ColdFusion (2023 release) Update 8

Security recommendations

For all security updates, Adobe recommends applying the security configuration settings outlined on the ColdFusion Security page and reviewing the respective Lockdown guides.  

• ColdFusion 2023 Lockdown Guide
• ColdFusion 2021 Lockdown Guide

ColdFusion (2023 release) Update 8 (release date, June 11, 2024) addresses vulnerabilities mentioned in the security bulletin, APSB24-41.

These changes address potential vulnerabilities and threats and are part of our ongoing commitment to protecting your data and privacy.

Significant changes in the release

Change in default algorithm

We will change the default encryption algorithm to enhance the security of your data. The update is a result of a recently identified security vulnerability. Read on to learn more about the change.

Summary of the changes

• The default encryption algorithm in ColdFusion changes from CFMX_COMPAT to another algorithm for seven encryption functions. 
• Use the new JVM argument -Dcoldfusion.encryption.useCFMX_COMPATAsDefault=TRUE to make the change, if you need to use CFMX_COMPAT. By default, the value is False.
• The flag - Dcoldfusion.encryption.useCFMX_COMPATAsDefault will be supported in future security updates for the 2023 and 2021 releases of Adobe ColdFusion.
• However, in the next major release of ColdFusion, we WILL remove the flag.

What is changing

The default encryption algorithm in ColdFusion has changed from CFMX_COMPAT to AES/CBC/PKCS5Padding for the following functions:

• Encrypt
• EncryptBinary
• Decrypt
• DecryptBinary

Additionally, the default encryption algorithm of Hash function has changed from CFMX_COMPAT to SHA-256 hashing algorithm.

The default encryption algorithm for the following Rand* functions has changed from CFMX_COMPAT to SHA1PRNG. 

SHA1PRNG is a random number generator

• Rand
• Randomize
• RandRange

Why is this change important

Our top priority is the security of your data. By adopting a more robust encryption algorithm over a less secure CFMX_COMPAT, we aim to provide stronger protection against emerging security threats.

What if I still want to use CFMX_COMPAT

If you still want to use CFMX_COMPAT, use the new JVM argument, -Dcoldfusion.encryption.useCFMX_COMPATAsDefault=TRUE. This will ensure that the encryption and rand functions default to CFMX_COMPAT.

Adobe recommends that you change the code to use the new default algorithm and use the flag -Dcoldfusion.encryption.useCFMX_COMPATAsDefault temporarily until you make the required changes in the code.

Note that CFMX_COMPAT is still available. However, it is no longer the default algorithm in the encryption functions.

How can I make the changes

To make changes to data that is encrypted and stored using CFMX_COMPAT, follow the steps:

1. Retrieve the passwords.
2. Decrypt using the CFMX_COMPAT algorithm.
3. Encrypt the passwords again with the new algorithm.
4. Store the passwords again.

Create new passwords for users whose passwords are already stored. 

Generate the key

• For the CFMX_COMPAT algorithm, any combination of any number of characters is used as a seed to generate a 32-bit encryption key.
• For all other algorithms, a key in the algorithm's format is used. To generate the key for these algorithms, use the GenerateSecretKey function.

Now, if you'd used CFMX_COMPAT and the key you were using was in a format that won't work for other/new default algorithms, you must create a new key to have it work with the new default algorithm.

How do I know if CFMX_COMPAT algorithm is used in the code

If you haven’t specified any algorithm, check the function, for example, encrypt(myMessage,key), or if you’ve specified CFMX_COMPAT as the default algorithm, the following example function will confirm the same.

encrypt(myMessage,key,'CFMX_COMPAT', 'Base64') 

Does the change in the default algorithm involve any code change

Adobe recommends that you change the code to use the new default algorithm and use the flag -Dcoldfusion.encryption.useCFMX_COMPATAsDefault temporarily until you make the required changes in the code.

