c
In the 2021 U7 and 2018 U17 Tech Note / KB, it states "We have also updated the lockdown installer for the version in this update. This addresses a security issue. To apply this fix, you should download and install the lockdown installers from Download ColdFusion." We typically apply the lockdowns manually due to the unreliable nature of the automatic lockdown we've found in the past on our particular environments. Can I get a clarification on what the new lockdown installer does differently to "address a security issue"? We would want to apply this manually. The wording seems to imply that fixing this "security issue" is part of the update 7 process for a production server.

REF: https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-update-7.html
REF: https://helpx.adobe.com/coldfusion/kb/coldfusion-2018-update-17.html
c
Chris, FWIW I raised this same question in my blog post today (great minds!). I ask in the post whether the update to the lockdown tool is because it HAS a security issue, or just so that it can somehow ADDRESS a security issue. In either case, those using it should get the refreshed lockdown installer. (A question I forgot to ask is whether someone who HAD run it is somehow expected to RE-RUN it. I just updated my post to add it there.)
d
No word about this from Adobe? @Mark Takata (Adobe)
c
I can confirm I've heard none, separately from this (no one from Adobe ever responds with comments on my blog posts. I don't know if it's a corporate thing or a personal one. I try not to let it bother me, but it is rather sad.) I will add that Mark did kindly quote a paragraph from it in a request to Saurav (in another thread here) asking him to improve some text as I'd proposed in my post...so I've got that going for me, which is nice. 🙂 (Caddyshack reference)
m
@priyank_adobe can you comment here? The directions are unclear and I am not cleared to comment on security matters...
c
Mark, can you comment on my previous reply? Is there some directive explaining what I see? Sincere question, not whining. I'd not thought about it much until today.
m
Charlie, security matters are never discussed publicly on forums. I am literally barred from discussing anything having to do with security unless I have specific, written permission to post certain things. This is not an Adobe thing; this is the way things work in a corporate environment. I learned this the hard way very early on. I do not wish to speak to those folks again in that context if I can help it. Security + legal are the Section 31 of corp. And it is certainly not a personal knock on you or anybody else; you just happen to be one of the most technical folks in the community and post about security a fair bit, hence your observation. BTW, the path to getting permission from the security folks is shorter for Priyank than it is for me, which is why I will often tag him. However, he is usually up to his ears in critical work.
c
Thanks, but I was speaking of all posts on my blog, not just security ones. Still, the clarifications on those may help many readers.
h
I just want to know: "If we used the auto lock-down tool previously, do we need to rerun it again after patching to update 7?"