The following ColdFusion updates are now available for download. These updates address a common XXE vulnerability in BlazeDS. For details, refer to the security bulletin hyperlinks in the sections below.

Users who are using LCDS with ColdFusion should refer to this technote for updating their LCDS installation.

ColdFusion 11 Update 6

This update addresses the vulnerability described in security bulletin APSB15-21. This update is cumulative and includes fixes from previous ColdFusion 11 updates.

For details, refer to this technote.

ColdFusion 10 Update 17

This update addresses the vulnerability described in security bulletin APSB15-21. This update is cumulative and includes fixes from previous ColdFusion 10 updates.

For details, refer to this technote.

50 Comments to “ColdFusion 11 Update 6 and ColdFusion 10 Update 17 now available”

  1. Adam Cameron
    [subscribe]
  2. Peter Boughton
    So update 6 includes all previous updates, which means it includes update 5, which is broken.

    How do people limited to update 4 ensure they are not vulnerable?

    Is there a way to ensure Flex/BlazeDS is fully disabled in a way that avoids the security issue? Is removing all flex-related servlet/servlet-mappings from Tomcat going to be enough, or is there more to do?
  3. Matthew C. Parks
    Update 6 does not have the issue I logged in update 5 within it. Bug 3971083. DEBUG information turned on does not allow application to run correct.

    https://bugbase.adobe.com/index.cfm?event=bug&id=3971083

    Status = Closed, Status = Fixed on bugbase, yet update 6 still has this issue. Come on now.
  4. Aaron Neff
    +1 to Peter's request for information on how to disable the vulnerable module.

    Also, updates should be module-specific.

    Thanks!,
    -Aaron
  5. David Epler
  6. Piyush
    David,
    The articles have been updated. Thanks for pointing that out.

    Aaron,
    All updates since ColdFusion 10 are cumulative.

    Matthew,
    We're targeting the fix for 3971083 in the next update release. Update 6 had to be pushed out quickly as it addresses a zero-day vulnerability.

    Peter,
    Pls. elaborate on what's broken in Update 5.
  7. Piyush
    Peter, Aaron,
    You can uncheck the "Enable Flash Remoting" checkbox in ColdFusion Administrator > Data & Services > Flex Integration.
    But pls. be warned that this will also disable the Server Monitoring feature in ColdFusion.
  8. Adam Cameron
    @Piyush: so to be clear here... someone who might not think they are using BlazeDS, and accordingly doesn't need this fix, could conceivably be leaving themselves exposed if they are using server monitoring?


    Can you (ie: Adobe) be a bit less opaque about the reach of this issue? It's not that clear, I don't think.
  9. Jörg Zimmer
    [subscribe]
  10. Jörg Zimmer
    Hi all,
    I have a versioning issue after installing the updates on CF10 and CF11...
    I get version 11,0,06,289974 instead of 11,0,06,295053
    and version 10,0,17,282462 instead of 10,0,17,295085

    should I be worried or are the numbers in the hotfix-info wrong?
  11. Peter Boughton
    Thanks for the workaround Piyush.

    Adam, I don't think it's that opaque - the Server Monitoring functionality in CFAdmin is presumably making use of Flash Remoting (which is what BlazeDS provides).

    Assuming that's not used for Fusion Reactor, it'll be ok for us to disable it.
  12. Peter Boughton
    Piyush wrote:
    > Pls. elaborate on what's broken in Update 5.

    There were a number of issues, but the key one was JARs being locked:

    https://bugbase.adobe.com/index.cfm?event=bug&id=3956389
  13. Piyush
    Adam,
    The update needs to be applied to alleviate the threat, regardless of the fact whether you are using BlazeDS or not.
    If you got an impression that is otherwise, pls. point out the text in the content (here or the referenced technotes), so that I can see if that needs to be rephrased.

    Jörg,
    Can you pls. mail the update installation log and the platform details to me at pnayak@adobe.com.
    You'll find them at the following location:
    <cf_root>\cfusion\hf-updates\hf-11-00006; <cf_root>\cfusion\hf-updates\hf-10-00017


    Peter,
    I still need to check the details on what that bug is about, but it is yet to be fixed. I guess we'll have to wait for it to be fixed before we can consider shipping it in an update.
  14. Thilo Hermann
    I am unable to apply CF11/Update 6 manually:

    Downloaded via CF Admin (or https://cfdownload.adobe.com/pub/adobe/coldfusion/11/hotfix_006.jar)

    > [root@testserver hf-updates]# ./hotfix_006.jar
    > invalid file (bad magic number): Exec format error

    CF11, Update 5 installed on CentOS Linux, 64-Bit
  15. Thilo Hermann
    got it running, please ignore/delete my comment above
  16. Ron Stewart
    (subscribing)
  17. Matthew C. Parks
    @Piyush. So one would need to apply the Hot Fix again on update 6 and it should work? I hope so. I will attempt and report back.
  18. Phil Cruz
    [subscribe]
  19. Dave
    I appreciate that Adobe & CF Team have committed to moving this product forward and are providing updaters.
  20. Charlie Arehart
    Peter, to your question about whether disabling "flash remoting" in CF would affect FusionReactor, it would not. FR does not rely on it or amf for its processing. (And since FR5 a couple of years ago, it has not used Flash for its interface, either, for any who may wonder.)
  21. bobstamp
    [subscribing]
  22. Snake
    does this affect CF9 as well ?
  23. Oliver
    [Subscribed]
  24. Piyush
    Snake,
    Yes, it does. I can share the instructions on how to fix it on CF9 if you write to me at pnayak@adobe.com
  25. Adam Cameron
    Why don't you just post the CF9 instructions here, rather than doing it via email?
  26. snake
    Piyush,
    can you not share the instructions here for the benefit of everyone ?
  27. Peter Boughton
    Thanks Charlie.


    Piyush wrote:
    > I still need to check the details on what that bug [3956389] is about,
    > but it is yet to be fixed. I guess, we'll have to wait for it to be fixed,
    > before we can consider shipping it in an update.

    Or, instead of waiting, the CF team could be proactive about looking at what changed in update 5 and how it might have caused the bug.

    What code was changed to address 3776450 for example?
    Given that was about detecting JAR changes, there's a high likelihood of the changes being related.

    ...
  28. Ron Stewart
    Did the CF10u17 hotfix get pulled for some reason? I updated a pair of my development servers yesterday for testing, and when I tried to update a third this morning, update 17 is no longer showing as available? Looking at the XML file available at the default update URL, it appears that neither of these updates (CF10u17, CF11u6) are listed.
  29. Adam Cameron
    Ron, I can see CF10u17, and am downloading it now... installing... yeah, it ran fine: 10,0,17,295085
  30. Ron Stewart
    @Adam: Thanks. Must be something weird on my end...
  31. David Epler
    These are not the Adobe instructions, but this is how I manually patched ColdFusion 9.0.1 servers I have to deal with.

    http://www.dcepler.net/post.cfm/manually-patching-coldfusion-9-with-apsb15-21-cve-2015-3269
  32. piyush
    Snake,
    I apologize for indicating that the CF9 instructions can be made available by email. We cannot share security related fixes for versions that are out of support. You can reach out to customer support for any guidance or clarifications.

    Matthew,
    you apparently have a custom patch for that bug. I'll check on if you need to reapply it, post update 6, and get back.

    Peter,
    I can see that you've already commented on the fix for 3776450 possibly causing 3956389, in the bug tracker. Thanks for that. I'm sure we'll check out that angle when we work on fixing it.
  33. Piyush
    Matthew,
    When you apply an update, all the content of <cf_root>\cfusion\lib\updates is moved to a back up location at <cf_root>\cfusion\hf-updates, before the new update jar is placed there.
    So you'll need to recopy your custom patch to former directory.
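    A post-install sanity check in the spirit of Piyush's note above and Jörg's version question earlier in the thread, as an added example that is not Adobe's tooling or part of the original post. It assumes the directory layout described in the comments (active jars in cfusion/lib/updates, displaced jars under cfusion/hf-updates) and uses the build numbers quoted in the thread; the custom_3971083.jar file name and the sample tree are constructed.

```python
import os
import re
import tempfile

# Build strings quoted in the thread for the two updates (major -> "major,minor,update,build").
EXPECTED = {"11": "11,0,06,295053", "10": "10,0,17,295085"}
_VER = re.compile(r"^(\d+),(\d+),(\d+),(\d+)$")
_HOTFIX = re.compile(r"^hotfix_\d+\.jar$")  # superseded by cumulative updates, not worth flagging


def parse_cf_version(text):
    """Parse a 'major,minor,update,build' string into ints; None if malformed."""
    m = _VER.match(text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def version_matches_update(reported, major):
    """True when the version the server reports is the build expected for this update."""
    return parse_cf_version(reported) == parse_cf_version(EXPECTED[major])


def displaced_jars(cf_root):
    """Jars the installer moved out of lib/updates into hf-updates that are not
    superseded hotfix jars: typically custom patch jars that must be recopied."""
    active = os.path.join(cf_root, "cfusion", "lib", "updates")
    backup = os.path.join(cf_root, "cfusion", "hf-updates")
    active_jars = set(os.listdir(active)) if os.path.isdir(active) else set()
    moved = set()
    for _dir, _subdirs, files in os.walk(backup):  # yields nothing if backup is absent
        moved.update(f for f in files if f.endswith(".jar") and not _HOTFIX.match(f))
    return sorted(moved - active_jars)


def make_sample_root():
    """Constructed sample tree (assumed layout): hotfix_006.jar is active, the previous
    hotfix jar and a custom patch jar sit only in the backup location."""
    root = tempfile.mkdtemp()
    active = os.path.join(root, "cfusion", "lib", "updates")
    backup = os.path.join(root, "cfusion", "hf-updates", "hf-11-00006")
    os.makedirs(active)
    os.makedirs(backup)
    for d, name in [(active, "hotfix_006.jar"), (backup, "hotfix_005.jar"),
                    (backup, "custom_3971083.jar")]:
        open(os.path.join(d, name), "wb").close()
    return root


if __name__ == "__main__":
    print(version_matches_update("11,0,06,289974", "11"))  # False: the build Jörg reported
    print(displaced_jars(make_sample_root()))  # ['custom_3971083.jar']
```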
  34. Matthew C. Parks
    @Piyush

    I have re-applied the jar received from Bug 3971083 and the issue is side-stepped again with that in <cf_root>\cfusion\lib\updates.

    Just disappointed it was not packaged with update 6 since it was addressed shortly after update 5 was released.

    When a bug is marked fixed, when would one expect the fixed code to make it to an update release?
  35. Peter Boughton
    Matthew, update 6 was a security patch. Having unrelated changes alongside a security patch is a bad thing - putting aside the cumulative nature of u6, Adobe did the right thing in not including other changes.
  36. Mike
    [sub]
  37. Nando
    [subscribe]
  38. Aaron Neff
    Update 5 broke PDFg. See https://bugbase.adobe.com/index.cfm?event=bug&id=4031773

    <cfhtmltopdf source="http://www.google.com" /> throws "No Service manager is available."

    No worries b/c existing <cfdocumentitem type="header|footer"> code can't be upgraded to <cfhtmltopdfitem type="header|footer"> anyways until these are fixed:
    - 3931678
    - 3931673

    Please finish the work on PDFg.

    Thanks!,
    -Aaron
  39. Aaron Neff
    A security hotfix for BlazeDS shouldn't break PDFg.

    Going forward, updates should be module-specific.

    Thanks!,
    -Aaron
  40. Chris
    PDFg service is working fine for me in production with JVM 1.8.0_45 and CF11 update 5. Just patched to update 6 on my dev server and after a few tests things seemed okay but didn't try PDFg. Decided to update to JVM 1.8.0_60 and found that PDFg no longer worked (Add-On service would not start). Just rolled back to JVM 1.8.0_45 and PDFg is working fine again under CF11 update 6. This is with Server 2012R2.
  41. Charlie Arehart
    Chris, I suspect that what's happened to you is what is described here:

    http://www.webtrenches.com/post.cfm/a-java-jvm-update-adventure-coldfusion-won-t-start

    It's a combination of things: if your update to Java also detected an "insecure" version and removed it, it could have removed the JVM built inside CF.

    I suspect you changed CF to use that new JVM, but the underlying PDFG/Add-on service is hardcoded to point to the JVM inside CF, so if you (or anyone) caused that to be deleted, then there is now no JVM for it to find.

    The good news is you can just point the PDFG/Add-on service to the new JVM also. That blog post (among others) explains how to do that: editing its jetty.lax file to point its lax.nl.current.vm entry at the java.exe in the new JVM.

    Let us know if that's the solution, and if so, I hope it may help others reading this. (As you can see, it's not really about update 6. Just coincidental that you made the two changes about the same time. The real problem is just about the JVM and the jetty.lax.)

    Hope that helps.
  42. Chris
    Thanks Charlie, yes, you're correct. The PDFg add-on was pointing to the non-existent 1.8.0_45 JVM after upgrading to _60. Thank you for the tip on the jetty.lax; I now remember editing that so it would use _45 quite a few months ago. Just repointed the CF app and the AddOn service/PDFg to _60 and all is well.
  43. Charlie Arehart
    Very good. And yep, that's another thing folks can now watch out for. :-)
  44. trufer
    I appreciate that Adobe "EAST" keeps patching bugs that they caused by their previous patch. Totally worth the $8500 I was about to send to the DR Congo prince.
  45. Charlie Arehart
    trufer, the update referred to in this blog post (the latest, at this writing) is not a "bug caused by a previous patch". It was a fix to a vulnerability in blaze/lcds.

    And FWIW, that is quite old functionality that I don't think has been updated/patched for quite some time, neither by the recent Adobe CF team nor even the "good ol' 'merican" team, if we're going to be jingoistic about it. (I would not, myself.)
  46. Chris
    Hi, we have installed Update6 on several Win2012 R2 64-bit servers, but one just failed with command-line errors:
    "failed to add duplicate collection element "/jakarta"
    "failed to add duplicate collection element "/CFIDE"

    CF did not appear to be starting, and when browsing, we got this error:
    HTTP Error 500.0 - Internal Server Error. Calling GetFilterVersion on ISAPI filter "F:\CF11\config\wsconfig\1\isapi_redirect.dll" failed.

    Rebuilding the Connector did not help. The old Connectors had to be manually removed.

    Uninstalling Update6 required the manual removal, but CF is still not starting. We get the same HTTP Error 500.0, when browsing either .htm or .cfm files.

    Any ideas? (we've opened an Adobe support case).

    thank you
  47. Adobe
    Thanks for notifying me of a new Adobe update. Thanks.
  48. Chris
    Follow-up to my post of Sep 21, 2015 at 9:10 AM:

    We followed the uninstall instructions for Update6, but it did not fully uninstall and CF would not start.

    We then followed the manual uninstall instructions for Update6, but CF would not start.

    We then replaced the entire installation directory tree with a backup we took before installing Update6, and CF now starts, and correctly shows Update5 as the latest build version.

    We have installed Update6 three times before, all successfully, and confirmed the MD5 signature, so it should not be corrupted.

    regards,
    Chris
  49. Chris
    We tried the installation again, and it worked with no errors. No idea what was different between the bad and the good installations.

    Just be sure to back up all your CF files before you install the Update!

    Regards,
    Chris
  50. Scott Stroz
    Seems the BlazeDS 'update' made it more secure by completely borking the functionality. I have a client app that relies heavily on Blaze and when update 18 was applied, the messaging simply stopped working.

    I am not sure where the problem is... still trying to figure that one out.
