ColdFusion (2016 release) Update 15

Note:

If you are applying Update 15 without applying Update 14, follow the Post Installation steps mentioned for Update 14.

Note: If you are already on Update 14, you can install Update 15 without any intermediate procedure.

Note:

If you are updating via ColdFusion Administrator:

The minimum update versions are Update 11 and higher for ColdFusion (2016 release), due to a recent change in code signing certificate.

The updates below are cumulative and contains all updates from previous ones. If you are skipping updates, you can apply the latest update, not those you are skipping. Further, you must take note of any changes that are implemented in each of the updates you are skipping.

To install previous updates, see ColdFusion (2016 release) Updates.

Updates in this release

ColdFusion (2016 release) Update 15 (release date, 14 April, 2020) includes fixes for the the security vulnerabilities that were reported in APSB20-18.

SameSite attribute

The SameSite attribute allows you to declare whether your cookies must be restricted to first-party.

In Google Chrome, Update 80 defaults all cookies to first-party, if the cookies do not have the SameSite attribute defined. Previously, if SameSite wasn’t set, it defaulted to none, which enabled third-party sharing by default.

The cfcookie tag has a new attribute, sameSite.

The SameSite attribute supports these values:

  • Strict
  • Lax
  • None

Usage

1. CFCookie

<cfcookie name="name" value="value" samesite="Strict | Lax | None">

2. Auth cookie / Session Cookie (CFID, CFTOKEN)
<cfset cookstruct = {samesite: "Lax"}
<cfapplication authCookie=cookstruct sessioncookie=cookstruct >

Usage- Application.cfc

In this update, the following flags have been added.

this.sessioncookie.samesite = "Strict | Lax | None"

this.authcookie.samesite= "Strict | Lax | None"

Example

component {

                this.name = "MyApp";

                this.sessioncookie.samesite = "Strict";

                this.authcookie.samesite = "Lax";

                this.sessionmanagement = true;

}

Example- Test.cfm

<cflogin>

    <cfloginuser name="john" password="pwd" roles="" />

</cflogin>

Usage- cfapplication tag

<cfset cookiest = {httponly='true', timeout=createTimeSpan(1, 0, 0, 0), samesite='Strict | Lax | None'}>

<cfset authcookiest = {samesite='Strict | Lax | None'}>

<cfapplication name="newApp" sessionmanagement="Yes" authCookie=#authcookiest# sessioncookie=#cookiest# >

Note: If the SameSite attribute is missing in cfapplication tag or Application.cfc, rthe espective session/auth cookies will take the server level SameSite attribute, which can be configured in ColdFusion administrator under the Memory Variables section.

In Update 15 of the 2016 release of ColdFusion, the sameSite attribute may or may not work out of the box as expected for various application servers. You must refer to your application server's documentation for more details.

There are, however, workarounds, but you must see the official docs of the application server.

JEE setup workaround

EAP/Wildfly

There are a couple of workarounds:

  1. Write a custom filter in undertow (applicable to EAP 7.2 and above).
  2. Set the SameSite flag by mod_header's Header directive of Apache HTTPD server in front of JBoss EAP.

For more information, see Configuring SameSite flag on JSESSIONID cookies for EAP 7.

Tomcat

In context.xml,  you can set the SameSite attribute.

<Context>

   <CookieProcessor sameSiteCookies="strict" />

</Context>

For more information, see the docs.

WebSphere

WebSphere recommends using Apache HTTP Server to replace existing cookies. For more information, see the WebSphere official docs.

WebSphere has released a fix for this issue. Download the fix for your version.

Prerequisites

  1. On 64-bit computer, use 32-bit JRE for 32-bit ColdFusion and 64-bit JRE for 64-bit ColdFusion.
  2. If the ColdFusion server is behind a proxy, specify the proxy settings for the server to get the update notification and download the updates. Specify proxy settings using the system properties below in the jvm.config for a stand-alone installation, or corresponding script file for JEE installation.
    • http.proxyHost
    • http.proxyPort
    • http.proxyUser
    • http.proxyPassword
  3. For ColdFusion running on JEE application servers, stop all application server instances before installing the update.

Installation

For instructions on how to install this update, see Server Update section. For any questions related to updates, see this FAQ

  • The update can be installed from the Administrator of a ColdFusion instance or through the command-line option.
  • Windows users can launch the ColdFusion Administrator using Start > All Programs > Adobe > Coldfusion 2016 > Administrator.
  • Microsoft Windows 7, Windows 8, Windows 10, Windows Server 2008, and Windows Server 2012 users must use the “Run as Administrator” option to launch wsconfig tool at {cf_install_home}/{instance_name}/runtime/bin.
  • If you get the following error when installing the update using the Download and Install option, ensure that the folder {cf_install_home}/{instance_name}/hf_updates has write permission: "An error occurred when performing a file operation write on file {cf_install_home}/{instance_name}/hf-updates/hotfix_015.properties".
  • The connector configuration files are backed up at {cf_install_home}/config/wsconfig/backup. Add back any custom changes made to the worker.properties file after reconfiguring the connector.

Installing the update manually

  1. Click the link to download the JAR.
  2. Execute the following command on the downloaded JAR. You must have privileges to start or stop ColdFusion service and full access to the ColdFusion root directory.

    Windows: <cf_root>/jre/bin/java.exe -jar <jar-file-dir>/hotfix-015-318650.jar

    Linux-based platforms: <cf_root>/jre/bin/java -jar <jar-file-dir>/hotfix-015-318650.jar

Ensure that the JRE bundled with ColdFusion is used for executing the downloaded JAR. For standalone ColdFusion, this must be at, <cf_root>/jre/bin.

Install the update from a user account that has permissions to restart ColdFusion services and other configured webservers.

For further details on how to manually update the application, see the help article.

Post installation

Note:

After applying this update, the ColdFusion build number should be 2016,0,15,318650.

Post installation, we recommend rebuilding or reconfiguring your connector.

Note: This holds true only if you have applied Update 15 without applying Update 14.

If you see Error 503 or Error 403 when firing up your websites, see the troubleshooting steps in the tech notes for Update 14.

Uninstallation

To uninstall the update, perform one of the following:

  • In ColdFusion Administrator, click Uninstall in Server Update Updates Installed Updates.
  • Run the uninstaller for the update from the command prompt. For example, java -jar {cf_install_home}/{instance_home}/hf_updates/hf-2016-00015-318650/uninstall/uninstaller.jar

If you can't uninstall the update using the above-mentioned uninstall options, the uninstaller could be corrupted. However, you can manually uninstall the update by doing the following:

  1. Delete the update jar from {cf_install_home}/{instance_name}/lib/updates.
  2. Copy all folders from {cf_install_home}/{instance_name}/hf-updates/{hf-2016-00014-318650}/backup directory to {cf_install_home}/{instance_name}/

Connector configuration

2016 Update Connector recreation required
Update 15 Yes
Update 14 Yes
Update 13 Yes
Update 12 Yes
Update 11 No
Update 10 No
Update 9 No
Update 8 Yes
Update 7 No
Update 6 No
Update 5 No
Update 4 No
Update 3 Yes
Update 2 No
Update 1 No