ColdFusion (2018 release) Update 7 released

December 10, 2019 10:27:53 AM GMT
8 Comments
<p>We are pleased to announce that we have released Update 7 of the 2018 release of ColdFusion. ColdFusion (2018 release) Update 7 addresses the vulnerabilities described in the security bulletin APSB19-58. The update also includes a fix for the ColdFusion Administrator UI. The vulnerability affects the Windows platform only; users on non-Windows platforms need not apply this update. For more information, see the tech note. Please update your ColdFusion versions today, and let us know if you face any issues while installing the updates. […]</p>
<p>The post <a rel="nofollow" href="https://coldfusion.adobe.com/2019/12/coldfusion-2018-release-update-7-released/">ColdFusion (2018 release) Update 7 released</a> appeared first on <a rel="nofollow" href="https://coldfusion.adobe.com">ColdFusion</a>.</p>
Labels: Blog, CF2018 Updates, Updates, cf2018 updates, coldfusion 2018 update 7, coldfusion administrator fix, coldfusion security update, updates

Comments:

Thanks, Saurav. A couple of things are unclear:
<ul>
<li>You have wording here saying this update is only for Windows users. Is that about the admin scroll bar problem?</li>
<li>What about the CVE (security issue)? Is that also Windows only?</li>
<li>Finally, we couldn't answer that on our own because when we look at the security technote it merely mentions being about CVE-2019-8256. But when I google that, I find no results that explain what that is. It seems this CVE number has been "reserved", but there's no info in normal CVE sites about what the issue is. (Be careful trying that search yourself, readers. You may see a result that IS about Windows, but look closely and you'll see that's a 2018 CVE, not 2019.)</li>
</ul>
Again, I'm trying mainly to understand if this update is really only for Windows, and if it's only for the scroll bar issue, or is the CVE about some other security issue (and is that Windows only also)?
Comment by Charlie Arehart
3570 | December 10, 2019 12:43:35 PM GMT
Hi Saurav, I also noticed a couple of notes on the bulletin: "Customers who have followed the lockdown procedures during installation are not impacted by this issue." Is this referring to manual and/or auto lockdown? If so, does the issue only affect Windows users that have not run through one of the lockdowns? I also noticed a JDK requirement - is this new and required for all CF2018 instances?
Comment by DougCain
3573 | December 10, 2019 01:20:21 PM GMT
Charlie, the update primarily fixes a security issue that affects only a Windows-based CF installation. It also contains a fix for the scrollbar issue (which is not platform dependent, of course). You can choose to ignore this update if you're not on Windows; you can always get the fix for the scrollbar with the next update. For the folks following along, the updates page in the CF admin UI had an issue wherein the download and install buttons were not visible in some cases, if the update description was voluminous, as the scroll bar did not render. It only affects you when you are downloading the update.
Comment by PiyushN
3572 | December 10, 2019 02:06:14 PM GMT
It's referring to auto lockdown. For the JDK, we recommend that you are on the latest update.
Comment by SauravGhosh
3571 | December 10, 2019 02:17:21 PM GMT
I was referring to the passage "On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**", in the respective startup file depending on the type of Application Server being used." It lists Tomcat, but it's unclear if this applies to the default deployment of ColdFusion or to a WAR file deployment on one of the separate application servers.
Comment by DougCain
3574 | December 10, 2019 02:32:16 PM GMT
Thanks for the clarifications, Piyush. For any readers who may be interested or want another take on "just who needs the update", I just did a blog post on it: <a href="https://www.carehart.org/blog/client/index.cfm/2019/12/10/CF2018_update_7_do_you_need_it/" rel="nofollow">ColdFusion 2018 update 7 released today...do you 'need' it?</a>
Comment by Charlie Arehart
3575 | December 10, 2019 08:52:33 PM GMT
Doug, as for that JVM flag, if you read to the end of that section in the <a href="https://helpx.adobe.com/security/products/coldfusion/apsb19-58.html" rel="nofollow">security bulletin</a>, you'll see it attempts to clarify things, saying "Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation." Those last two words are meant to tell you that yes, the need to set the flags listed there applies only to deployment of CF as a WAR/EAR file, on one of those "separate application servers" as you put it. I appreciate that the phrase "standalone installation" is not as clear as was felt by the Adobe writer of the first sec bulletin that said this, and all those since, which have followed that model. Saurav, it really would be VERY helpful if you guys would change this to be more clear, better clarifying (at the TOP of that section on the flags in that sec bulletin) how it applies ONLY to EAR/WAR deployments and not to how most CF installs are done. The first example's mention of Tomcat (in that bulletin) only adds to the confusion, since people know that "CF runs on Tomcat" (even in standalone mode). Better still, please ensure that change is carried forward to future security bulletins (and it would be nice if it was changed in the past few, for good measure). Finally, Doug, you say here that your question on the JVM flag is what you were "referring to" above. I don't see that. Your previous comment was about JDK *versions* (and also the question of the lockdown tool). Just felt that should be said, for the sake of consistency. As always, just trying to help (all readers).
Comment by Charlie Arehart
3576 | December 12, 2019 03:33:38 PM GMT
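As an added illustration (not code from the post, the commenters, or Adobe), the following Python models the pattern syntax the JDK documents for java.io.ObjectInputFilter.Config.createFilter, which is what the jdk.serialFilter property discussed in the thread feeds, and evaluates the APSB19-58 value against a few constructed class names. It shows that the value is a denylist (classes outside the three listed packages come back UNDECIDED, not ALLOWED) and that whitespace inside a pattern is significant; limit patterns, module prefixes and array unwrapping are left out of the model.

```python
# Added illustration: a model of the jdk.serialFilter pattern syntax as
# documented for java.io.ObjectInputFilter.Config.createFilter (JEP 290).
# Not the JDK's code. Simplifications: limit patterns (maxdepth= etc.) and
# "module/" prefixes are skipped, and array class names are not unwrapped.

ALLOWED, REJECTED, UNDECIDED = "ALLOWED", "REJECTED", "UNDECIDED"

# Filter value from APSB19-58 as quoted in the comment thread (space removed).
BULLETIN_FILTER = "!org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**"


def _matches(pattern: str, class_name: str) -> bool:
    """Match one class-name pattern the way the JDK documents it."""
    if pattern.endswith(".**"):        # the package and every subpackage
        return class_name.startswith(pattern[:-2])
    if pattern.endswith(".*"):         # the package only, no subpackages
        pkg = pattern[:-1]
        return class_name.startswith(pkg) and "." not in class_name[len(pkg):]
    if pattern.endswith("*"):          # plain prefix match
        return class_name.startswith(pattern[:-1])
    return pattern == class_name       # exact class name


def check_class(filter_string: str, class_name: str) -> str:
    """First matching pattern, left to right, decides; no match is UNDECIDED.

    Whitespace is significant in the JDK's syntax, so nothing is stripped: a
    stray space becomes part of the pattern text and that pattern then matches
    nothing.
    """
    for pattern in filter_string.split(";"):
        if not pattern or "=" in pattern:   # empty or limit pattern: skip here
            continue
        negate = pattern.startswith("!")
        body = pattern[1:] if negate else pattern
        if _matches(body, class_name):
            return REJECTED if negate else ALLOWED
    return UNDECIDED


if __name__ == "__main__":
    # Constructed sample class names: two inside listed packages, one outside.
    for name in ("org.apache.commons.beanutils.BeanUtils",
                 "org.mozilla.javascript.Context",
                 "java.util.HashMap"):
        print(f"{check_class(BULLETIN_FILTER, name):9} {name}")
    # With the leading space kept, " !org.mozilla.**" never matches anything:
    print(check_class(" " + BULLETIN_FILTER, "org.mozilla.javascript.Context"))
```

A quick way to confirm a deployed filter string is actually in effect is to run it through this model with the exact text taken from the startup file, spaces included.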