ANNOUNCEMENT: CF2021 & CF2018 Security Updates https://community.adobe.com/t5/coldfusion-discussions/released-coldfusion-2021-and-2018-march-2023-security-updates/td-p/13649873

Good to see cfclient getting a mention in there.

CFclienting it up in here

pina coladas in one thread, cfclient in this thread. If this doesn't say party, I don't know what does.

@Mark Takata (Adobe) do you know if its possible to avoid having to apply this update if we simply add -Dcoldfusion.cfclient.enable=false to the jvm config ?

Gareth, I am unable to comment directly on this (security stuff, etc), but please email cfsup@adobe.com with this question and they will direct you to someone who can hopefully help you with your direct inquiry. Also, while he does not represent Adobe, I would also suggest you note Charlie's comment here: https://coldfusion.adobe.com/2023/03/released-coldfusion-2021-and-2018-march-2023-security-updates/ (scroll to the comments).

Does the CF2021u6 update work? Has anyone installed it without complications? I'm asking because I haven't yet and the only comment (beyond Charlie's) is that someone was surprised by a new requirement to install the administrator package via the CLI package manager (from 15 minutes ago).

@Mark Takata (Adobe) a call from our enterprise account manager might be nice…

@Gareth Unfortunately, we cannot share what has changed as it is a security update. You have to apply the update along with jvm flags, we cannot skip that.

do the steps/settings in the lockdown guide disallow the related attacks from being successful?