This article announces the release of updates for ColdFusion 2016, ColdFusion Builder 2016, ColdFusion 11 and ColdFusion 10.

These updates address a common vulnerability mentioned in security bulletin APSB16-22.

ColdFusion 2016 Update 2

ColdFusion 2016 Update 2 fixes an important security issue. It also includes some other important fixes related to Language, Security Analyzer, AJAX, document management, SharePoint, CLI, API Manager and a few other areas.

For details, refer this technote.

ColdFusion Builder 2016 Update 2

ColdFusion Builder 2016 Update 2 (standalone) has been upgraded from Kepler to Mars. It includes important updates to Security Analyzer, a few bug fixes related to performance and other bug fixes. PhoneGap has been upgraded to 5.2.

For details, refer this technote.

ColdFusion 11 Update 9

ColdFusion 11 Update 9 fixes an important vulnerability mentioned in the security bulletin APSB16-22. It also includes a few other fixes.

For details, refer this technote.

ColdFusion 10 Update 20

ColdFusion 10 Update 20 fixes an important vulnerability mentioned in the security bulletin APSB16-22. It also includes a few other fixes

For details, refer this technote.


23 Comments to “Updates for ColdFusion 2016, ColdFusion Builder 2016, ColdFusion 11 and ColdFusion 10 released”

  1. Matthew
  2. Phil
    For ColdFusion 11 Update 9, the technote says "Refer the important notes section to see if the connector needs to be reconfigured after applying this update" but there is not "important notes section".

    Does the connector need to be reconfigured?
  3. Vamsee
    @Phil - The Connecotor need not be reconfigured as there are no connector-specific changes. We will get the tech note discrepancy addressed.
  4. up2date
    Links for APSB16-22 under "ColdFusion 10 Update 20" and "ColdFusion 11 Update 9" refers to APSB16-16...
  5. HariKrishna Kallae
    @up2date - Thanks for pointing it out. Updated the links
  6. Michael Mongeau
    When I log into my CF11 Administrator and go to Server Update / Updates I get an exception.

    The selected type [CFContainerID] was not set via the ESAPI validation configuration

    at cfindex2ecfm479980389._factor0(/CFIDE/administrator/updates/index.cfm:170) at cfindex2ecfm479980389._factor6(/CFIDE/administrator/updates/index.cfm:164) at cfindex2ecfm479980389._factor8(/CFIDE/administrator/updates/index.cfm:52) at cfindex2ecfm479980389._factor9(/CFIDE/administrator/updates/index.cfm:51) at cfindex2ecfm479980389.runPage(/CFIDE/administrator/updates/index.cfm:1)
  7. Michael Mongeau
    Follow-up - restarting the CF Application Service eliminated the exception. Not sure why, but the updater is working now.
  8. Charlie Arehart
  9. Motch Julien

    If you click on the bug Id, it seems to be related to CF11 and not CF10
  10. Vamsee
    @Motch - The bug was fixed for 2016 release and the fix was backported to versions 10.0 and 11.0 too.
  11. Mike Greider
  12. Joe Rybacek
    It looks like parts of this patch are hard coded to assume ColdFusion 11 is installed in the C:\ColdFusion11 on a Windows machine. The variables in .profile seem to be ignored.
  13. Charlie Arehart
    Hey Joe, since this is a post about updaters for all 3 editions, can you clarify: are you saying you're running the updater for CF2016? And are you running it via the CF Admin, or a command-line install? If the latter, did you download the update jar file, and if so, are you positive you pulled down the CF2016 jar file? Of course, the name will indicate it (but it could still happen).

    Assuming you've done all correctly, what leads you to think that vars in .profile are being ignored? (The .profile file is a *nix feature, for Windows users following along.)

    Are you seeing an error in the install log for the CF update? Or did something fail?

    Just trying to help get you to resolution.
  14. Leith
    After updating from CF11 HF7 to CF11 HF9 some of our Access scripts that run as CF Scheduled Tasks started failing. For some reason it is looking for a mdb file that is neither the one specific by the datasource or in a location we defined.

