This post is to announce the release of updates for ColdFusion 11 and ColdFusion 10.
These updates address the security vulnerability CVE-2014-3529, mentioned in the bulletin APSB16-30.
ColdFusion 2016 is not affected by this vulnerability.
Refer to the following KB articles for instructions on how to download and install the updates.
ColdFusion 11 Update 10
ColdFusion 10 Update 21

30 Comments to “ColdFusion 11 Update 10 and ColdFusion 10 Update 21 released”

  1. Charlie Arehart
    It may be helpful for some folks to hear this: if you build (or re-build) the web server connector for IIS after applying this update, the isapi_Redirect.dll will show a date of August 19, 2016. But I have done a comparison to the previous one (which was dated Mar 3, 2016 for the past couple of CF10 and 11 updates) and it is binary identical.

    The technote for this update makes no mention of a need to update the web server connector, so I'm just offering this clarification of the date for future reference.

    If anyone would wonder, "what's this about updating the connector?" (some never notice that the technote for some updates DO say you need to update it), I'll share that I have a couple of blog posts on the topic. While I wrote them in the CF10 timeframe, they apply just as well to CF11:

    http://www.carehart.org/blog/client/index.cfm/2013/9/13/why_you_must_update_cf10_webserver_connector

    http://www.carehart.org/blog/client/index.cfm/2013/11/8/still_more_reasons_to_update_your_CF10_webconnector

    (As for those running CF2016, fortunately the update process for that takes care of the connector update for us, as one of the many improvements it offers regarding the web server connector. See the "Hidden Gems in CF2016" talk on my site, via the presentations link, for more on that.)
  2. Piyush
    The last CF updates that carried any connector related fixes were CF11 Update 7 and ColdFusion 10 Update 18.
    Since all CF updates are cumulative, you only need to reconfigure the connector if you are on an update level lower than what is mentioned earlier, or you had applied those updates and not reconfigured the connector afterwards.
  3. Jörg Zimmer
    {subscribe}
  4. Miguel-F
    [subscribe]
  5. Leith
    Can you please provide the direct download links when you all post these types of updates or put them in the documentation? Our servers have no access to the internet so telling us to go click the download button does nothing for us. Every time one of these updates comes out we play the "where's the update files" game.
  6. Matthew
    [subscribe]
  7. Nimit Sharma
  8. Charlie Arehart
    Piyush, I can't tell if you were offering your comment to correct mine or add to it. I'll clarify that I was only pointing out the change of the date because it did in fact show up as a "new" date compared to the previous updates. I was affirming that it was indeed otherwise unchanged.

    As for the cumulative nature, I'll just note that I started to elaborate on that myself, but then realized that my blog posts I point to. :-)

    Still good for people to hear it again and more directly. Just wanted to clarify to any readers who may have been trying to discern if you were making some contradiction to what I'd said. I realize you were not. :-)
  9. Charlie Arehart
    Nimit, it's great that you shared those links here.

    **Honestly, though, can you guys instead get them listed in the update technotes (each link in its own technote)?** That way people who at least may look for the update there can find it. :-)

    Even better might be if the CF Admin update page itself would be modified to list the appropriate link for each release (10, 11, and 2016), so that folks who may not even think to look at the technote (but would look at the updates page) could be shown the link right there on the update page.

    You could maybe even make it "smart" and only show the link when there is no listed update (which means it would show to those who don't have web access on the server), or show it if they do the "check for updates" but it fails.

    But I think it would be wise just to put it at the bottom of the page under where updates would appear to simply say "if you have need to instead manually download the updates, here is where you can find them". It would help as well to point to a resource (the docs or a blog post) that walks folks through doing the update manually.

    Still, don't let better stand in the way of good enough: even if there's no chance or it will take too long to get this listed in the CF admin updates page, please, PLEASE get the links listed in the technotes and ensure they appear in each update technote going forward. :-)

    Thanks.
  10. Paul
    It would be useful if Adobe could provide a bit more detail about the scope of the vulnerability. The APSB mentions "parsing crafted XML entities", so is this an issue with the XMLParse function specifically? I'm just trying to determine whether this is a "full panic mode" patch that needs to be applied immediately (and cross our fingers something else doesn't get botched), or if it can be deferred if I'm not parsing XML entities via a public webservice or whatever.
  11. Pete Freitag
    @Paul - FYI Adobe has updated the security bulletin with the following: "As of September 1, Adobe is aware of publicly available proof-of-concept code, and we have modified the priority of these hotfixes from Priority 2 to Priority 1".

    That proof of concept code gives some more detail about the vulnerability. The takeaway is that if your application accepts any sort of office document (for example users upload them) and then it works with those files (e.g. cfspreadsheet) then you should patch your servers right away. Either way I would still try to apply security patches as soon as you can.

    Further if you are running CF9 or lower and are using any sort of office doc features you should upgrade to CF10+ since CF9 and below are considered "End of Life" and no longer patched or supported by Adobe.
  12. Bret
    Does the CF10 Update 21 require the Solr service? My CF10 server has never had Solr installed and when I installed update 21, this is the error I get when trying to get to the CF administrator:

    The following information is meant for the website developer for debugging purposes.
    Error Occurred While Processing Request
    The Solr service is not available.

    This exception is usually caused by service startup failure. Check your server configuration.

    The error occurred in Application.cfm: line 89
    Called from Application.cfm: line 85
    Called from Application.cfm: line 4
    Called from Application.cfm: line 1
    -1 : Unable to display error's location in a CFML template.
    ...
    Stack Trace
    at cfApplication2ecfm1780444099._factor0(C:/coldfusion/jenkins/workspace/CF10_HF21/cfusion/wwwroot/CFIDE/administrator/Application.cfm:89) at cfApplication2ecfm1780444099._factor3(C:/coldfusion/jenkins/workspace/CF10_HF21/cfusion/wwwroot/CFIDE/administrator/Application.cfm:85) at cfApplication2ecfm1780444099._factor9(C:/coldfusion/jenkins/workspace/CF10_HF21/cfusion/wwwroot/CFIDE/administrator/Application.cfm:4) at cfApplication2ecfm1780444099.runPage(C:/coldfusion/jenkins/workspace/CF10_HF21/cfusion/wwwroot/CFIDE/administrator/Application.cfm:1)

    coldfusion.server.ServiceFactory$ServiceNotAvailableException: The Solr service is not available.
       at coldfusion.server.ServiceFactory.getSolrService(ServiceFactory.java:97)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    ...
  13. Piyush
    Paul,
    The vulnerability is related to how OOXML documents are parsed. You may refer to https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4264
    Applying the fix is strongly advised. Any specific reason you want to defer applying it?

    Charlie,
    just adding to the information you've shared. We will update our KB articles to mention whether a connector reconfiguration is required or not. But a reconfiguration is not required unless it is explicitly mentioned in the KB article related to the update.
    Thanks for pointing it out.

    Bret,
    CF should be able to function independently of Solr.
    Where and at what point do you see the error stack trace that you've shared?
    Is it when accessing the CF administrator console, when starting the CF server, or in the CF exception log file? If it is the administrator console, is it when accessing the administrator home page or when navigating to the Solr section in the administrator?
    I don't see that issue with my set-up. Can you pls. share your neo-solr.xml file at pnayak@adobe.com. The file should be at CF10_HF21/cfusion/lib/
  14. Charlie Arehart
    Piyush, thanks for offering to make more explicit in each update's release notes (whether a connector update is needed or not). I think it would be very helpful.

    On the matter of update release notes, can you also take on adding the link to the appropriate hotfix download page, for when people may not have online access from the server to do the download automatically? See the discussion in the comments above between Nimit and me.

    Thanks.
  15. Charlie Arehart
    Bret, on your issue with Solr, I really doubt that it's the update itself that caused an issue, but I think I may have a solution for you. First some other thoughts to consider:

    1) To be clear, while it's true that update 21 only added the one security update, we should note that they are cumulative, so that if you had perhaps skipped update 20 or others before it, you would be getting MORE than just update 21. You don't clarify that.

    2) As for what may be amiss, the first thing one should always do after applying updates (even if they seem or report to be "successful") is to check the update logs. It's not unusual to find that there was an error (and while sometimes such an error will stop CF coming up, sometimes it will not).

    I just posted a blog entry discussing dealing with errors in CF updates, including how to find them and what to do about them (which in fact grew out of my comment here, as it was getting longer and longer. There I could expand on the topic and make it of value for more than those reading here).

    http://www.carehart.org/blog/client/index.cfm/2016/9/6/solve_common_problems_with_CF_updates_in_10_and_above

    3) Finally, Bret, you may find there that there is no error at all with the CF update itself (do check the log, as discussed in my post. It's worth confirming). So why then the problem with Solr?

    I would wonder whether it was not so much "the update" that caused the problem but the fact that you restarted CF. Is it possible that you or anyone there may have changed your JVM that CF uses, perhaps as part of the "update" process? That would only take effect when CF was restarted. Even if you didn't update the JVM CF uses, someone may have done it days or weeks before and not restarted CF at the time, so it's taking effect now.

    The problem is that they may have forgotten to tell Solr to use the same jvm update. (The following is worthy of a blog post, too, but I'm out of time. Hope to do it later.)

    Look at your jvm.config (in [cf]\cfusion\bin, or replace "cfusion" with the name of any instance you created if on CF Enterprise, Trial, or Dev edition). What's the value on the java.home line (usually the first uncommented line in the file)? If it names a path other than the jre within your ColdFusion folder, then someone has indeed changed that line, likely to support a later JVM. Nothing wrong with that, necessarily.

    But then look at the jetty.lax file in [cf]\cfusion\jetty folder, and specifically at its lax.nl.current.vm line (about 50 lines down, typically). If the path it points to (for the java command it names) is perhaps the [cf]\jre folder, but the folder named in the jvm.config points to a different JVM, that could explain your problem.

    If you change one of them to reconcile it with the other, you'll need to restart the instance (CF or Solr) to get the change to take effect. Do keep the file you change open, in case you need to revert it back (or save a copy before changing it, to revert back to).

    And do beware that on Windows, when editing these jvm lines, you must use a different slash than Windows would for separating folders. Instead of "\", use either a "/" or "\\". That's just the way of Java on Windows.

    Let us know how any of that goes, or take up Piyush on his kind offer.
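The jvm.config / jetty.lax comparison Charlie walks through above, as an added example that is not code from the original post: it reads java.home and lax.nl.current.vm from constructed sample excerpts, normalizes the Windows-style paths, and reports whether CF and its Solr/Jetty service would start on the same JVM. The sample file contents, paths and helper names are assumptions made for this example.

```python
"""Check whether ColdFusion (jvm.config) and its bundled Solr/Jetty (jetty.lax) point at the
same JVM. Added example; the sample excerpts are constructed, not copied from a real install."""
import re

# Constructed excerpt of [cf]\cfusion\bin\jvm.config: someone moved CF to a newer JRE.
SAMPLE_JVM_CONFIG = """\
#
# VM configuration
#
# Where to find JVM, if {java.home}/jre exists then that JVM is used
java.home=C:/Java/jdk1.8.0_102/jre
java.args=-server -Xms256m -Xmx1024m
"""

# Constructed excerpt of [cf]\cfusion\jetty\jetty.lax: Solr still uses the JRE shipped with CF.
SAMPLE_JETTY_LAX = """\
#   jetty.lax (constructed excerpt)
lax.main.class=org.mortbay.start.Main
lax.nl.current.vm=C:\\ColdFusion10\\jre\\bin\\java.exe
lax.nl.java.option.java.heap.size.max=512000000
"""


def read_key(text, key):
    """Value of the first uncommented `key=value` line, or None if absent."""
    pattern = re.compile(r"^\s*" + re.escape(key) + r"\s*=\s*(.*?)\s*$")
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = pattern.match(line)
        if m:
            return m.group(1)
    return None


def normalize_path(path):
    """Comparable form: forward slashes, no doubled separators, lower case
    (assumes a Windows host, where the file system is case-insensitive)."""
    path = path.replace("\\", "/")
    while "//" in path:
        path = path.replace("//", "/")
    return path.rstrip("/").lower()


def jre_dir_from_java_exe(vm_path):
    """jetty.lax names .../bin/java(.exe); strip that to get the JRE directory."""
    p = normalize_path(vm_path)
    m = re.match(r"^(.*)/bin/javaw?(?:\.exe)?$", p)
    return m.group(1) if m else p


def jvms_agree(jvm_config_text, jetty_lax_text):
    """Return (cf_jre, solr_jre, same): the JVM each service will start with."""
    cf_jre = normalize_path(read_key(jvm_config_text, "java.home") or "")
    solr_jre = jre_dir_from_java_exe(read_key(jetty_lax_text, "lax.nl.current.vm") or "")
    # java.home may name a JDK root; CF then uses its jre/ subfolder.
    same = solr_jre in (cf_jre, cf_jre + "/jre")
    return cf_jre, solr_jre, same


def to_java_style_path(windows_path):
    """These files read a single backslash as an escape, so write the path with '/'."""
    return windows_path.replace("\\", "/")


if __name__ == "__main__":
    cf, solr, same = jvms_agree(SAMPLE_JVM_CONFIG, SAMPLE_JETTY_LAX)
    print("CF   java.home         :", cf)
    print("Solr lax.nl.current.vm :", solr)
    print("OK" if same else "MISMATCH: reconcile the two files and restart the instance")
```

Run it against the real files by passing their contents to jvms_agree; a mismatch is only a problem if one of the two JVMs is missing or broken, but it is the first thing to rule out after a restart that suddenly breaks Solr.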
  16. K Johnstone
    FYI, I had the same problem as Bret after trying to install ColdFusion 10 Update 21 (from 19).
    (i.e. "The Solr service is not available." on CF Admin login page - although other CF sites worked)

    Uninstalling the update didn't fix the error.

    Unfortunately the above ideas from Charlie Arehart & Piyush (and Googling for Solr etc) didn't really help.

    The update log file had a fatal error as coldfusion.exe was being used by another process (i.e. ColdFusion service hadn't finished shutting down before update started)

    So I eventually tried stopping all CF services & reinstalling the update manually, which worked!
    (e.g. http://blogs.coldfusion.com/post.cfm/how-to-download-and-install-coldfusion-10-hotfix-directly)

    Hooray! Hope this note helps someone else too :D
  17. Charlie Arehart
    K, just to clarify, what you propose is indeed what my comment on Aug 31 was getting at (in step 2), although I did put the details in the blog post instead as it was getting long.

    But the "TLDR" summary I list at the top of the post does indeed summarize things: that when an update fails, you want to a) check the logs and often the solution will be b) stop CF yourself and run the installer manually from the command line. My blog post even points to the same URL you did, for help on manually installing updates. So we were indeed on the same page. Still, thanks for drawing this out more clearly. :-)

    Sorry I didn't pull those key points out here in my post as well (you'll see I had two other points related to Bret's need that I was also sharing). And there's a fair bit more people should know when it comes to understanding/resolving update failures, and that's what the post gets into and why I split it out.

    Anyway, glad that you just needed the "stop CF/reinstall the update" solution, and hope that may be the case for Bret. Still, it could be the other things, for him or other readers, and hope they may help also.
  18. Piyush
    K Johnstone,
    Thank you for sharing that information.
    I tried applying the updates in the same sequence as you (19 to 21) but I did not observe any issues. There were zero errors/warnings in my update 21 installation log.
    Can you pls. share your update installer log (the one with the fatal error) with me at pnayak@adobe.com. Can you also mail your exceptions.log (present at <cf_root>/cfusion/logs) from around the time your CF server was restarted after the faulty update.
  19. Charlie Arehart
    Well, Piyush, you would not likely get the problem. I don't know if K was implying that, but I guess you read it that way.

    Let me repeat for everyone: the issue K had (and I suspect we'll find Bret had) was that their instance of CF did not stop when the update mechanism ran (and the log showed that), and that left CF botched.

    And in such cases, one generally will need to stop CF manually, then install the update manually, from the command line.

    (All that's what my blog post gets into, in more detail.)

    So I don't think we should have any reason to think that it's "what's in the update" (or "what updates were skipped") that is the crux of this issue they're reporting.

    Hope that's helpful (from someone who helps people resolve such update problems about weekly).
  20. Piyush
    Yes Charlie. That's the case in all likelihood. At least, based on K's report.
    The update process not being able to replace file(s) that it is supposed to can lead to any number of unpredictable outcomes. But since we see two similar outcomes (K's and Bret's), I guess we might just double check the premises.
    I don't yet have the update installation logs for both the cases.
    In K's case, it would seem that the update process was not able to shut down the CF service, but we don't know yet if that was the case with Bret.
    The only reason I can think of why the updater was not able to restart the service, is that the user account that the CF process is using does not have the privileges to restart the service, assuming that the update was initiated from CF's admin console. Perhaps, K can confirm.
  21. Bret
    Thank you everyone for your suggestions. Apparently the "Subscribe to this comment thread" isn't working for me because I haven't received any emails alerting me to the replies.

    I did email Piyush the neo-solr.xml file and he confirmed that it did not cause the issue.

    Last night after reading the suggestions and waiting until the web site was not heavily used, I tried the manual process of stopping the services and installing the update. It was successful and the CF Administrator works once again.

    The update log file (ColdFusion10\cfusion\hf-updates\hf-10-00021\Adobe_ColdFusion_10_Update_21_Install_[timestamp].log) did list that the first update installation was unsuccessful:
    Failed to copy the hotfix files to the target location. Retry installation after ensuring that the server is not running or files are not locked by the server.

    For what it's worth, I was at CF 10 Update 20 prior to this and had not changed the jvm recently. The server has been restarted since the jvm was updated.

    I will now plan to do future CF updates manually until this server is phased out next year.

    Thanks again everyone!
  22. Eric Shaffer
    CF11 Update 10 broke all of my generated PowerPoint reports that use the CFPRESENTATION tag. Rolling back the update restored the functionality to full working order. The official Release Notes say "certain" libraries were upgraded, but no specifics were mentioned. Has anyone else experienced this problem?
  23. Charlie Arehart
    Eric, have you first checked if you had any errors in the application of the update? And if so, did you try a manual update, perhaps?

    See my comment above from Sep 6 at 11:49a, where I addressed this in considerable detail for someone else who felt that a CF update "broke" something (and it proved instead ultimately to be as I proposed, that it was a failure in the application of the update instead).

    Please do get back to us to let us know how it went.
  24. Eric Shaffer
    Thank you for your response, Charlie. The first thing the server team did was to check the logs for errors and anomalies; they said they found nothing other than that the update had been installed. Everything else worked fine after the application of the update; only my CFPRESENTATION reports were whacked.

    I will show our server maintenance team your comments concerning a manual update and suggest they try it. I will let this group know how things go. I'm hoping I can prove you are correct!

    In the event it still doesn't work after a manual installation, I will try to collect more useful info for troubleshooting the problem.
  25. Charlie Arehart
    Eric, thanks for the update. I'll tell you: some people look only in the CF "logs" folder, and yes they will find a log that does indicate THAT the update was applied, but sadly it's NOT the log to look at to find IF the update had any failures. So do have them read that info (just point them to my blog post) and they should be able to tell.

    I really do think that it will be that, and not some bug in the update (though that can happen). Do let us know how it goes.
  26. Mike Duey
    Not sure if this is related to the CF11 update 10 since this is a new install and I installed the update before finding this discrepancy, but my Solr collections do not behave as they used to. I cannot cfsearch on more than one collection at a time. I can search and index OK on one collection, but <cfsearch name="search" collection="coll1,coll2"> hangs the service.
    Where can I start looking to find the problem? Can I just try to re-install the Addon service with the stand-alone installer?
  27. Charlie Arehart
    Mike, have you made sure that there were no errors in the application of the update? It's not tracked in the CF logs folder, but rather within the hf-updates folder. For more details, see a blog post I did with more detail: http://www.carehart.org/blog/client/index.cfm/2016/9/6/solve_common_problems_with_CF_updates_in_10_and_above

    If there are no errors in that log, then the next question would be whether you've seen anything interesting in any of the logs within the jetty folder (within the CF folders), which is where the solr service runs. I'll also note that you can use a tool like FusionReactor to monitor Solr (since it can monitor any Java application or server, and Solr runs atop Jetty, built-within CF.)

    I would not think running the standalone Solr/Add-on installer would be "the solution". Either way, do let us know what you find or how things resolve.
  28. Mike Duey
    Thanks Charlie...I looked up logs in hf-updates and it shows this:
    Installation: Successful.
    881 Successes
    0 Warnings
    0 NonFatalErrors
    0 FatalErrors

    However, I looked up the same log on my dev server (which is able to search two collections at once) and it shows this:
    Installation: Successful.
    899 Successes
    0 Warnings
    0 NonFatalErrors
    0 FatalErrors

    I assume all is OK despite the different number of successes since the servers did not have identical upgrade paths (I jumped straight to 8 on the production server and stepped through one or two previous updates on dev)

    I also found the logs for the AddOn service install (in /jetty) and they were different too.
    The dev server log shows this:
    Installation: Successful.
    678 Successes
    0 Warnings
    0 NonFatalErrors
    0 FatalErrors

    And the prod server log shows this:
    Installation: Successful.
    672 Successes
    0 Warnings
    0 NonFatalErrors
    0 FatalErrors

    This seems strange because I installed both servers from the same install file (ColdFusion_11_WWEJ_win64.exe). Should they have the same number of successes even though they both report a successful install? Note that one was a development install and the other a production (not the high security one) install. Perhaps that could account for the different number of successes?

    I will install a copy of FusionReactor and see if I can get any other hints.
  29. Lance
    We are trying to install CF 11 update 10 and are encountering an error I've never experienced before. Anyone have any idea what might be causing these files to be locked? We've run this on other Mura servers with no problem...


    Summary
    -------

    Installation: Unsuccessful.

    894 Successes
    0 Warnings
    6 NonFatalErrors
    9 FatalErrors

    Action Notes:

    Moving files failed:: Failed to back up the previous hotfix files. Retry installation after ensuring that the server is not running or files are not locked by the server.

    Moving files failed:: Failed to back up the previous hotfix files. Retry installation after ensuring that the server is not running or files are not locked by the server.

    Moving files failed:: Failed to back up the previous hotfix files. Retry installation after ensuring that the server is not running or files are not locked by the server.

    Moving files failed:: Failed to back up the previous hotfix files. Retry installation after ensuring that the server is not running or files are not locked by the server.

    Moving files failed:: Failed to back up the previous hotfix files. Retry installation after ensuring that the server is not running or files are not locked by the server.

    Moving files failed:: Failed to back up the previous hotfix files. Retry installation after ensuring that the server is not running or files are not locked by the server.

    Moving files failed:: Failed to back up the previous hotfix files. Retry installation after ensuring that the server is not running or files are not locked by the server.

    Failed to copy hotfix files:C:\Users\muraservice\833774.tmp\dist\cfusion\db\slserver54\bin\swagent.exe: Failed to copy the hotfix files to the target location. Retry installation after ensuring that the server is not running or files are not locked by the server.

    Failed to copy hotfix files:C:\Users\muraservice\833774.tmp\dist\cfusion\db\slserver54\bin\swsoc.exe: Failed to copy the hotfix files to the target location. Retry installation after ensuring that the server is not running or files are not locked by the server.

    Failed to delete directory: Ensure that the server is not running or files are not locked by the server.

    Failed to delete directory: Ensure that the server is not running or files are not locked by the server.

    Failed to delete directory: Ensure that the server is not running or files are not locked by the server.

    Failed to delete directory: Ensure that the server is not running or files are not locked by the server.

    Failed to delete directory: Ensure that the server is not running or files are not locked by the server.

    Failed to delete directory: Ensure that the server is not running or files are not locked by the server.
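The log check Charlie recommends in post 15 (step 2), applied to the installer summaries that Bret, Mike and Lance quote above, as an added example rather than code from the original thread: it parses the Summary block of an hf-updates installer log, counts the "not running or files are not locked" actions, and returns a verdict with the locked paths. The two sample logs are constructed to match the quoted format, and the verdict names are my own.

```python
"""Classify a ColdFusion hotfix installer log from the hf-updates folder. Added example;
the sample logs below are constructed, modelled on the excerpts quoted in this thread."""
import re

LOG_OK = """\
Summary
-------

Installation: Successful.

881 Successes
0 Warnings
0 NonFatalErrors
0 FatalErrors
"""

LOG_LOCKED = """\
Summary
-------

Installation: Unsuccessful.

894 Successes
0 Warnings
6 NonFatalErrors
9 FatalErrors

Action Notes:

Moving files failed:: Failed to back up the previous hotfix files. Retry installation after ensuring that the server is not running or files are not locked by the server.

Failed to copy hotfix files:C:\\Users\\svc\\833774.tmp\\dist\\cfusion\\db\\slserver54\\bin\\swagent.exe: Failed to copy the hotfix files to the target location. Retry installation after ensuring that the server is not running or files are not locked by the server.

Failed to delete directory: Ensure that the server is not running or files are not locked by the server.
"""

STATUS_RE = re.compile(r"^\s*Installation:\s*(\w+)\.?\s*$")
COUNT_RE = re.compile(r"^\s*(\d+)\s+(Successes|Warnings|NonFatalErrors|FatalErrors)\s*$")
COPY_FAIL_RE = re.compile(r"^Failed to copy hotfix files:(.+?): Failed to copy")
LOCK_HINT = "not running or files are not locked"  # the installer's wording for a locked file


def parse_summary(log_text):
    """Return the Summary block as a dict: status plus the four counters."""
    summary = {"status": None, "Successes": 0, "Warnings": 0,
               "NonFatalErrors": 0, "FatalErrors": 0}
    for line in log_text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            summary["status"] = m.group(1)
            continue
        m = COUNT_RE.match(line)
        if m:
            summary[m.group(2)] = int(m.group(1))
    return summary


def locked_files(log_text):
    """Paths the installer could not overwrite (only the copy failures name a path)."""
    return [m.group(1) for m in map(COPY_FAIL_RE.match, log_text.splitlines()) if m]


def assess(log_text):
    """Verdict 'clean', 'check' or 'failed', plus the reasons an admin would want to see."""
    s = parse_summary(log_text)
    lock_lines = sum(1 for line in log_text.splitlines() if LOCK_HINT in line)
    problems = s["Warnings"] + s["NonFatalErrors"] + s["FatalErrors"]
    if s["status"] == "Successful" and problems == 0:
        return "clean", []
    reasons = ["status=%s fatal=%d nonfatal=%d warnings=%d"
               % (s["status"], s["FatalErrors"], s["NonFatalErrors"], s["Warnings"])]
    if lock_lines:
        reasons.append("%d lock-related actions: stop every CF service, then rerun the "
                       "installer manually from the command line" % lock_lines)
    for path in locked_files(log_text):
        reasons.append("could not replace " + path)
    return ("check" if s["status"] == "Successful" else "failed"), reasons


if __name__ == "__main__":
    for name, text in (("ok", LOG_OK), ("locked", LOG_LOCKED)):
        verdict, reasons = assess(text)
        print(name, "->", verdict, *["  " + r for r in reasons], sep="\n")
```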
  30. Lance
    Please disregard my message above. I found this post from Charlie that answers my question. I should have looked better before asking.

    http://www.carehart.org/blog/client/index.cfm/2016/9/6/solve_common_problems_with_CF_updates_in_10_and_above
