Channels
adobe
advent-of-code
auwcl
aws
books
bot-dev
box-products
cfeclipse
cfkrauts
cflint
cfml-beginners
cfml-general
cfml-tuning
cfsummit2022
cfwheels
ci
community_courses
css
devops-general
docker
docker-commandbox
documentation
events
friday-puzzle
fusion-reactor
fw1
ide
java-and-jvm
javascript
jobs
jobs-non-us
linen-dev
lucee
masacms
meta
migrations
mura
music
nosql
object-oriented
orm
perf-monitor
prog-general
slack-help
sql
taffy
testing
version-control
vuejs
water-cooler
Title
m
Mark Takata (Adobe)
03/14/2023, 3:47 PMANNOUNCEMENT: CF2021 & CF2018 Security Updates
https://community.adobe.com/t5/coldfusion-discussions/released-coldfusion-2021-and-2018-march-2023-security-updates/td-p/13649873
a
Adam Cameron
03/14/2023, 4:06 PMGood to see cfclient getting a mention in there.
m
Mark Takata (Adobe)
03/14/2023, 4:28 PMCFclienting it up in here
🍻 1
a
Adam Cameron
03/14/2023, 5:30 PMpina coladas in one thread, cfclient in this thread. If this doesn't say party, I don't know what does.
👍 1
g
Gareth
03/14/2023, 10:56 PM@Mark Takata (Adobe) do you know if its possible to avoid having to apply this update if we simply add -Dcoldfusion.cfclient.enable=false to the jvm config ?
also, is there more information you can provide on what has changed ? what if we’re intentionally reading files within the system ? are there new sandbox limitations ?
m
Mark Takata (Adobe)
03/14/2023, 11:05 PMGareth, I am unable to comment directly on this (security stuff, etc), but please email cfsup@adobe.com with this question and they will direct you to someone who can hopefully help you with your direct inquiry. Also, while he does not represent Adobe, I would also suggest you note Charlie's comment here: https://coldfusion.adobe.com/2023/03/released-coldfusion-2021-and-2018-march-2023-security-updates/ (scroll to the comments).
@priyank_adobe @sandip_halder is there a more direct email address for folks who have inquires of this type that are security related in this matter?
g
gamesover
03/15/2023, 1:14 AMDoes the CF2021u6 update work? Has anyone installed it without complications?
I'm asking because I haven't yet and the only comment (beyond Charlie's) is that someone was surprised by a new requirement to install the administrator package via the CLI package manager (from 15 minutes ago).
UPDATE: We updated via web portal UI and updates went without incident. (Phew!)
g
Gareth
03/15/2023, 2:03 AM@Mark Takata (Adobe) a call from our enterprise account manager might be nice…
p
priyank_adobe
03/15/2023, 6:44 AM@Gareth Unfortunately, we cannot share what has changed as it is a security update. You have to apply the update along with jvm flags, we cannot skip that.
d
Dan Roberts
03/16/2023, 4:47 PMdo the steps/settings in the lockdown guide disallow the related attacks from being successful?