ColdFusion (2016 release) Update 10

Note:

The update is cumulative and contains all previous updates applied to ColdFusion (2016 release).

Updates in this release

ColdFusion (2016 release) Update 10 (release date, 01 March 2019) includes the following changes:

  • Addresses security vulnerabilities mentioned in the security bulletin APSB19-14.
  • In the ColdFusion Administrator, in Server Settings > Settings, there are is an option Blocked file extensions for CFFile uploads.  By default, the following extensions are blocked. For more information, see Server Settings
    • AS
    • ASP
    • ASPX
    • BIN
    • CFC
    • CFM
    • CFML
    • CFR
    • CFSWF
    • DMG
    • EXE
    • HBXML
    • JSP
    • JSPX
    • JWS
    • MXML
    • PHP
    • SWC
    • SWS
  • A new application setting blockedExtForFileUpload. For more information, see Application variables.
  • The Admin API, setRuntimeProperty has a new property, BlockedExtForFileUpload. The values are a comma-separated list of file extensions to restrict file uploading of the appropriate files. For example,
<cfscript>
    runtime = createObject("component", "CFIDE.adminapi.runtime");
    runtime.setRuntimeProperty("BlockedExtForFileUpload","CFM,CFC,ASP, JSP");
</cfscript>

Note:

For the security fixes to take effect, ColdFusion must be on JDK 1.8.0_121 or higher.

Note:

To view all ColdFusion (2016 release) updates, see the Updates page.

Known issues

Issue #1

There is an error on Server Settings > Security section if you log in as a non-Admin ColdFusion user.

Issue #2

ColdFusion (2016 release) ODBC Server service does not start in some cases if the file msvcr100.dll is missing.

Workaround

Copy the file msvcr100.dll from the backup folder CF_HOME/cfusion/hf-updates/<update folder>/backup/db/slserver54/bin to:

  1. [CF_HOME]\cfusion\db\slserver54\bin
  2. [CF_HOME]\cfusion\db\slserver54\admin

If the file does not exist in the backup, download the file and copy it to the locations mentioned above.

Prerequisites

  1. On 64-bit computer, use 32-bit JRE for 32-bit ColdFusion and 64-bit JRE for 64-bit ColdFusion.
  2. If the ColdFusion server is behind a proxy, specify the proxy settings for the server to get the update notification and download the updates. Specify proxy settings using the system properties below in the jvm.config for a stand-alone installation, or corresponding script file for JEE installation.
    • http.proxyHost
    • http.proxyPort
    • http.proxyUser
    • http.proxyPassword
  3. For ColdFusion running on JEE application servers, stop all application server instances before installing the update.

Installation

For instructions on how to install this update, see Server Update section. For any questions related to updates, see this FAQ

  • The update can be installed from the Administrator of a ColdFusion instance or through the command-line option.
  • Windows users can launch the ColdFusion Administrator using Start > All Programs > Adobe > Coldfusion 2016 > Administrator.
  • Microsoft Windows 7, Windows 8, Windows 10, Windows Server 2008, and Windows Server 2012 users must use the “Run as Administrator” option to launch wsconfig tool at {cf_install_home}/{instance_name}/runtime/bin.
  • If you get the following error when installing the update using the Download and Install option, ensure that the folder {cf_install_home}/{instance_name}/hf_updates has write permission: "An error occurred when performing a file operation write on file {cf_install_home}/{instance_name}/hf-updates/hotfix_010.properties".
  • The connector configuration files are backed up at {cf_install_home}/config/wsconfig/backup. Add back any custom changes made to the worker.properties file after reconfiguring the connector.

Installing the update manually

  1. Click the link to download the JAR.
  2. Execute the following command on the downloaded JAR. You must have privileges to start or stop ColdFusion service and full access to the ColdFusion root directory.

    Windows: <cf_root>/jre/bin/java.exe -jar <jar-file-dir>/hotfix-010-314028.jar

    Linux-based platforms: <cf_root>/jre/bin/java -jar <jar-file-dir>/hotfix-010-314028.jar

Ensure that the JRE bundled with ColdFusion is used for executing the downloaded JAR. For standalone ColdFusion, this must be at, <cf_root>/jre/bin.

Install the update from a user account that has permissions to restart ColdFusion services and other configured webservers.

For further details on how to manually update the application, see the help article.

Post installation

After applying this update, the ColdFusion build number should be 2016,0,10,314028.

Uninstallation

To uninstall the update, perform one of the following:

  • In ColdFusion Administrator, click Uninstall in Server Update Updates Installed Updates.
  • Run the uninstaller for the update from the command prompt. For example, java -jar {cf_install_home}/{instance_home}/hf_updates/hf-2016-00010-314028/uninstall /uninstaller.jar

If you can't uninstall the update using the above-mentioned uninstall options, the uninstaller could be corrupted. However, you can manually uninstall the update by doing the following:

  1. Delete the update jar from {cf_install_home}/{instance_name}/lib/updates.
  2. Copy all folders from {cf_install_home}/{instance_name}/hf-updates/{hf-2016-00010-314028}/backup directory to {cf_install_home}/{instance_name}/

Connector configuration

2016 Update Connector recreation required
Update 10 * No
Update 9 No
Update 8 Yes
Update 7 No
Update 6 No
Update 5 No
Update 4 No
Update 3 Yes
Update 2 No
Update 1 No

* If you have already reconfigured your connector after upgrading to Update 9, then you can skip reconfiguring the connector in Update 10.

However, if you are upgrading to Update 10 from any other update except Update 9, you must reconfigure the connector.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.

Legal Notices   |   Online Privacy Policy