Security Updates for ColdFusion 2016 and ColdFusion 11 released

This article announces the release of ColdFusion 2016 Update 6 and ColdFusion 11 Update 14.

These updates –

  • address security vulnerabilities mentioned in the security bulletin APSB18-14,
  • upgrade the Tomcat engines & OpenSSL jars, and
  • contain a few other bug fixes.

ColdFusion 2016 Update 6

ColdFusion 2016 Update 6 addresses the vulnerabilities mentioned in the security bulletin APSB18-14.
It also includes a Tomcat version upgrade to 8.5.28, an OpenSSL upgrade to 1.0.2n, and bug fixes in a few other areas.
For the security fixes to take effect, ColdFusion should be running on JDK 1.8.0_121 or higher. After the update is applied, the build number of ColdFusion 2016 should be 2016.0.06.308055.

For detailed installation instructions and the list of bugs fixed with this update, refer to this technote.

ColdFusion 11 Update 14

ColdFusion 11 Update 14 addresses the vulnerabilities mentioned in the security bulletin APSB18-14.
It also includes a Tomcat version upgrade to 7.0.85, an OpenSSL upgrade to 1.0.2n, and fixes in a few other areas.
For the security fixes to take effect, ColdFusion should be running on JDK 1.7.0_131 or JDK 1.8.0_121 or higher. After the update is applied, the build number of ColdFusion 11 should be 11,0,14,307976.

For detailed installation instructions and the list of bugs fixed with this update, refer to this technote.
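
The build numbers and JDK minimums given in the two sections above can be checked across a server inventory with a short script. This is an added example, not Adobe's code: the host names and the inventory rows are constructed, and the numeric comparison of build numbers and the handling of JDK lines the announcement does not name are assumptions.

```python
import re

# Minimums as stated in the announcement. JDK floors are per release line:
# 1.8.0_101 sorts above 1.7.0_131 but still misses the 1.8 floor of _121.
REQUIREMENTS = {
    "2016": {"build": (2016, 0, 6, 308055), "jdk": {8: 121}},
    "11": {"build": (11, 0, 14, 307976), "jdk": {7: 131, 8: 121}},
}

def parse_build(text):
    """Parse '2016.0.06.308055' or '11,0,14,307976' into a tuple of ints."""
    parts = re.split(r"[.,]", text.strip())
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised build number: {text!r}")
    return tuple(int(p) for p in parts)

def parse_jdk(text):
    """Parse a legacy '1.<line>.0_<update>' string into (line, update)."""
    m = re.fullmatch(r"1\.(\d+)\.0(?:_(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised JDK version: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)

def check(release, build_text, jdk_text):
    """Return a list of findings; an empty list means both minimums are met."""
    req = REQUIREMENTS[release]
    findings = []
    # Assumption: builds compare numerically, field by field.
    if parse_build(build_text) < req["build"]:
        findings.append(f"build {build_text} is older than the update's build")
    line, update = parse_jdk(jdk_text)
    floor = req["jdk"].get(line)
    if floor is None:
        # Assumption: a JDK line the announcement does not name needs review.
        findings.append(f"JDK 1.{line} is not a line the announcement names")
    elif update < floor:
        findings.append(f"JDK {jdk_text} is below 1.{line}.0_{floor}")
    return findings

if __name__ == "__main__":
    # Constructed inventory rows: (host, CF release, build, JDK version).
    inventory = [
        ("cf-a", "2016", "2016.0.06.308055", "1.8.0_121"),
        ("cf-b", "11", "11,0,14,307976", "1.8.0_101"),
        ("cf-c", "11", "11,0,13,300000", "1.7.0_131"),
    ]
    for host, release, build, jdk in inventory:
        print(host, check(release, build, jdk) or "OK")
```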

9 thoughts on “Security Updates for ColdFusion 2016 and ColdFusion 11 released”

  1. Great to see these updates, guys (it’s been a while, since the last in Nov).

    That said, while this blog post says that there was an update to Tomcat (also great to finally see) and openssl, that fact is NOT (currently) indicated in the technote page for this update nor the section of the release notes. Both have indicated that in the past, such as the last time there was a Tomcat update (see https://helpx.adobe.com/coldfusion/kb/coldfusion-2016-update-4.html and https://helpx.adobe.com/coldfusion/release-note/coldfusion-2016-updates-release-notes.html?#WhatsnewandchangedinColdFusion2016releaseUpdate4, and the same for CF11 update 12).

    FWIW, I see that the little bit of text about the update in the CF Admin does ALSO mention that Tomcat will be updated, and again that’s great.

    But some people do rely on the technotes and/or release notes to clarify such things, especially when looking into such things in the future. Hope you can fix that before it gets forgotten about (and that you will confirm here if/when you do). Thanks.
