# adobe
m
***** PLEASE NOTE: Applying these security-only patches will require a re-application of previously installed hot-fixes. Those hot-fixes are moved to a backup directory on your server when the security updates are installed to allow you to re-apply them. This will require a reboot of the CF Server. *****
New update from Adobe related to ColdFusion:
CF 2021 Server - https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-update-4.html
CF 2021 PMT - https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-performance-monitoring-toolset-update-4.html
CF 2018 Server - https://helpx.adobe.com/coldfusion/kb/coldfusion-2018-update-14.html
CF 2018 PMT - https://helpx.adobe.com/coldfusion/kb/coldfusion-2018-performance-monitoring-toolset-update-5.html
Community Blogpost - https://coldfusion.adobe.com/2022/05/coldfusion-2021-and-2018-may-security-updates
👍 3
d
Are the updates just library upgrades, or are there any bug fixes / speed improvements? Not seeing any references to them in the linked pages. Update 3 / 13 had no bug fixes in them as I recall, so we should be due a fair few. I know we are waiting on a speed hotfix to be added to the main updates for a start, along with the query-of-query issues from the last update.
👆 2
a
Where is jQuery UI used?
t
CF Admin, at least.
👀 1
r
@priyank_adobe In the update information for CF2018u14, in the “Post installation” section, it states “Post installation, you must rebuild or reconfigure your connector.” In the “Connector configuration” table below, however, it indicates that U14 does not require connector recreation. Which is correct?
p
If you are upgrading from update 2, then you have to rebuild the connector.
If you are updating from update 3 to update 4, it is not required.
f
Hmm, the category suggests that this is an XSS issue, but the impact says Arbitrary code execution. I am assuming that you mean due to the XSS, but most security people will read that as server-side arbitrary code execution (which is of course really bad), not client-side (which I presume it actually is, and not nearly as bad).
r
@priyank_adobe These are what I am asking about:
p
We can correct that statement. Thanks @rstewart
s
Sorry again! It slipped past everyone. Fixed now.
Please check in a while.
d
@priyank_adobe Are you moving to separate security updates? If so what is the plan for Bug fixes / improvements?
p
@dougcain That is still in the pipeline; however, we tried to publish only a security update this time without any bug fixes. A general update will be released soon, we are working on it.
❤️ 1
d
@priyank_adobe ok, that's what you did for 3 / 13 with no bug fixes in between. It would be handy if you could include this in the notes so it's clearer that it's security only, and I guess there will be a separate bug fix / improvement set of updates "at some stage".
t
@priyank_adobe also, does that mean that all the out-of-cycle builds for various individual bugs will have to be re-applied, like they were with Update 3?
p
That's right @Tim
d
Approve of the approach of separating the security updates but the bug fixes etc. need to be managed carefully as we are already juggling 2 hotfix patches which will need re-applying across a bunch of instances after the update, I can see this getting quite messy.
💯 3
👆 1
d
What's the best way to get an accurate inventory of exactly what out-of-cycle patches are currently installed?
r
… and available?
✅ 3
d
Are prior out-of-cycle patches "guaranteed" to work with this update, whatever that means? Like, have they been tested with it?
r
The “installed” piece is easier: look in `cfusion/lib/updates/`: the JAR for the currently-applied update will be there along with any additional hotfixes. I believe they are also listed on the “Settings Summary” within the CF admin, if you have ready access to that.
c
Also, if you forget what patches were installed, the updater backs them up for you. So go to `cfusion/hf-updates/hf-2018-00014-330003/backup/lib/updates` (or `cfusion/hf-updates/hf-2021-000##-######/backup/lib/updates`) after applying the hotfix and you'll find the previous hotfix as well as any patch jars you had.
