http://coldfusion.com logo
#adobe
Title
# adobe
m

Mark Takata (Adobe)

05/10/2022, 2:59 PM
***** PLEASE NOTE: Applying these security-only patches will require a re-application of previously installed hot-fixes. Those hot-fixes are moved to a backup directory on your server when the security updates are installed to allow you to re-apply them. This will require a reboot of the CF Server.***** New update from Adobe related to ColdFusion: CF 2021 Server - https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-update-4.html CF 2021 PMT - https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-performance-monitoring-toolset-update-4.html CF 2018 Server - https://helpx.adobe.com/coldfusion/kb/coldfusion-2018-update-14.html CF 2018 PMT - https://helpx.adobe.com/coldfusion/kb/coldfusion-2018-performance-monitoring-toolset-update-5.html Community Blogpost - https://coldfusion.adobe.com/2022/05/coldfusion-2021-and-2018-may-security-updates
👍 3
d

dougcain

05/10/2022, 3:06 PM
Are the updates just library upgrades or are there any bug fixes / speed improvements - not seeing any references to them in the linked pages. Update 3 / 13 had no bug fixes in them as I recall so we should be due a fair few. I know we are waiting on a speed hotfix to be added to the main updates for a start along with the query of query issues from the last update
👆 2
a

aliaspooryorik

05/10/2022, 3:06 PM
Where is jQuery UI used?
t

Tim

05/10/2022, 3:08 PM
CF Admin, at least.
👀 1
r

rstewart

05/10/2022, 3:12 PM
@priyank_adobe In the update information for CF2018u14, in the “Post installation” section, it states “Post installation, you must rebuild or reconfigure your connector.” In the “Connector configuration” table below, however, it indicates that U14 does not require connector recreation. Which is correct?
p

priyank_adobe

05/10/2022, 3:14 PM
If you are upgrading from update 2 then you have to rebuild the connector
If you are updating from update 3 to update 4, it is not required.
f

foundeo

05/10/2022, 3:15 PM
hmm, the category suggests that this is a XSS issue, but the impact says Arbitrary code execution - I am assuming that you mean due to the XSS, but most security people will read that as server side arbitrary code execution (which is of course really bad) not client side (which I presume it actually is, and not nearly as bad)
r

rstewart

05/10/2022, 3:17 PM
@priyank_adobe These are what I am asking about:
p

priyank_adobe

05/10/2022, 3:20 PM
We can correct that statement. Thanks @rstewart
s

saghosh

05/10/2022, 3:22 PM
Sorry again! slipped past everyone. Fixed now.
Please check in a while.
d

dougcain

05/10/2022, 3:25 PM
@priyank_adobe Are you moving to separate security updates? If so what is the plan for Bug fixes / improvements?
p

priyank_adobe

05/10/2022, 3:26 PM
@dougcain That is still in pipeline however we tried to publish only security update this time without any bug fixes. General update will be release soon, we are working on it.
❤️ 1
d

dougcain

05/10/2022, 3:29 PM
@priyank_adobe ok, thats what you did for 3 / 13 with no bug fixes in between - It would be handy if you could include this in the notes so it's clearer that it's security only and I guess there will be a separate bug fix / improvement set of updates "at some stage"
t

Tim

05/10/2022, 3:30 PM
@priyank_adobe also, does that mean that all the out-of-cycle builds for various individual bugs will have to be re-applied, like they were with Update 3?
p

priyank_adobe

05/10/2022, 3:31 PM
That's right @Tim
d

dougcain

05/10/2022, 3:32 PM
Approve of the approach of separating the security updates but the bug fixes etc. need to be managed carefully as we are already juggling 2 hotfix patches which will need re-applying across a bunch of instances after the update, I can see this getting quite messy.
💯 3
👆 1
d

Dave Merrill

05/10/2022, 3:35 PM
What's the best way to get an accurate inventory of exactly what out-of-cycle patches are currently installed?
r

rstewart

05/10/2022, 3:36 PM
… and available?
3
d

Dave Merrill

05/10/2022, 3:43 PM
Are prior out-of-cycle patches "guaranteed" to work with this update, whatever that means? Like, have they been tested with it?
r

rstewart

05/10/2022, 3:43 PM
The “installed” piece is easier: look in `cfusion/lib/updates/`: the JAR for the currently-applied update will be there along with any additional hotfixes. I believe they are also listed on the “Settings Summary” within the CF admin, if you have ready access to that.
c

cfvonner

05/10/2022, 3:47 PM
Also, if you forget what patches were installed, the updater backs them up for you. So go to
cfusion/hf-updates/hf-2018-00014-330003/backup/lib/updates
(or
cfusion/hf-updates/hf-2021-000##-######/backup/lib/updates
) after applying the hotfix and you'll find the previous hotfix as well as any patch jars you had.
1
d

dougcain

05/10/2022, 3:49 PM
this is where scripted builds come in handy - it reminds me how much harder running "standard" installs are - docker / infrastructure as code for the win 🙂
d

Dave Merrill

05/10/2022, 3:51 PM
I do see 42412383 in Update Level in Settings, and in lib/updates, but my questionable memory thought there was more than one installed. I guess not?
r

rstewart

05/10/2022, 3:52 PM
That one (4212383) is the only one I have in place on my CF2018u13 servers at this time.
d

