Careful applying CF11u16, CF2016u8, CF2018u2
By Pete Freitag
Update: Adobe has released CF11 Update 17 and ColdFusion 2016 Update 9 to address problems outlined in this blog entry.
Adobe released new security updates and bug fixes for ColdFusion 11, 2016 and 2018 this week. Normally these things go pretty smoothly, and any issue introduced by an update is typically minimal, but I can't say that has been the case for this update.
You definitely want to test before applying this update.
Here are the issues I have been tracking:
- Scheduled Tasks Deleted after applying update. Bug CF-4204021, Forums Discussion
- queryExecute bug: throws an exception when the result of queryExecute is assigned in certain ways. Bug: CF-4204019
- Error in Apache Connector after applying CF2018 update 2. Forum Discussion
- Error manually running hotfix installer when not in Administrator group. CF-4204025 Blog Comment
- ODBC Service fails to start after applying update (this also happened on CF11 update 15 I think). Blog Comment Forum Discussion
- The PDFg service behaves unexpectedly in add-on services for ColdFusion 11 and ColdFusion (2016 release). This is listed as a Known Issue for CF11 update 16 and includes a fix.
- CFPDF randomly errors with "Opetation could not be completed. Cause: An error occurred while reading source for the cfpdf tag." after installing CF11 update 16. The fix above did not fix this issue. A HackMyCF customer reported this to me; I don't have further info on this one yet.
- Incompatible with Fusion Debug. Reported on Facebook. Update: It turns out this may be an issue on all CF2018 versions.
- Query Variable is undefined after running query on CF11 update 16 with an Oracle DB. Forum Post
- Error: "Incompatible object argument for function call". I don't have a bug number, but apparently Adobe has a fix for this.
- ColdFusion 2016 Update 8 breaks ColdFusion.Ajax.submitForm in IE 11. Bug: CF-4204031
- Mangled characters in CFMail From name. Bug: CF-4204050
- CFquery issue with queries using the cachedWithin attribute in a sandboxed environment. Forum post
- SSL encrypted datasources using a wildcard certificate to MS SQL Server (Connection String = EncryptionMethod=SSL; CryptoProtocolVersion=TLSv1.2; ValidateServerCertificate=0;). The HotFixes include an updated macromedia_drivers.jar file, which causes the issue. (workaround is to copy the backed-up original macromedia_drivers.jar file from the hf-updates directory back into cfusion/lib). Thanks Ben, see comments.
I will update this list if any other issues are found in ColdFusion 2018 Update 2, ColdFusion 2016 Update 8 or ColdFusion 11 Update 16.
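The macromedia_drivers.jar workaround above is easy to get wrong by hand (copying over the only remaining copy of the hotfix jar, or copying a backup that does not actually differ from the live file). The script below is an added example, not code from this post or from Adobe's hotfix installer. It assumes CFROOT is the ColdFusion instance root (the directory containing lib/ and hf-updates/), and it locates the backed-up original by searching recursively under the named hotfix directory, so the exact backup sub-layout does not have to be known; the hotfix directory name hf-2016-00008 used in the demo is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post): roll the hotfix's macromedia_drivers.jar back
# to the backed-up original, as the workaround describes, without losing the
# hotfix copy.
# Assumptions: $1 is the CF instance root containing lib/ and hf-updates/; the
# hotfix installer left the pre-update jar, under its original name, somewhere
# beneath hf-updates/<hotfix dir>. Pass the FIRST update that shipped the bad
# jar, since a later update's backup would just hold the earlier bad jar.

# Print the path of the backed-up jar under $1/hf-updates/$2 (empty if none).
find_backup_jar() {
    cfroot=$1; hfdir=$2
    find "$cfroot/hf-updates/$hfdir" -type f -name macromedia_drivers.jar 2>/dev/null | head -n 1
}

# Exit 0 if the live jar differs from the backup (the hotfix replaced it),
# 1 if they already match, 2 if no backup could be found.
driver_jar_changed() {
    cfroot=$1; hfdir=$2
    backup=$(find_backup_jar "$cfroot" "$hfdir")
    [ -n "$backup" ] || return 2
    ! cmp -s "$backup" "$cfroot/lib/macromedia_drivers.jar"
}

# Put the original jar back in lib/, keeping the hotfix's jar beside it as
# macromedia_drivers.jar.hotfix so the roll-back can itself be undone.
restore_driver_jar() {
    cfroot=$1; hfdir=$2
    live="$cfroot/lib/macromedia_drivers.jar"
    backup=$(find_backup_jar "$cfroot" "$hfdir")
    if [ -z "$backup" ]; then
        echo "no backed-up macromedia_drivers.jar under $cfroot/hf-updates/$hfdir" >&2
        return 1
    fi
    if cmp -s "$backup" "$live"; then
        echo "live jar already matches $backup; nothing to do"
        return 0
    fi
    cp "$live" "$live.hotfix" && cp "$backup" "$live" || return 1
    echo "restored $backup -> $live (hotfix jar saved as $live.hotfix)"
}

# Stand-alone demo on a constructed tree: the "jars" are plain text files and
# the hf-2016-00008 layout is illustrative, not Adobe's documented layout.
demo_cfroot=$(mktemp -d)
mkdir -p "$demo_cfroot/lib" "$demo_cfroot/hf-updates/hf-2016-00008/backup/lib"
printf 'original driver\n' > "$demo_cfroot/hf-updates/hf-2016-00008/backup/lib/macromedia_drivers.jar"
printf 'hotfix driver\n'   > "$demo_cfroot/lib/macromedia_drivers.jar"
restore_driver_jar "$demo_cfroot" hf-2016-00008
rm -rf "$demo_cfroot"
```

Run it as `sh restore_driver.sh` for the demo, or source it and call `restore_driver_jar /opt/coldfusion2016/cfusion hf-2016-00008` (path and directory name are examples) after stopping the ColdFusion service; the `.hotfix` copy lets you put the updated driver back once Adobe ships a fixed jar.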
Careful applying CF11u16, CF2016u8, CF2018u2 was first published on February 14, 2019.
Comments
There is also an issue in these updates (CF11 U16/17/18 and CF2016 U8/9/10) with SSL encrypted datasources using a wildcard certificate to MS SQL Server (Connection String = EncryptionMethod=SSL; CryptoProtocolVersion=TLSv1.2; ValidateServerCertificate=0;).
The HotFixes include an updated macromedia_drivers.jar file, which causes the issue. The Adobe team are aware and investigating. The official workaround is to copy the backed-up original macromedia_drivers.jar file from the hf-updates directory back into cfusion/lib.
You may want to add this to your list.
EncryptionMethod=SSL;Encrypt=yes;ValidateServerCertificate=false;
I couldn't use the hostNameInCertificate parameter as suggested above. This is because Azure SQL uses a CNAME and then multiple redirects before landing on one of their clustered machines. I had to set hostNameInCertificate to the actual endpoint to get it working. However, that endpoint could change from time to time depending on which back-end server in the cluster we get routed to. Specifying one of those endpoints in that parameter would amount to a single point of failure on an otherwise redundant setup.
This is incredibly frustrating. Do we have any idea what the critical security issue was, and if there is any workaround for it? i.e. the one last year was to remove the FCKeditor or whatever it was called.
Do we have a simple band-aid fix for the new security issues that we can put on until this patch is reliable?
It appears to be connector related?