Careful applying CF11u16, CF2016u8, CF2018u2
Update: Adobe has released CF11 Update 17 and ColdFusion 2016 Update 9 to address problems outlined in this blog entry.
Adobe released new security updates and bug fixes for ColdFusion 11, 2016 and 2018 this week. Normally these things go pretty smooth and any issue introduced by an update is typically minimal, but I can't say that has been the case for this update.
You definitely want to test before applying this update.
Here are the issues I have been tracking:
- Scheduled Tasks Deleted after applying update. Bug CF-4204021, Forums Discussion
- queryExecute Bug - throws exception result of queryExecute is assigned in certain ways. Bug: CF-4204019
- Error in Apache Connector after applying CF2018 update 2. Forum Discussion
- Error manually running hotfix installer when not in Administrator group. CF-4204025 Blog Comment
- ODBC Service fails to start after applying update (this also happened on CF11 update 15 I think). Blog Comment Forum Discussion
- The PDFg service behaves unexpectedly in add-on services for ColdFusion 11 and ColdFusion (2016 release). This is listed as a Known Issue for CF11 update 16 and includes a fix.
- CFPDF Randomly errors with
Opetation could not be completed. Cause: An error occurred while reading source for the cfpdf tag.after installing CF11 update 16. The fix above did not fix this issue. A HackMyCF customer reported this to me, I don't have further info on this one yet.
- Incompatible with Fusion Debug. Reported on Facebook Update: It turns out this may be an issue on all CF2018 versions.
- Query Variable is undefined after running query on CF11 update 16 with an Oracle DB. Forum Post
Incompatible object argument for function call. I don't have a bug number, but apparently Adobe has a fix for this.
- ColdFusion 2016 Update 8 breaks ColdFusion.Ajax.submitForm in IE 11. Bug: CF-4204031
- Mangled characters in CFMail From name. Bug: CF-4204050
- CFquery issue with queries using the cachedWithin attribute in a sandboxed environment. Forum post
- SSL encrypted datasources using a wildcard certificate to MS SQL Server (Connection String = EncryptionMethod=SSL; CryptoProtocolVersion=TLSv1.2; ValidateServerCertificate=0;). The HotFixes include an updated macromedia_drivers.jar file, which causes the issue. (workaround is to copy the backed-up original macromedia_drivers.jar file from the hf-updates directory back into cfusion/lib). Thanks Ben, see comments.
I will update this list if any other issues are found in ColdFusion 2018 Update 2, ColdFusion 2016 Update 8 or ColdFusion 11 Update 16.
Like this? Follow me ↯Tweet Follow @pfreitag
Careful applying CF11u16, CF2016u8, CF2018u2 was first published on February 14, 2019.
If you like reading about adobe, or hotfix then you might also like:
- HackMyCF Updated for APSB11-29 Security Hotfix
- Recent ColdFusion Security Hotfix Updated Today
- Path Traversal Vulnerability Security Hotfix for ColdFusion Released
The FuseGuard Web Application Firewall for ColdFusion & CFML is a high performance, customizable engine that blocks various attacks against your ColdFusion applications.
The weekly newsletter for the CFML Community
There is also an issue in these updates (CF11 U16/17/18 and CF2016 U8/9/10) with SSL encrypted datasources using a wildcard certificate to MS SQL Server (Connection String = EncryptionMethod=SSL; CryptoProtocolVersion=TLSv1.2; ValidateServerCertificate=0;).
The HotFixes include an updated macromedia_drivers.jar file, which causes the issue. The Adobe team are aware and investigating. The official workaround is to copy the backed-up original macromedia_drivers.jar file from the hfudpates directory back into cfusion/lib.
You may want to add this to your list.
I couldn't use the hostNameInCertificate parameter as suggested above. This is because Azure SQL uses a CNAME and then multiple redirects before landing on one of their clustered machines. I had to set hostNameInCertificate to the actual endpoint to get it working. However, that endpoint could change from time to time depending on which back-end server in the cluster we get routed to. Specifying one of the those endpoints in that parameter would amount to a single point of failure on an otherwise redundant setup.
This is incredibly frustrating. Do we have any idea what the critical security issue was, and if there is any workaround for it? i.e. the one last year was to remove the FCKeditor or whatever it was called.
Do we have a simple band-aid fix for the new security issues that we can put on until this patch is reliable?
It appears to be connector related?