    Error Executing Database Query. [Macromedia][SequeLink JDBC Driver][ODBC Socket][Microsoft][ODBC Microsoft Access Driver] Could not find file 'C:\ColdFusion11\cfusion\db\slserver54\logging\dbo.mdb'.
  15. Joe Rybacek
    I did not give enough information in my last post. I am using ColdFusion 11. Running the hotfix from the command line as Administrator produces this issue:

    Error: Could not find or load main class [Drive Letter]:\ColdFusion11\cfusion\hf-updates\hotfix_009.jar

    The command I ran was:

    [Drive Letter]:\ColdFusion11\jre\bin\java.exe -jar [Drive Letter]:\ColdFusion11\cfusion\hf-updates\hotfix_009.jar -i silent -f [Drive Letter]:\ColdFusion11\cfusion\hf-updates\[Server Name].profile

    I started a forum discussion here:
  16. Joe Rybacek
    I resolved my issue, the .profile file was corrupted. The discussion thread has been updated as well.
  17. charlie arehart
    Joe, thanks for the update.

    BTW, I see now that when you'd been referring to a ".profile" file, you were referring to what's otherwise called the ".properties" file, in the hf-updates folder.

    Your forum thread showed details that would normally be found in a file that (for everyone else) would be named something like I suppose it also lets you call it whatever you want, and fair enough.

    I'm just clarifying why I thought (in my first comment above) that you were perhaps referring to a different .profile file, as one is used for other reasons in *nix.

    Anyway, glad your problem is resolved.
  18. Chewy
    After the admin console install of cf11 hf9 i restarted and all i get are 500 errors on all cf aites.
    I removed the connectors and added them back but still just getting 500 errors.

    The iis logs just say isapi error. Cf log just says null pointer exception.

    Where else can i look?

  19. HariKrishna Kallae
    Can you run cfinfo -version to check, if the update is applied properly and let us know what is the result of it?

    Is it only admin not being served or none of the cfm pages are getting served?

    Can you zip your cfusion/logs and connector logs folders and send it across to hkallaeATadobeDOTcom.

  20. Matthew Reid
    Since upgrading from CF 11 U7 to U9, my Access Databases occasionally peg the CPU to 50% and lock some users out. Indeed, the CF Administrator also cannot validate the connection to one of my two Databases.

    Since swagent.exe was last modified on the date I installed the update, I am worried that something in the update is causing my trouble. Any thoughts?
  21. Chewy
    Hi Guys, for what every reason I never got an email notification that a reply to this post.. anyway, I punted and just did a fresh install. What a pain.. biggest issue was the backup neoxx.xml files were not readable by the new install. Not sure why but after putting them in place and restarting the service, nothing would run http 500 for everything.

    SO I manually rebuilt the config..
    So far so good until today when I noticed that all of my scheduled tasks are running but not firing. What I mean is that I have a task that sends an email, it is not firing but the task is running successfully. The log files produces this:

    "Error","DefaultQuartzScheduler_Worker-1","07/04/16","07:16:57",,"An error occurred while trying to encrypt or decrypt your input string: Given final block not properly padded. "
    44473 coldfusion.runtime.Encryptor$InvalidParamsForEncryptionException: An error occurred while trying to encrypt or decrypt your input string: Given final block not properly padded.
    44474 at coldfusion.runtime.Encryptor.processCipherWork(
    44475 at coldfusion.runtime.Encryptor.decrypt(
    44476 at coldfusion.runtime.Encryptor.decrypt(
    44477 at coldfusion.runtime.Encryptor.decrypt(
    44478 at coldfusion.util.PasswordUtils.decryptWithAES_CBC_PKCS5(
    44479 at coldfusion.util.PasswordUtils.decryptPassword(
    44480 at coldfusion.scheduling.ScheduleTagData.getHttpTag(
    44481 at coldfusion.scheduling.CronTask.execute(
    44482 at

    Not sure whats going on now. Can anyone point me in the right direction?
  22. Chewy
    by the way my scheduled tasks have no password. I was thinking that i could go into each one and set the password to some value and maybe that would stop the error i posted above, but nope same error.
    Crazy thing is the CFAdmin task runner says it succeeded. but the code is never executed.

    Anyway, if anyone can think of something i can try i would really appreciate it.

    Some background:
    Server: windows 2012 64b, 16gb ram. CF11 64b latest download and installed HF9.
    I can post the jvm if needed or post full error logs if needed.

  23. Alex S

Leave a Comment

Leave this field empty: