ColdFusion (2016 release) Update 15
If you are applying Update 15 without applying Update 14, follow the Post Installation steps mentioned for Update 14.
Note: If you are already on Update 14, you can install Update 15 without any intermediate procedure.
If you are updating via ColdFusion Administrator:
The minimum update versions are Update 11 and higher for ColdFusion (2016 release), due to a recent change in code signing certificate.
The updates below are cumulative and contains all updates from previous ones. If you are skipping updates, you can apply the latest update, not those you are skipping. Further, you must take note of any changes that are implemented in each of the updates you are skipping.
To install previous updates, see ColdFusion (2016 release) Updates.
ColdFusion (2016 release) Update 15 (release date, 14 April, 2020) includes fixes for the the security vulnerabilities that were reported in APSB20-18.
The SameSite attribute allows you to declare whether your cookies must be restricted to first-party.
In Google Chrome, Update 80 defaults all cookies to first-party, if the cookies do not have the SameSite attribute defined. Previously, if SameSite wasn’t set, it defaulted to none, which enabled third-party sharing by default.
The cfcookie tag has a new attribute, sameSite.
The SameSite attribute supports these values:
1. CFCookie
<cfcookie name="name" value="value" samesite="Strict | Lax | None">
2. Auth cookie / Session Cookie (CFID, CFTOKEN)
<cfset cookstruct = {samesite: "Lax"}
<cfapplication authCookie=cookstruct sessioncookie=cookstruct >
Usage- Application.cfc
In this update, the following flags have been added.
this.sessioncookie.samesite = "Strict | Lax | None"
this.authcookie.samesite= "Strict | Lax | None"
Example
component {
this.name = "MyApp";
this.sessioncookie.samesite = "Strict";
this.authcookie.samesite = "Lax";
this.sessionmanagement = true;
}
Example- Test.cfm
<cflogin>
<cfloginuser name="john" password="pwd" roles="" />
</cflogin>
Usage- cfapplication tag
<cfset cookiest = {httponly='true', timeout=createTimeSpan(1, 0, 0, 0), samesite='Strict | Lax | None'}>
<cfset authcookiest = {samesite='Strict | Lax | None'}>
<cfapplication name="newApp" sessionmanagement="Yes" authCookie=#authcookiest# sessioncookie=#cookiest# >
Note: If the SameSite attribute is missing in cfapplication tag or Application.cfc, rthe espective session/auth cookies will take the server level SameSite attribute, which can be configured in ColdFusion administrator under the Memory Variables section.
In Update 15 of the 2016 release of ColdFusion, the sameSite attribute may or may not work out of the box as expected for various application servers. You must refer to your application server's documentation for more details.
There are, however, workarounds, but you must see the official docs of the application server.
EAP/Wildfly
There are a couple of workarounds:
For more information, see Configuring SameSite flag on JSESSIONID cookies for EAP 7.
Tomcat
In context.xml, you can set the SameSite attribute.
<Context>
<CookieProcessor sameSiteCookies="strict" />
</Context>
WebSphere
WebSphere recommends using Apache HTTP Server to replace existing cookies. For more information, see the WebSphere official docs.
WebSphere has released a fix for this issue. Download the fix for your version.
For instructions on how to install this update, see Server Update section. For any questions related to updates, see this FAQ.
Windows: <cf_root>/jre/bin/java.exe -jar <jar-file-dir>/hotfix-015-318650.jar
Linux-based platforms: <cf_root>/jre/bin/java -jar <jar-file-dir>/hotfix-015-318650.jar
Ensure that the JRE bundled with ColdFusion is used for executing the downloaded JAR. For standalone ColdFusion, this must be at, <cf_root>/jre/bin.
Install the update from a user account that has permissions to restart ColdFusion services and other configured webservers .
For further details on how to manually update the application, see the help article.
After applying this update, the ColdFusion build number should be 2016,0,15,318650.
Post installation, we recommend rebuilding or reconfiguring your connector.
Note: This holds true only if you have applied Update 15 without applying Update 14.
If you see Error 503 or Error 403 when firing up your websites, see the troubleshooting steps in the tech notes for Update 14.
To uninstall the update, perform one of the following:
If you can't uninstall the update using the above-mentioned uninstall options, the uninstaller could be corrupted. However, you can manually uninstall the update by doing the following:
Aanmelden bij je account