ColdFusion (2021 release) Update 21
Security recommendations
For all security updates, Adobe recommends applying the security configuration settings outlined on the ColdFusion Security page and reviewing the respective Lockdown guides.
In ColdFusion (2021 release) Update 21, Tomcat has been upgraded from version 9.0.72 to 9.0.106. This upgrade includes important bug fixes, performance improvements, and security enhancements from the Tomcat project.
The updates below are cumulative and contain all updates from previous ones. If you are skipping updates, you can apply the latest update, not those you are skipping. Further, you must take note of any changes that are implemented in each of the updates you are skipping.
To install previous updates, see ColdFusion (2021 release) updates.
What's new and changed
ColdFusion (2021) Update 21 includes important security fixes that mitigate vulnerabilities related to arbitrary file reads, code execution, privilege escalation, and security feature bypass.
The update also upgrades the underlying Tomcat engine to version 9.0.106 and resolves several issues reported in earlier updates.
View the security bulletin, APSB25-69, for more information.
If you have added custom entries to the pathfilter.json file for scheduled task output file allowlisting, you must either:
Back up the pathfilter.json file before applying the update, or
Restore it from the update backup after applying the update.
The backup copy of the file can be found at:
hf-updates\hf-2021-00021-330446\backup\lib\pathfilter.json
New JVM flag in this update
- -Dcoldfusion.xmlrpc.allowExternalEntities
View JVM arguments in ColdFusion (2023 release) for more information on the flags.
OEM upgrades
Library | Older version | Updated version |
Tomcat | 9.0.72 | 9.0.106 |
Apache POI | 3.17, 4.1.2 | 5.4.1 |
Apache XMLBeans | 3.1.0 | 5.3.0 |
Apache Commons IO | 2.7 | 2.19.0 |
Apache Commons Compress | 1.19 | 1.26.2 |
Changes to remote methods
The remote method changes done in the previous update are now limited to remote CFC calls only and do not apply to regular (local) method invocations.
Bug fixes in this update
- The lockdown installer used a ColdFusion component (lockdown.cfc) located in the CFIDE/lockdown directory to complete the setup process. Due to security changes introduced in a previous update, the installer worked unexpectedly if remote methods in the component were blocked during execution.
- In the previous update, using returnformat and queryformat in remote methods resulted in errors due to changes requiring all arguments to be explicitly declared.
- The warning message in log file contains a typo. It says "bytecodeexectuionpaths" instead of "bytecodeexecutionpaths".
- On non-Windows systems, editing the local PDF service from the ColdFusion Administrator removes the service because the IP address 127.0.0.1 is not included in the jetty/etc/jetty-ipaccess.xml allowed list. After installing ColdFusion and applying the latest update, navigating to the PDF Service page and modifying the local configuration results in the service being deleted instead of updated. The expected behavior is for the configuration to be saved without removing the service.
- The CAR (ColdFusion Archive) build process fails if the cfusion/packages directory does not exist, as the CAR file must be placed specifically within this folder. Instead of automatically creating the missing directory, the build terminates with an error. The expected behavior is for the process to create the packages folder if it's not already present.
- In some cases, scheduled tasks are deleted if the "Publish to a log file" option is enabled. The issue occurs after creating a scheduled task with logging enabled and applying the latest update. Even after adding the exception and restarting ColdFusion, the deleted task isn't restored.
- In some cases, you are unable to generate an encrypted PDF. An error "NoClassDefFoundError: org.bouncycastle.asn1.DEREncodable" appears in logs and PDF generation aborts with a Java class‐loading error for BouncyCastle.
- After installing and then uninstalling the last update, the cfspreadsheet function no longer works. The C:\ColdFusion2021\cfusion\lib\xalan.jar was removed during the uninstallation process, even though this JAR file was not added or modified as part of the original installation.
- <cfdocument> failed to embed registered fonts in generated PDF files. Even after registering the fonts, the output PDF defaulted to using MS Mincho, which was not embedded. This resulted in missing text, particularly for languages like Japanese on systems such as Linux that do not include the MS Mincho font. With this fix, registered fonts are now properly embedded in the PDF output.
Known issues in the release
- After installing the previous update and loading a page that relies on ORM, an exception appeared. If the same issue appears after installing update 21, then as a workaround, follow the steps:
- Navigate to the <cfusion>/lib directory and open the exportpackages.txt file.
- Remove the entry javax.persistence from the exportpackages.txt file.
- Save the file.
- Stop the server, clear Felix cache, and restart the server.
- If you are on the latest ColdFusion update and:
- You already have multiple instances configured, and
- You attempt to create a new instance
You may encounter issues with the new or existing instances failing to start correctly. As a workaround, delete the htmltopdf.properties (<cf_home>/cfusion/lib) file for each instance, and restart ColdFusion.
