-on Services, ColdFusion .NET Service, ODBC Agent and ODBC Server, you can follow the same steps as above to change the permissions on them.
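As an added example that is not part of the original post, the following Python script does the bookkeeping behind the procedure above: it parses the SDDL string that sc sdshow prints, reports which trustees hold the start (RP) and stop (WP) rights, builds the new descriptor the same way the SDSET command does (an Allow ACE for the account's SID inserted at the end of the DACL, before the S: section), and then checks that the account ends up with no rights beyond the three intended ones. The sample descriptor and the SID are the ones shown in the post. The right names in the table are the service-object meaning of the generic SDDL codes (RP and WP are SERVICE_START and SERVICE_STOP when applied to a service, which is why the post grants RPWPCR); the function names parse_sddl, grant_start_stop and rights_beyond are chosen here and are not an Adobe or Microsoft API.

```python
import re

# Service-object meaning of the two-letter SDDL right codes listed in the post.
# RP and WP are the generic "read property"/"write property" codes; on a
# service object they map to SERVICE_START and SERVICE_STOP, which is why the
# post grants "RPWPCR" (start, stop, user-defined control) to the account.
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}

# Well-known trustee abbreviations; SU (service logon accounts) and WD
# (Everyone) appear in the post's output but are not explained there.
TRUSTEES = {
    "SY": "Local System", "BA": "Built-in Administrators",
    "BU": "Built-in Users", "IU": "Interactively logged-on users",
    "SU": "Service logon accounts", "WD": "Everyone",
}

# Sample input: the descriptor the post shows for the ColdFusion 2016 service
# (D: and S: sections joined as sc sdshow prints them) and the sample SID.
SAMPLE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)
CFUSER_SID = "S-1-5-21-464414946-3681088821-1826911322-1510"

# A section is "D:" or "S:", optional control flags (e.g. "PAI"), then ACEs.
SECTION_RE = re.compile(r"(D|S):([A-Z]*)((?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_sddl(sddl):
    """Return {"D": [...], "S": [...]} with one dict per ACE (type, rights, trustee)."""
    sections = {"D": [], "S": []}
    for m in SECTION_RE.finditer(sddl):
        for body in ACE_RE.findall(m.group(3)):
            fields = body.split(";")
            if len(fields) != 6:
                raise ValueError("malformed ACE: (%s)" % body)
            ace_type, flags, rights, _obj, _inherit_obj, trustee = fields
            if rights.startswith("0x"):   # raw access mask; left undecoded
                codes = [rights]
            else:
                codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
            sections[m.group(1)].append({"type": ace_type, "flags": flags,
                                         "rights": codes, "trustee": trustee})
    return sections


def trustees_with(sections, right):
    """Trustees whose Allow ACE in the DACL includes the given right code."""
    return [a["trustee"] for a in sections["D"]
            if a["type"] == "A" and right in a["rights"]]


def rights_beyond(sections, trustee, allowed):
    """Rights the DACL allows to trustee that are not in the intended set."""
    granted = set()
    for a in sections["D"]:
        if a["type"] == "A" and a["trustee"] == trustee:
            granted.update(a["rights"])
    return granted - set(allowed)


def grant_start_stop(sddl, sid):
    """Insert (A;;RPWPCR;;;sid) at the end of the DACL, before any S: section."""
    ace = "(A;;RPWPCR;;;%s)" % sid
    if ace in sddl:                       # already present: nothing to change
        return sddl
    sacl_at = sddl.find("S:")
    if sacl_at == -1:
        return sddl + ace
    return sddl[:sacl_at] + ace + sddl[sacl_at:]


def describe(sections):
    """Readable DACL lines, for review before running sc sdset."""
    lines = []
    for a in sections["D"]:
        names = ", ".join(RIGHTS.get(c, c) for c in a["rights"])
        who = TRUSTEES.get(a["trustee"], a["trustee"])
        kind = "Allow" if a["type"] == "A" else a["type"]
        lines.append("%s %s: %s" % (kind, who, names))
    return lines


if __name__ == "__main__":
    before = parse_sddl(SAMPLE_SDDL)
    print("Accounts that can stop the service:", trustees_with(before, "WP"))
    new_sddl = grant_start_stop(SAMPLE_SDDL, CFUSER_SID)
    after = parse_sddl(new_sddl)
    print("\n".join(describe(after)))
    print("Rights beyond start/stop for cfuser:",
          rights_beyond(after, CFUSER_SID, {"RP", "WP", "CR"}) or "none")
    print('sc sdset "ColdFusion 2016 Application Server" ' + new_sddl)
```

Run it with the real sdshow output pasted in place of SAMPLE_SDDL and the SID from the wmic command; the last line it prints is the sdset command to run from an elevated prompt. The rights_beyond check is the one worth keeping around: the service account needs only RP, WP and CR, and anything else on its ACE (WD or WO in particular, which let the holder rewrite the descriptor itself) is more than the updater requires.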


References:

https://msdn.microsoft.com/en-in/library/windows/hardware/ff563667(v=vs.85).aspx

The Security Descriptor Definition Language of Love (Part 2)

ColdFusion Builder 2016 Update 1 released

This update is a companion update to ColdFusion 2016 Update 1 and primarily addresses issues related to the Security Code Analyzer and its performance.

The issues fixed in this release are listed in this document.

This update is applicable for a standalone as well as a plugin installation of ColdFusion Builder. After applying this update, ColdFusion Builder build number should be 298831.

ColdFusion Builder has an automatic update notification that informs the user when an update is available.

Updates for ColdFusion 2016, ColdFusion 11 and ColdFusion 10 released

This post is to announce the release of updates for ColdFusion 2016, ColdFusion 11 and ColdFusion 10.

These updates address a common vulnerability mentioned in security bulletin APSB 16-16, upgrade the Tomcat engine and contain other bug fixes.

ColdFusion 2016 Update 1

ColdFusion (2016 release) Update 1 addresses an issue mentioned in the security bulletin APSB 16-16. Tomcat has been upgraded to version 8.0.32. This update includes several important bug fixes for security, core language features, server, and other areas.

For details, refer this technote.

ColdFusion 11 Update 8

ColdFusion 11 Update 8 addresses an issue mentioned in the security bulletin APSB 16-16. Tomcat has been upgraded to version 7.0.68. This update includes several important bug fixes for security, language, AJAX, and other features.

For details, refer to this technote.

ColdFusion 10 Update 19

ColdFusion 10 Update 19 addresses an issue mentioned in the security bulletin APSB 16-16. Tomcat has been upgraded to version 7.0.68. This update includes important bug fixes for security and server.

For details, refer to this technote.

ColdFusion 11 Update 7 and ColdFusion 10 Update 18 are now available

This post is to announce the release of new updates for ColdFusion 11 and ColdFusion 10.

ColdFusion 11 Update 7

ColdFusion 11 Update 7 includes support for Windows 10 and OS X 10.11. Tomcat has been upgraded to version 7.0.64. This update addresses a vulnerability mentioned in the security bulletin APSB15-29 and also includes bug fixes related to connector, database, language, caching and certain other areas.

For more details, refer to this article.

ColdFusion 10 Update 18

ColdFusion 10 Update 18 includes support for Windows 10 and OS X 10.11. Tomcat has been upgraded to version 7.0.64. This update addresses a vulnerability mentioned in the security bulletin APSB15-29 and also includes bug fixes related to connector, language, caching and certain other areas.

For more details, refer to this article.

For those who have applied the early access release (pre-release) build of Update 7 or Update 18, follow the steps below to reinstall Update 7 or Update 18, as applicable.

1. Uninstall Update 7 (PreRelease) or Update 18 (PreRelease).

2. Reinstate the update URL by clicking the “Restore Default URL” button in the “Server Updates” section of the ColdFusion Administrator.

3. Switch to the “Available Updates” tab and click the “Check for Updates” button.

4. Download and install Update 7 or Update 18.


ColdFusion 11 Update 7 is available for early access

Update: Since this post was made, the final version of Update 7 was released and should be used instead.


The ColdFusion 11 Update 7 early access build is now available for your testing and feedback. It includes support for Tomcat 7.0.64, Windows 10 and Mac 10.11, along with several bug fixes.

Please note that this is a test build and should not be used in a production environment.

Refer to this document for the list of bugs fixed in this update.

Follow the steps below to apply this update.

  1. Navigate to ColdFusion Administrator -> Server Updates -> Updates.
  2. Under the Settings tab, check the "Automatically Check for Updates" check box.
  3. Change the Site URL to https://cfdownload.adobe.com/pub/adobe/coldfusion/PR/updates.xml.
  4. Click Submit to save your changes.
  5. Under the "Available Updates" tab, click the "Check for Updates" button.
  6. "ColdFusion 11 Update 7(PreRelease)" should be listed under the "Available Updates" tab.
  7. Click the "Download and Install" button to install the update.

To apply this update manually, click this link to download the update jar. To run the downloaded jar, execute the following command:

java -jar <jar-file-dir>/hotfix_007.jar

You should use the JRE used by ColdFusion for running the update jar (for standalone ColdFusion, it is <cf_root>/jre/bin).

MD5: 2248f3a1401fe658b40743102c5d5999

For further details on manual application of the updater, follow this help article.

The build number after applying this update should be 11,0,07,296112(PreRelease).

If you have configured a local site for receiving update notifications, back up that URL before changing it to the prerelease URL.

We look forward to your valuable feedback and suggestions.

ColdFusion 10 Update 18 is available for early access

Update: Since this post was made, the final version of Update 18 was released and should be used instead.


The ColdFusion 10 Update 18 early access build is now available for your testing and feedback. It includes support for Tomcat 7.0.64, Windows 10 and Mac 10.11, along with several bug fixes.

Please note that this is a test build and should not be used in a production environment.

Refer to this document for the list of bugs fixed in this update.

Follow the steps below to apply this update.

  1. Navigate to ColdFusion Administrator -> Server Updates -> Updates.
  2. Under the Settings tab, check the “Automatically Check for Updates” check box.
  3. Change the Site URL to https://cfdownload.adobe.com/pub/adobe/coldfusion/PR/updates.xml.
  4. Click Submit to save your changes.
  5. Under the “Available Updates” tab, click the “Check for Updates” button.
  6. “ColdFusion 10 Update 18(PreRelease)” should be listed under the “Available Updates” tab.
  7. Click the “Download and Install” button to install the update.

To apply this update manually, click this link to download the update jar. To run the downloaded jar, execute the following command:

java -jar <jar-file-dir>/hotfix_018.jar

You should use the JRE used by ColdFusion for running the update jar (for standalone ColdFusion, it is <cf_root>/jre/bin).

MD5: 412eb868a290cd635bed305f5658a0eb

For further details on manual application of the updater, follow this help article.

The build number after applying this update should be 10,0,18,296093(PreRelease).

If you have configured a local site for receiving update notifications, back up that URL before changing it to the prerelease URL.

We look forward to your valuable feedback and suggestions.
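The two early-access posts above each publish an MD5 for the hotfix jar and say to run the jar with the JRE bundled under <cf_root>/jre. The following Python script is an added example, not tooling from the posts, that ties those two instructions together: it checks a downloaded jar against the published MD5 before launching the updater with the bundled JRE, and refuses to run for a mismatch or for a jar name the table does not list. The jar names and MD5 values are the ones from the posts; the ColdFusion root path, the command-line arguments and the function names are assumptions. MD5 is the only checksum the posts publish, so this catches a corrupted or truncated download; it is not a signature check, and the jar should still be obtained from the download link in the post.

```python
import hashlib
import hmac
import os
import subprocess

# MD5 values published in the two early-access posts above, keyed by jar name.
PUBLISHED_MD5 = {
    "hotfix_007.jar": "2248f3a1401fe658b40743102c5d5999",  # ColdFusion 11 Update 7 (PreRelease)
    "hotfix_018.jar": "412eb868a290cd635bed305f5658a0eb",  # ColdFusion 10 Update 18 (PreRelease)
}


def md5_hex(data):
    """Hex MD5 digest of the given bytes."""
    return hashlib.md5(data).hexdigest()


def md5_matches(data, expected_hex):
    """Compare a digest against the published value without short-circuiting."""
    return hmac.compare_digest(md5_hex(data), expected_hex.strip().lower())


def verify_named_bytes(name, data, published=PUBLISHED_MD5):
    """True if data hashes to the published MD5 for the jar called name.
    Raises KeyError for a name the table does not list, so an unexpected
    file is never waved through silently."""
    return md5_matches(data, published[name])


def verify_jar(path, published=PUBLISHED_MD5):
    """Read the jar at path and check it against the published table."""
    with open(path, "rb") as f:
        return verify_named_bytes(os.path.basename(path), f.read(), published)


def update_command(cf_root, jar_path):
    """argv the posts describe: the JRE bundled under <cf_root>/jre runs the jar.
    cf_root is assumed to be the cfusion directory of a standalone install."""
    java = os.path.join(cf_root, "jre", "bin",
                        "java.exe" if os.name == "nt" else "java")
    return [java, "-jar", jar_path]


def apply_update(cf_root, jar_path, run=subprocess.run):
    """Verify first, then launch the updater; refuses to run on a mismatch."""
    if not verify_jar(jar_path):
        raise RuntimeError("MD5 mismatch for %s; not running the updater" % jar_path)
    return run(update_command(cf_root, jar_path), check=True)


if __name__ == "__main__":
    import sys
    # Usage (paths are examples): apply_hotfix.py C:\ColdFusion11\cfusion hotfix_007.jar
    apply_update(sys.argv[1], sys.argv[2])
```

Run it from an account that can stop and start the ColdFusion service, as the post on non-admin accounts above explains; the verification step itself needs no privileges and can be run by anyone who downloaded the jar.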

ColdFusion 11 Update 5 and ColdFusion 10 Update 16 released

The following ColdFusion updates are now available for download:

ColdFusion 11 Update 5

This Update includes approximately 115 bug fixes related to Language, Mobile Support, File Management, Document Management, Administrator, Connector and several other areas.

It also addresses a vulnerability mentioned in the security bulletin APSB 15-07 and adds support for Apache 2.4.10. With this update, the Web Server Config tool now backs up all the connector configuration files.

For details, refer to this technote.

ColdFusion 10 Update 16

ColdFusion 10 Update 16 includes approximately 35 bug fixes related to File Management, ORM, Language, Document Management and certain other areas. It also addresses a vulnerability mentioned in the security bulletin APSB15-07.

For details, refer to this technote.