ColdFusion (2021 release) Update 20
Security recommendations
For all security updates, Adobe recommends applying the security configuration settings outlined on the ColdFusion Security page and reviewing the respective Lockdown guides.
Check if you need to create and configure connectors after installing the update. View the section Connector Configuration Table for more information.
The updates below are cumulative and contain all updates from previous ones. If you are skipping updates, you can apply only the latest update rather than each one you skipped. You must, however, take note of any changes introduced in each of the updates you are skipping.
To install previous updates, see ColdFusion (2021 release) updates.
What's new and changed
ColdFusion (2021 release) Update 20 (release date, May 13, 2025) resolves critical and important vulnerabilities that could lead to arbitrary file system reads, arbitrary code execution, privilege escalation, and security feature bypass. It also addresses the PDFg service-related issues from the previous ColdFusion updates.
View the security bulletin, APSB25-52, for more information.
With this update, the serialfilter.txt file present in cfusion/lib will be replaced. So if you already have custom entries added to the file, copy the custom entries from the backup file (cfusion/hf-updates/{version}/backup/lib).
Remote method changes
If a remote method expects certain parameters, those arguments must be explicitly declared using the cfargument tag or defined directly in the function signature. For example, if a remote function is defined to accept two arguments, it must only receive those two. Passing more than the declared number (for example, 10) will result in an error. This change ensures stricter method integrity and a better debugging experience. This behavior change applies only to remote CFC methods.
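The following is an added example, not code from the Adobe page, showing the Update 20 behavior: a remote CFC method declares exactly two arguments, and a caller that sends a third argument is rejected. The component name, argument names, and the server URL are assumptions.

```cfml
// ---- file: Calculator.cfc (constructed example; component and argument names are assumed) ----
component {

    // Exactly two arguments are declared in the function signature.
    // With Update 20, a remote call that carries any argument beyond
    // these two results in an error instead of the extra value being ignored.
    remote numeric function add(required numeric a, required numeric b)
        returnformat="json" {
        return arguments.a + arguments.b;
    }

}

// ---- file: caller.cfm (constructed example; the URL below is assumed) ----
<cfscript>
    base = "http://localhost:8500/Calculator.cfc";

    // Matches the declared signature (a and b only): succeeds and returns 3.
    cfhttp(url="#base#?method=add&a=1&b=2", result="ok");
    writeOutput("declared arguments only: " & ok.filecontent & "<br>");

    // A third argument, c, is not declared on add(). After Update 20 this
    // call fails with an error rather than returning 3; inspect statuscode
    // and filecontent to see the rejection.
    cfhttp(url="#base#?method=add&a=1&b=2&c=3", result="extra");
    writeOutput("extra argument: " & extra.statuscode & "<br>");
</cfscript>
```

Non-remote (public or package) methods are unaffected; only remote CFC methods are subject to the stricter argument matching.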
New JVM flags in this update
- -Dcoldfusion.runtime.remotemethod.matchArguments
- -Dcoldfusion.systemprobe.allowexecution
View JVM arguments in ColdFusion (2023 release) and ColdFusion (2021 release) for more information on the flags.
New Admin API
The function canSystemProbeExecuteFile is introduced as part of the scheduler component (CFIDE.adminapi.scheduler). This function checks if ColdFusion allows executing system probes.
<cfscript>
    // Admin API components normally require an Admin API login first
    // (via cfide.adminapi.administrator); that step is omitted here.
    obj = createObject("component", "cfide.adminapi.scheduler");
    // Call the function (note the parentheses) to get its boolean result.
    writeOutput(obj.canSystemProbeExecuteFile());
</cfscript>
The path provided for executing the program will be validated for alphanumeric, slashes, hyphen, underscore, colon, space and .
Pathfilter changes
The previous update introduced pathfilter.txt in the cfusion/lib folder for bytecode execution prevention. This update replaces pathfilter.txt with pathfilter.json. Note that pathfilter.txt will still be present, but ColdFusion reads the JSON file, not the txt file. The keys in the file represent features such as scheduler, bytecode, and so on.
{
  "comments": "paths should be semi-colon separated. To allow a file: {path-of-file}; To Allow a directory & files in it: {path-to-directory}/*; To Allow a directory & sub-directories: {path-to-directory}/**; To Block a file: !{path-of-file}; To Block a directory & sub-directories: !{path-to-directory}/**; Precedence decreases from left to right. Suppose directory A has directory B & C inside it. To Allow B & Block C: !A/C/*;A/**;",
  "bytecodeexecutionpaths": "",
  "schedulerexecutionpaths": ""
}
If scheduled tasks have the Publish > Save output to a file option enabled in ColdFusion Administrator with a specified file path, the task will no longer function unless that path is explicitly allowed in the schedulerexecutionpaths section of pathfilter.json file located in <cf_home>/lib.
After you've made the changes, restart ColdFusion.
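As an added example (not the file shipped by Adobe), a pathfilter.json that lets scheduled tasks save their output under an assumed /opt/cf/taskoutput directory while keeping its archive subdirectory blocked. Because precedence decreases from left to right, the block rule must come first:

```json
{
  "comments": "Constructed example: /opt/cf/taskoutput is an assumed directory, not one ColdFusion creates. Rules are semicolon separated; precedence decreases from left to right, so the block rule for archive/** is listed before the allow rule for taskoutput/**.",
  "bytecodeexecutionpaths": "",
  "schedulerexecutionpaths": "!/opt/cf/taskoutput/archive/**;/opt/cf/taskoutput/**"
}
```

With this file, a task whose Save output to a file path is /opt/cf/taskoutput/daily.html runs, while one pointing at /opt/cf/taskoutput/archive/old.html is blocked; bytecodeexecutionpaths is left at the shipped default. Restart ColdFusion after editing the file.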
Update to the latest MySQL connector
For security reasons, we highly recommend using the latest MySQL Java connector (version 8.0.15 or later). Earlier versions contain known security vulnerabilities that could put your environment at risk.
For more information on installing the connector, see Configuring the MySQL JDBC driver (MySQL Connector).
Bugs fixed in the update
- When Update 14 is applied to a cluster configuration, the ext folder located at ColdFusion2021\cfusion\jetty\lib is removed and moved to the backup directory. As a result, search collections become inaccessible, and an error message appears.
- Executing the command docker run --rm -it -v ./mywebroot:/app -e acceptEULA=YES adobecoldfusion/coldfusion:latest cli t.cfm on a Docker image causes a Null pointer exception.
- When ColdFusion is installed and multiple instances are created, applying the hotfix by selecting all instances at once completes successfully. However, the hotfix does not deploy certain required files, specifically, the jetty-ipaccess.xml file, into the cfusion/jetty/etc directory as expected. This file was introduced in updates 19 (CF 2021), 13 (CF 2023), and 1 (CF 2025), but was missing in this case.
- An error occurs when registering or unregistering the PDF Service Manager after installing the previous updates. After applying the update and restarting both the ColdFusion and Add-on services, editing the PDFg service in the Administrator causes the PDF engine 1 to behave unexpectedly.
- As part of the PDF-related fixes, specific files under <Jetty-home>/webapps/WEB-INF/classes were supposed to be updated by the hotfix. However, these files were not replaced as expected, which leads to the PDF service being removed when edited via ColdFusion Administrator.
Known issues in the update
- The CAR build fails if the packages folder is not present. As a workaround, create a folder called packages in <cfhome>/cfusion/, if the folder is not already created.
- On non-Windows systems, editing the local PDF service via Administrator > PDF Service results in the service being removed. The IP address 127.0.0.1 is not included in the allowed list within the jetty/etc/jetty-ipaccess.xml file. As a result, the system blocks the local PDF service connection, leading to its deletion when edited. As a workaround, manually add 127.0.0.1 to the allowed list in the jetty-ipaccess.xml file. This allows the PDF service to function correctly when edited from the ColdFusion Administrator.
- Uninstalling ColdFusion 2021 Update 19 may remove the xalan.jar file from C:\ColdFusion2021\cfusion\lib, even though it was not added during the installation of Update 19. As a workaround, manually copy the xalan.jar file from a server running Update 18 to the affected server’s C:\ColdFusion2021\cfusion\lib directory.
ColdFusion JDK flag requirements
COLDFUSION 2021 (version 2021.0.0.323925) and above
For Application Servers
On JEE installations, set the following JVM flag, "-Djdk.serialFilter=!org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**;!com.mysql.cj.jdbc.interceptors.**;!org.apache.commons.collections.**;", in the respective startup file depending on the type of Application Server being used.
For example:
- Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file
- WebLogic Application Server: edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file
- WildFly/EAP Application Server: edit JAVA_OPTS in the ‘standalone.conf’ file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.
Prerequisites
- On 64-bit computers, use 64-bit JRE for 64-bit ColdFusion.
- If the ColdFusion server is behind a proxy, specify the proxy settings for the server to get the update notification and download the updates. Specify proxy settings using the system properties below in the jvm.config for a stand-alone installation, or corresponding script file for JEE installation.
- http.proxyHost
- http.proxyPort
- http.proxyUser
- http.proxyPassword
- For ColdFusion running on JEE application servers, stop all application server instances before installing the update.
Installation
ColdFusion Administrator
In Package Manager > Packages, click Check for Updates in Core Server.
After it detects an update, click Update. The core package gets updated with the latest update.
All installed packages that need an update get updated.
Restart ColdFusion for the changes to take effect.
Install the update in offline mode manually
- Download the hotfix installer from the link.
- Download the packages zip file from this link and extract its contents to a location accessible to all ColdFusion server instances.
- Update "packagesurl" in cfusion/lib/neo_updates.xml of cfusion and all its child instances to point to <InstallerReposityUnzippedPath>/bundles/bundlesdependency.json inside the downloaded folder.
If the core server hotfix installation is successful but there are errors or issues with packages, the packages can be installed or updated from the package manager client (cfusion\bin\cfpm.bat or cfpm.sh).
You must have privileges to start or stop the ColdFusion service and full access to the ColdFusion root directory.
- Windows: <cf_root>\jre\bin\java.exe -jar <InstallerReposityUnzippedPath>\bundles\updateinstallers\hotfix-020-330407.jar
- Linux-based platforms: <cf_root>/jre/bin/java -jar <InstallerReposityUnzippedPath>/bundles/updateinstallers/hotfix-020-330407.jar
Ensure that the JRE bundled with ColdFusion is used for executing the downloaded JAR. For standalone ColdFusion, this is at <cf_root>/jre/bin.
Install the update from a user account with permission to restart ColdFusion services and other configured webservers.
For further details on manually updating the application, see the help article.
If you are on Java 11.0.20 or higher and want to apply the hotfix from the command line, run the installer with the flag: java -Djdk.util.zip.disableZip64ExtraFieldValidation=true -jar hotfix.jar.
However, if you are applying the update from the Administrator, you do not require any flag.
Post installation
After applying this update, the ColdFusion build number should be 2021.0.20.330407.
Uninstallation
To uninstall the update, perform one of the following:
- In ColdFusion Administrator, click Uninstall in Server Update > Updates > Installed Updates.
- Run the uninstaller for the update from the command prompt. For example, java -jar {cf_install_home}/{instance_home}/hf_updates/hf-2021-00020-330407/uninstall/uninstaller.jar
If you can't uninstall the update using the above-mentioned uninstall options, the uninstaller could be corrupted. However, you can manually uninstall the update by doing the following:
- Delete the update jar from {cf_install_home}/{instance_name}/lib/updates.
- Copy all folders from the {cf_install_home}/{instance_name}/hf-updates/{hf-2021-00020-330407}/backup directory to {cf_install_home}/{instance_name}/.
Connector configuration
| 2021 Update | Connector recreation required |
| --- | --- |
| Update 20 | No. However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
| Update 19 | No. However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
| Update 18 | No. However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
| Update 17 | No. However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
| Update 16 | No. However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
| Update 15 | No. However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
| Update 14 | No. However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
| Update 13 | No. However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
| Update 12 | No. However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
| Update 11 | Yes |
| Update 10 | No |
| Update 9 | No |
| Update 8 | No |
| Update 7 | No |
| Update 6 | No |
| Update 5 | No |
| Update 4 | No |
| Update 3 | No. You need not upgrade the connector if you have already upgraded the connector in Update 2. |
| Update 2 | Yes |
| Update 1 | Yes |
Packages updated
| Update | Packages updated |
| --- | --- |
| Update 20 | Yes. The following packages are updated: |
| Update 19 | Yes. The following packages are updated: |
| Update 18 | Yes. The pmtagent package is updated. |
| Update 17 | Yes |
| Update 16 | No |
| Update 15 | No |
| Update 14 | Yes |
| Update 13 | Yes |
| Update 12 | No |
| Update 11 | Yes |
| Update 10 | No |
| Update 9 | No |
| Update 8 | No |
| Update 7 | No |
| Update 6 | Yes |
| Update 5 | Yes |
| Update 4 | Yes |
| Update 3 | Yes |
| Update 2 | Yes |
| Update 1 | Yes |