Cfdocument access control issues

We've introduced a new JVM flag: Dcfdocument.metahttpequivrefresh.localfile=TRUE. This flag allows you to call the URL or location passed in the HTML meta tag. By default, the value is FALSE.

Any URL passed in the meta tag is, by default, blocked. If you want to use it, use the flag -Dcfdocument.metahttpequivrefresh.localfile=TRUE.

We recommend that the sanity of the URL be done before adding it to the meta tag.

Package updates

The following packages have been updated:

• document
• htmltopdf
• presentation
• pdf
• print
• report
  

Changes to Solr upgrade

If you manually upgraded Solr to version 8.11.2 using the instructions in Upgrade SOLR to mitigate security risks in ColdFusion, then after installing Update 8, SOLR will not downgrade to version 7.9.

Prerequisites

1. On 64-bit computers, use 64-bit JRE for 64-bit ColdFusion.
2. If the ColdFusion server is behind a proxy, specify the proxy settings for the server to get the update notification and download the updates. Specify proxy settings using the system properties below in the jvm.config for a stand-alone installation, or corresponding script file for JEE installation.
   • http.proxyHost
   • http.proxyPort
   • http.proxyUser
   • http.proxyPassword
3. For ColdFusion running on JEE application servers, stop all application server instances before installing the update.

ColdFusion JDK flag requirements

COLDFUSION 2023 (version 2023.0.0.330468) and above

For Application Servers

On JEE installations, set the following JVM flag, "-Djdk.serialFilter=!org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**", in the respective startup file depending on the type of Application Server being used.

For example:   

• Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file   
• WebLogic Application Server:  edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file   
• WildFly/EAP Application Server:  edit JAVA_OPTS in the ‘standalone.conf’ file   

Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.  

Installation

ColdFusion Administrator

In Package Manager > Packages, click Check for Updates in Core Server.

After it detects an update, click Update. The core package gets updated the the latest update.

All installed packages also get updated.

Restart ColdFusion for the changes to take effect.

Install the update in offline mode manually

1. Download the hotfix installer and repository from the link.
2. Unzip to a place where all ColdFusion server instances can access it.
3. Update "packagesurl" in cfusion/lib/neo_updates.xml of cfusion and all its child instances to point to <InstallerReposityUnzippedPath>/bundles/bundlesdependency.json present inside the downloaded folder.

You must have privileges to start or stop ColdFusion service and full access to the ColdFusion root directory.

• Windows: <cf_root>\jre\bin\java.exe -jar <InstallerReposityUnzippedPath>\bundles\updateinstallers\hotfix-008-330668.jar
  
• Linux-based platforms: <cf_root>/jre/bin/java -jar  <InstallerReposityUnzippedPath>/bundles/updateinstallers/hotfix-008-330668.jar

If the core server hotfix installation is successful and if there are errors  or issues with packages, packages can be installed/updated from the package manager client(cfusion\bin\cfpm.bat|cfpm.sh).

Ensure that the JRE bundled with ColdFusion is used for executing the downloaded JAR. For standalone ColdFusion, this must be at, <cf_root>/jre/bin.

Install the update from a user account that has permissions to restart ColdFusion services and other configured webservers .

For further details on manually updating the application, see the help article.

Post installation

Uninstallation

To uninstall the update, perform one of the following:

• In ColdFusion Administrator, click Uninstall in Server Update > Updates > Installed Updates.
• Run the uninstaller for the update from the command prompt. For example, java -jar {cf_install_home}/{instance_home}/hf_updates/hf-2023-00008-330668/uninstall /uninstaller.jar

If you can't uninstall the update using the above-mentioned uninstall options, the uninstaller could be corrupted. However, you can manually uninstall the update by doing the following:

1. Delete the update jar from {cf_install_home}/{instance_name}/lib/updates.
2. Copy all folders from {cf_install_home}/{instance_name}/hf-updates/{hf-2023-00008-330668}/backup directory to {cf_install_home}/{instance_name}/

Connector configuration

Package updates