ColdFusion (2018 release) Update 3, ColdFusion (2016 release) Update 10, and ColdFusion 11 Update 18 released

March 01, 2019 05:58:52 PM GMT
17 Comments
We are pleased to announce that we have released the updates for the following ColdFusion versions:
ColdFusion (2018 release) Update 3
ColdFusion (2016 release) Update 10
ColdFusion 11 Update 18

The following are links to the tech notes for each update:
ColdFusion (2018 release) Update 3
ColdFusion (2016 release) Update 10
ColdFusion 11 Update 18

The releases address security vulnerabilities, which are documented in the bulletin APSB19-14. In these updates, we have also introduced the following: A new application setting blockedExtForFileUpload to specify […]
The post "ColdFusion (2018 release) Update 3, ColdFusion (2016 release) Update 10, and ColdFusion 11 Update 18 released" (https://coldfusion.adobe.com/2019/03/coldfusion-2018-release-update-3-coldfusion-2016-release-update-10-coldfusion-11-update-18-released/) appeared first on ColdFusion (https://coldfusion.adobe.com).
Labels: Adobe ColdFusion 11, Adobe ColdFusion 2016, Adobe ColdFusion 2018, coldfusion 11 update 18, ColdFusion 11 updates, coldfusion 2016 update 10, ColdFusion 2016 updates, coldfusion 2018 update 3, ColdFusion 2018 updates, ColdFusion security updates

Comments:

The technote links for CF2016 and CF11 are pointing to the previous updates (9 and 17 respectively).
Comment by Carl Von Stetten
1819 | March 01, 2019 06:34:23 PM GMT
Thanks for reporting that, Carl. The technote for CF2016 is fixed. Looks like CF11 technote was correct.
Comment by PiyushN
1820 | March 01, 2019 07:17:42 PM GMT
This CFMail bug was added in CF2016 U8/9, reported and immediately flagged to be fixed in update 10. https://tracker.adobe.com/#/view/CF-4204050 I just tested after upgrading to 2016.0.10.314028 and verified that it is NOT fixed.
Comment by James Moberg
1821 | March 01, 2019 10:37:31 PM GMT
According to this post, this update appears to be an urgent patch for ColdFusion 11, 2016 & 2018. https://threatpost.com/adobe-patches-critical-coldfusion-vulnerability-with-active-exploit/142391/ How come this isn't stated in this blog post? It starts out with "we are pleased to announce", but fails to mention that it fixes a critical vulnerability and that existing exploits are already being used.
Comment by James Moberg
1822 | March 01, 2019 11:02:36 PM GMT
A blacklist for file extensions is better than nothing and is appreciated. Please add an option that lets us specify a whitelist for file extensions.
Comment by Vincent Krist
1823 | March 01, 2019 11:29:11 PM GMT
James, This was an unplanned time-critical update intended exclusively to address a critical vulnerability that was brought to our attention. That and other bugs with the same release timeline will be re-targeted for the next update.
Comment by PiyushN
1824 | March 02, 2019 07:36:01 AM GMT
Please have a look at my comment concerning "No EURO symbol (€) in Report Builder generated PDF files in ColdFusion 2016 U-9" under: https://coldfusion.adobe.com/2019/02/coldfusion-2016-release-update-9-coldfusion-11-update-17-released/#comment-29703 Maybe someone has an idea where the error could be?! We've also raised a bug with more details and files under: https://tracker.adobe.com/#/view/CF-4204059
Comment by KnuBew
1829 | March 03, 2019 01:09:37 PM GMT
What file extensions should we setup to block or does the extension default to already block certain extensions.
Comment by cinemaApe
1846 | March 04, 2019 06:07:03 PM GMT
Hello, the checksum is not correct via https://helpx.adobe.com/coldfusion/kb/coldfusion-11-updates.html (489fdb288d73136b50d5f27993c981fa). It's not the same as in https://cfdownload.adobe.com/pub/adobe/coldfusion/xml/updates.xml (8270f3d08054e87fb24d4dad7c0cacda). We are talking about (security) patching; you should really improve your internal check.
Comment by julien m
1853 | March 05, 2019 10:18:55 AM GMT
Thank you julien m (https://coldfusion.adobe.com/profile/motchjulien) for flagging this. We have fixed the error. Thank you. -Saurav
Comment by SauravGhosh
1854 | March 05, 2019 11:30:06 AM GMT
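The check a practitioner would want behind Julien's report above, as an added example that is not part of the post or of Adobe's update tooling: compute the MD5 of a downloaded hotfix jar and compare it with the digest published in the tech note (or in updates.xml) before installing it, so a mismatch between the two published values, or a corrupted download, is caught up front. The jar path and the expected digest are placeholders, and the example assumes hash() accepts the binary returned by fileReadBinary().

```cfml
<cfscript>
// Compare a downloaded hotfix jar's MD5 against the digest published for it.
// Returns true only when the two digests match; it never installs anything itself.
function verifyHotfixChecksum(required string jarPath, required string expectedMD5) {
    if (!fileExists(arguments.jarPath)) {
        throw(message="Hotfix not found: #arguments.jarPath#");
    }
    // Assumption: hash() accepts the binary that fileReadBinary() returns.
    var actualMD5 = lCase(hash(fileReadBinary(arguments.jarPath), "MD5"));
    return actualMD5 == lCase(trim(arguments.expectedMD5));
}

// Placeholders: copy the digest from the tech note for the update you downloaded,
// and point jarPath at the file the update installer actually saved.
jarPath     = "/opt/coldfusion/cfusion/hf-updates/hotfix-PLACEHOLDER.jar";
expectedMD5 = "MD5_FROM_TECH_NOTE";

if (verifyHotfixChecksum(jarPath, expectedMD5)) {
    writeOutput("Checksum matches the published value; proceed with the update.");
} else {
    writeOutput("Checksum mismatch: do not apply this hotfix until the source is confirmed.");
}
</cfscript>
```

Compare against the digest published alongside the same download you used; when two Adobe pages disagree, as in Julien's case, treat the update as unverified until Adobe confirms which value is right.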
The list of extensions is offered in both the update technote (for each version) and the admin docs for the new setting, which each technote points to.
Comment by Charlie Arehart
1855 | March 05, 2019 12:22:21 PM GMT
Vincent, you can, in the ACCEPT attribute of cffile. Another benefit of this fix (it seems, though not stated) is that that's now honored even if the associated STRICT attribute is set to (or is left to default to) true. Before the update, strangely, any extensions there were ignored if true. That seems confirmed by the new wording added about the strict attribute, though I will raise a concern with them separately about some info missing in the update of that text. But Saurav, the technote (and blog post) ought to indicate that as another important change/benefit of this update.
Comment by Charlie Arehart
1857 | March 05, 2019 12:43:16 PM GMT
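The upload hardening discussed in the post and in Charlie's comment above, as an added example that is not code from the post or from Adobe: an Application.cfc that sets blockedExtForFileUpload, and an upload handler that combines cffile's ACCEPT and STRICT attributes with an explicit extension allowlist, which is the whitelist Vincent asked for. The setting name comes from the post; the this.-scoped form in Application.cfc, the extension lists, the form field name, the destination path, and the behaviour relied on (cffile throwing on a disallowed upload, and ACCEPT extensions being honoured with STRICT true as Charlie describes) are assumptions.

```cfml
<!--- Application.cfc: per-application blocklist for cffile uploads.
      The setting name is from the post; the extension list is an illustrative
      assumption, not the product's documented default. --->
<cfcomponent>
    <cfset this.name = "uploadHardeningDemo">
    <cfset this.blockedExtForFileUpload = "exe,dll,bat,cmd,sh,jsp,cfm,cfc,cfml,cfr,php,asp,aspx">
</cfcomponent>

<!--- upload.cfm: accept only image extensions, then re-check the stored file.
      Field name, destination and the allowlist are assumptions. --->
<cfset allowedExt = "jpg,jpeg,png,gif">
<!--- Assumed layout: the uploads directory sits one level above the web root --->
<cfset uploadDir = expandPath("../uploads/")>
<cfif NOT directoryExists(uploadDir)>
    <cfset directoryCreate(uploadDir)>
</cfif>

<cftry>
    <!--- With ACCEPT listing extensions and STRICT true, the update honours the
          extension check (Charlie's observation); a disallowed file throws. --->
    <cffile action="upload"
            fileField="userFile"
            destination="#uploadDir#"
            nameConflict="makeunique"
            accept=".jpg,.jpeg,.png,.gif"
            strict="true">

    <!--- Defence in depth: verify the extension CF actually stored against the
          allowlist and remove the file if it does not match. --->
    <cfif NOT listFindNoCase(allowedExt, cffile.serverFileExt)>
        <cfset fileDelete(uploadDir & cffile.serverFile)>
        <cfthrow message="Rejected upload with extension '#cffile.serverFileExt#'">
    </cfif>

    <cfoutput>Stored #encodeForHTML(cffile.serverFile)#</cfoutput>

    <cfcatch type="any">
        <!--- Log the detail server-side; show the user only a generic message --->
        <cflog file="uploads" type="warning" text="Upload rejected: #cfcatch.message#">
        <cfoutput>Upload rejected.</cfoutput>
    </cfcatch>
</cftry>
```

The blocklist setting is the safety net for every cffile upload in the application; the allowlist in the handler is what actually bounds what a given form may accept, and the post-upload check on cffile.serverFileExt catches anything that slips past either attribute.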
Good point, James. I suspect Saurav simply reused the wording from previous update posts. Indeed, it's been quite a while (Jan 2013, I think) since an update was released that was such an emergency (or what some may call a zero-day) update, which seems pretty impressive as its own point. Still, you make a good suggestion.
Comment by Charlie Arehart
1856 | March 05, 2019 12:49:02 PM GMT
Be aware CF11 hf 16 (up to and including hf 18) break URLEncodedFormat and builtin encoding such as in cfhttpparam, because it refuses to double encode anything. This will likely break things passing a previously encoded value. (I first noticed the problem as an oauth signature calculated over a return URL failed.) I found an existing bug report: https://tracker.adobe.com/#/view/CF-4204045
Comment by NetbasicsNL
1873 | March 06, 2019 07:23:37 PM GMT
SauravGhosh (https://coldfusion.adobe.com/profile/SauravGhosh) – when you guys add security features like this in an update are you also updating the Server Auto-Lockdown installer to include them? (I realize this only applies to ColdFusion 2018)
Comment by Miguel Fernandez
1943 | March 25, 2019 06:18:42 PM GMT
Miguel, I realize you are asking Adobe, but since it's been a day, I'll say that the answer seems "yes and no". First, the tool does offer to update CF to the latest available update, so from that perspective, yes the tool is "updated to include" the new security features. But if you meant, "does the tool implement the new security features even if someone does NOT apply the latest update", then no it does not itself implement the features.
Comment by Charlie Arehart
1944 | March 27, 2019 02:49:16 AM GMT
Thanks for providing this detailed info about ColdFusion, I had no idea about this update, but this post helped me understand this topic. I will definitely share this info with my best buy geek squad tech support (https://www.geektech.support/best-buy-geek-squad-tech-support/) team.
Comment by geeksquad943
3539 | November 15, 2019 06:14:07 AM GMT