Dave Merrill

05/10/2022, 3:57 PM
I found a message in my notes about an older one re "Datasource Service is unavailable", 4211421, but I think that must be obsolete, don't see signs of it on our production server. I like quick fixes, but I'm not a huge fan of ad hoc patch knitting...
c

cfvonner

05/10/2022, 5:09 PM
I have the 4212383 one on my 2018u13 servers too - it's the patch for Query-of-Query problems I believe.
t

Tim

05/10/2022, 5:10 PM
i've got 4212127, which is the patch for when an encrypted db connection makes cfhttp stop working.
d

Dave Merrill

05/10/2022, 5:31 PM
@cfvonner I got 4212383 from Adobe support in reference to QoQ issues in update 12, but it's not installed now, and I'm not seeing anything happening that makes me think we need it. I asked support if we needed to reapply it after HF 13, but never got an answer. Apologies, a few messages up I already said 4212383 IS installed on our servers.
r

rstewart

05/10/2022, 5:32 PM
My understanding was that Update 13 did require the QoQ hotfix to be reapplied.
1
p

priyank_adobe

05/10/2022, 5:33 PM
It will move all the private patches ex QoQ and CFreport patches to backup folder. You will need to reapply that in updates folder and restart CF.
1
c

cfvonner

05/10/2022, 6:47 PM
@Dave Merrill to my knowledge, the bug addressed by the patch 4212383 has not yet been fixed "officially" by any subsequent hotfixes - hopefully it will be rolled into the next update (2018u15)?
d

Dave Merrill

05/11/2022, 1:55 PM
Does anyone have any thoughts about the best order to do the jdk-11.0.15 update and cf-2018-update-14? Does it matter? Guessing no.
p

priyank_adobe

05/11/2022, 3:30 PM
Dave, there is no order for upgrading the JDK. But it is better to test your application with the JDK you chose to upgrade.
❤️ 1
👍 1
m

mike42780

05/11/2022, 7:34 PM
@Mark Takata (Adobe) I can never get the web based installer to work, for whatever reason. So I have to use the offline mode and install it manually. On https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-update-4.html is the unzip link (under #2) wrong? It's pointing to the Hotfix 002 zip file? It dosen't have the hotfix-004-330004.jar inside of the zip. I downloaded it separately and put it in the right spot under the unzipped folders. After a second try I got it working and upgrade correctly. Just wondering. hotfix 002 and 003 had new file names. Seems odd to use 002 for this one and not 003 or a new 004 name?
d

Dave Merrill

05/13/2022, 6:41 PM
@mike42780 I'm with you, I've found installing on the cmd line to be quite reliable, where the web version in cf admin hasn't been, for me. I haven't explored this one yet though, so I'll be watching this thread for gotchas and oddities.
m

Mark Takata (Adobe)

05/13/2022, 6:47 PM
This is really interesting to hear, as I've had downstream issues when using the CLI occasionally, while the GUI has worked for me regularly with very few problems (except one but it turned out that was just me being a dumdum).
t

Tim

05/13/2022, 7:14 PM
I've never gotten the GUI to work, unless Coldfusion was running as an administrator account. ie, as soon as you follow the lockdown guide, it stops working.
m

mike42780

05/13/2022, 7:25 PM
Right. Following the lockdown guide stopped it from working for me as well. CF isn't running under an admin account. I can download the install from the UI, but as soon as I try to install it I get errors. I forgot the various things I tried to get it to work in the past, but it didn't work in CF 2016. We skipped 2018, and it doesn't work in CF 2021 either. The manual install process got a little trickier in CF 2021 to me. Editing the neo_updates.xml and having the repository files gets trickier. Wish that could be streamlined like it was previously. Just run the java -jar ... command and that would be it.
t

Tim

05/13/2022, 7:48 PM
it doesn't work in CF2018 either. Nor did it work in CF11. I forget if I ever tried it in CF10. And the first couple of CF2021 updates worked in cfpm for me, but 3 and 4 didn't.
cfpm update all
said there were no updates. I think it might be because it started downloading them to
bundles
instead of
hf-updates
.
d

Dave Merrill

05/13/2022, 9:45 PM
Doing it in UI means everything is invisible. It even times out without saying anything. If there's a real-world-adjusted guide to command line install for 2021 I'd appreciate a pointer to it. I'll be doing our first 2021 installs pretty soon.
c

cfvonner

05/16/2022, 3:39 PM
The key to getting the CF Admin GUI updater to work when you've run the lockdown guide is to grant the non-admin user account assigned to the ColdFusion service the permissions to start/stop the service. Here is an Adobe blog post that discusses this in detail: https://coldfusion.adobe.com/2016/05/applying-update-on-a-coldfusion-instance-running-with-a-non-admin-user/. An easier way to actually set the permissions you need is to use this 3rd party tool: https://www.coretechnologies.com/products/ServiceSecurityEditor/ (credit to @carehart or @foundeo who put me on to this tool several years ago).
m

mike42780

05/16/2022, 3:59 PM
@cfvonner I'll have to check this out! Bookmarking this. Thanks.
c

carehart

05/16/2022, 4:08 PM
Yeah, it's an awesome tool for folks on windows, and I've been meaning to do a post on it. Perhaps today's the day! :-)
👍 1
7 Views