➕ 1
d
This is where scripted builds come in handy. It reminds me how much harder running "standard" installs is. Docker / infrastructure as code for the win 🙂
d
I do see 42412383 in Update Level in Settings, and in lib/updates, but my questionable memory thought there was more than one installed. I guess not?
r
That one (4212383) is the only one I have in place on my CF2018u13 servers at this time.
d
I found a message in my notes about an older one re "Datasource Service is unavailable", 4211421, but I think that must be obsolete, don't see signs of it on our production server. I like quick fixes, but I'm not a huge fan of ad hoc patch knitting...
c
I have the 4212383 one on my 2018u13 servers too - it's the patch for Query-of-Query problems I believe.
t
I've got 4212127, which is the patch for when an encrypted DB connection makes cfhttp stop working.
d
@cfvonner I got 4212383 from Adobe support in reference to QoQ issues in update 12, but it's not installed now, and I'm not seeing anything happening that makes me think we need it. I asked support if we needed to reapply it after HF 13, but never got an answer. Apologies, a few messages up I already said 4212383 IS installed on our servers.
r
My understanding was that Update 13 did require the QoQ hotfix to be reapplied.
➕ 1
p
It will move all the private patches, ex QoQ and CFreport patches, to the backup folder. You will need to reapply those in the updates folder and restart CF.
➕ 1
c
@Dave Merrill to my knowledge, the bug addressed by the patch 4212383 has not yet been fixed "officially" by any subsequent hotfixes - hopefully it will be rolled into the next update (2018u15)?
d
Does anyone have any thoughts about the best order to do the jdk-11.0.15 update and cf-2018-update-14? Does it matter? Guessing no.
p
Dave, there is no order for upgrading the JDK. But it is better to test your application with the JDK you chose to upgrade.
❤️ 1
👍 1
m
@Mark Takata (Adobe) I can never get the web-based installer to work, for whatever reason. So I have to use the offline mode and install it manually. On https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-update-4.html, is the unzip link (under #2) wrong? It's pointing to the Hotfix 002 zip file? It doesn't have the hotfix-004-330004.jar inside of the zip. I downloaded it separately and put it in the right spot under the unzipped folders. After a second try I got it working and upgraded correctly. Just wondering. Hotfix 002 and 003 had new file names. Seems odd to use 002 for this one and not 003 or a new 004 name?
d
@mike42780 I'm with you. I've found installing on the command line to be quite reliable, where the web version in CF Admin hasn't been, for me. I haven't explored this one yet though, so I'll be watching this thread for gotchas and oddities.
m
This is really interesting to hear, as I've had downstream issues when using the CLI occasionally, while the GUI has worked for me regularly with very few problems (except one but it turned out that was just me being a dumdum).
t
I've never gotten the GUI to work unless ColdFusion was running as an administrator account, i.e. as soon as you follow the lockdown guide, it stops working.
m
Right. Following the lockdown guide stopped it from working for me as well. CF isn't running under an admin account. I can download the install from the UI, but as soon as I try to install it I get errors. I forgot the various things I tried to get it to work in the past, but it didn't work in CF 2016. We skipped 2018, and it doesn't work in CF 2021 either. The manual install process got a little trickier in CF 2021 to me. Editing the neo_updates.xml and having the repository files gets trickier. Wish that could be streamlined like it was previously. Just run the java -jar ... command and that would be it.
t
It doesn't work in CF2018 either. Nor did it work in CF11. I forget if I ever tried it in CF10. And the first couple of CF2021 updates worked in cfpm for me, but 3 and 4 didn't. `cfpm update all` said there were no updates. I think it might be because it started downloading them to `bundles` instead of `hf-updates`.
d
Doing it in the UI means everything is invisible. It even times out without saying anything. If there's a real-world-adjusted guide to command-line install for 2021, I'd appreciate a pointer to it. I'll be doing our first 2021 installs pretty soon.
c
The key to getting the CF Admin GUI updater to work when you've run the lockdown guide is to grant the non-admin user account assigned to the ColdFusion service the permissions to start/stop the service. Here is an Adobe blog post that discusses this in detail: https://coldfusion.adobe.com/2016/05/applying-update-on-a-coldfusion-instance-running-with-a-non-admin-user/. An easier way to actually set the permissions you need is to use this 3rd party tool: https://www.coretechnologies.com/products/ServiceSecurityEditor/ (credit to @carehart or @foundeo who put me on to this tool several years ago).
m
@cfvonner I'll have to check this out! Bookmarking this. Thanks.
c
Yeah, it's an awesome tool for folks on Windows, and I've been meaning to do a post on it. Perhaps today's the day! :-)
👍 1