ColdFusion JDK flag requirements
COLDFUSION 2021 (version 2021.0.0.323925) and above
For Application Servers
On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**; !com.mysql.cj.jdbc.interceptors.**;!org.apache.commons.collections.**;", in the respective startup file depending on the type of Application Server being used.
For example:
- Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file
- WebLogic Application Server: edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file
- WildFly/EAP Application Server: edit JAVA_OPTS in the ‘standalone.conf’ file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.
Prerequisites
- On 64-bit computers, use 64-bit JRE for 64-bit ColdFusion.
- If the ColdFusion server is behind a proxy, specify the proxy settings for the server to get the update notification and download the updates. Specify proxy settings using the system properties below in the jvm.config for a stand-alone installation, or corresponding script file for JEE installation.
- http.proxyHost
- http.proxyPort
- http.proxyUser
- http.proxyPassword
- For ColdFusion running on JEE application servers, stop all application server instances before installing the update.
Installation
ColdFusion Administrator
In Package Manager > Packages, click Check for Updates in Core Server.
After it detects an update, click Update. The core package gets updated with the latest update.
All installed packages that needs an update get updated.
Restart ColdFusion for the changes to take effect.
Install the update in offline mode manually
- Download the hotfix installer from the link.
- Download the packages zip file from this link and extract its contents to a location accessible to all ColdFusion server instances.
- Update "packagesurl" in cfusion/lib/neo_updates.xml of cfusion and all its child instances to point to <InstallerReposityUnzippedPath>/bundles/bundlesdependency.json present inside the downloaded folder.
If the core server hotfix installation is successful and if there are errors or issues with packages, packages can be installed/updated from the package manager client(cfusion\bin\cfpm.bat|cfpm.sh).
You must have privileges to start or stop ColdFusion service and full access to the ColdFusion root directory.
- Windows: <cf_root>\jre\bin\java.exe -jar <InstallerReposityUnzippedPath>\bundles\updateinstallers\hotfix-021-330446.jar
- Linux-based platforms: <cf_root>/jre/bin/java -jar <InstallerReposityUnzippedPath>/bundles/updateinstallers/hotfix-021-330446.jar
Ensure that the JRE bundled with ColdFusion is used for executing the downloaded JAR. For standalone ColdFusion, this must be at, <cf_root>/jre/bin.
Install the update from a user account with permission to restart ColdFusion services and other configured webservers.
For further details on manually updating the application, see the help article.
If you are on Java 11.0.20 or higher and want to apply the Hotfix, use the flag java -Djdk.util.zip.disableZip64ExtraFieldValidation=true -jar hotfix.jar.
However, if you are applying the update from the Administrator, you do not require any flag.
Post installation
After applying this update, the ColdFusion build number should be 2021.0.21.330446
Uninstallation
To uninstall the update, perform one of the following:
- In ColdFusion Administrator, click Uninstall in Server Update > Updates > Installed Updates.
- Run the uninstaller for the update from the command prompt. For example, java -jar {cf_install_home}/{instance_home}/hf_updates/hf-2021-00021-330446/uninstall /uninstaller.jar
If you can't uninstall the update using the above-mentioned uninstall options, the uninstaller could be corrupted. However, you can manually uninstall the update by doing the following:
- Delete the update jar from {cf_install_home}/{instance_name}/lib/updates.
- Copy all folders from {cf_install_home}/{instance_name}/hf-updates/{hf-2021-00021-330446}/backup directory to {cf_install_home}/{instance_name}/
Connector configuration
2021 Update | Connector recreation required |
Update 21 | No
However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
Update 20 | No However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
Update 19 | No However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
Update 18 | No However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
Update 17 | No However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
Update 16 | No However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
Update 15 | No However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
Update 14 | No However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
Update 13 | No However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
Update 12 | No However, if upgrading from Update 10 or any previous update, you must recreate the connector. View the following for more information. |
Update 11 | Yes |
Update 10 | No |
Update 9 | No |
Update 8 | No |
Update 7 | No |
Update 6 | No |
Update 5 | No |
Update 4 | No |
Update 3 | No. You need not upgrade the connector if you have already upgraded the connector in Update 2. |
Update 2 | Yes |
Update 1 | Yes |
Packages updated
Update | Packages updated |
Update 21 | Yes The following packages are updated:
|
Update 20 | Yes The following packages are updated:
|
Update 19 | Yes The following packages are updated:
|
Update 18 | Yes The pmtagent package is updated. |
Update 17 | Yes |
Update 16 | No |
Update 15 | No |
Update 14 | Yes |
Update 13 | Yes |
Update 12 | No |
Update 11 | Yes |
Update 10 | No |
Update 9 | No |
Update 8 | No |
Update 7 | No |
Update 6 | Yes |
Update 5 | Yes |
Update 4 | Yes |
Update 3 | Yes |
Update 2 | Yes |
Update 1 | Yes |