Pete FreitagLatest ColdFusion Security Updates - October 2024
By Pete Freitag
I am going to attempt to keep this page updated with the latest ColdFusion Security Updates and Hotfixes published by Adobe. This will allow me to update this page as more info becomes available about updates. I will also try to back fill this so it has past info as well.
Latest ColdFusion Update
September 2024 - ColdFusion 2023 Update 11, ColdFusion 2021 Update 17
Release Date: October 15, 2024
This update was not a security hotfix update, although it did update some third party libraries with vulnerabilities (such as netty).
Links & Resources
- CF2023 Update 11 - Adobe KB article for ColdFusion 2023 Update 10
- CF2021 Update 17 - Adobe KB article for ColdFusion 2021 Update 16
- Forum Thread - Adobe ColdFusion forum thread discussing ColdFusion 2023 Update 11 and CF 2021 Update 17.
Latest ColdFusion Security Update
September 2024 - ColdFusion 2023 Security Update 10, ColdFusion 2021 Security Update 16
Release Date: September 10, 2024
Adobe Product Security Bulletin APSB24-71 fixes one critical vulnerability.
Vulnerabilities Fixed
- CVE-2024-41874 - critical (9.8) Deserialization of Untrusted Data vulnerability allowing for arbitrary code execution
Links & Resources
- APSB24-71 - Adobe Product Security Bulletin
- CF2023 Update 10 - Adobe KB article for ColdFusion 2023 Update 10
- CF2021 Update 16 - Adobe KB article for ColdFusion 2021 Update 16
- Forum Thread - Adobe ColdFusion forum thread discussing ColdFusion 2023 Update 10 and CF 2021 Update 16.
Notes / Issues
No updates to connector or packages in this release. Fixed bug CF-4223435 caused by previous update.
Past ColdFusion Security Updates
August 2024 - ColdFusion 2023 Update 9, ColdFusion 2021 Update 15
Release Date: August 20, 2024
This ColdFusion update primarily updated the version of Tomcat from 9.0.85 to 9.0.93.
Links & Resources
- CF2023 Update 10 - Adobe KB article for ColdFusion 2023 Update 9
- CF2023 Update 16 - Adobe KB article for ColdFusion 2021 Update 15
- Issue: Packages Removed - Charlie Arehart discusses the issue of removed packages caused by this update.
- Info: Charlie - Charlie Arehart discusses the details of the update.
Notes / Issues
No connector or package updates in this release.
Bug CF-4223435 removed packages previously installed during the update process (see link above). Fixed CF2023 update 10, CF2021 Update 16.
Latest ColdFusion Security Updates - October 2024 was first published on September 10, 2024.
If you like reading about coldfusion, security, updates, or hotfixes then you might also like:
- Determining Which Cumulative Hotfixes are Installed on ColdFusion
- You May Need to Reapply CF Security Hotfix CVE-2009-1877
- ColdFusion Server Security Scanner
- ColdFusion Summit 2024 Slides: 20 ways to secure CF
The FuseGuard Web Application Firewall for ColdFusion & CFML is a high performance, customizable engine that blocks various attacks against your ColdFusion applications.