File
ColdFusion (2018 release) Update 9
If you are applying Update 9 without applying Update 8, follow the Post Installation steps mentioned for Update 8. If you are on Update 8, you can also refer to the security bulletin APSB20-16.
Note: If you are already on Update 8, you can apply Update 9 without performing any intermediary steps.
If you are updating via ColdFusion Administrator:
The minimum update versions are Update 4 or higher for ColdFusion (2018 release), due to a recent change in code signing certificate.
These are mandatory pre-requisites before updating.
The updates below are cumulative and contain all updates from previous ones. If you are skipping updates, you can apply the latest update, not those you are skipping. Further, you must take note of any changes that are implemented in each of the updates you are skipping.
To install previous updates, see ColdFusion (2018 release) Updates.
ColdFusion (2018 release) Update 9 (release date, 14 April, 2020) addresses vulnerabilities that are mentioned in the security bulletin, APSB20-18.
The SameSite attribute allows you to declare whether your cookies must be restricted to first-party.
In Google Chrome, Update 80 defaults all cookies to first-party, if the cookies do not have the SameSite attribute defined. Previously, if SameSite wasn’t set, it defaulted to none, which enabled third-party sharing by default.
The cfcookie tag has a new attribute, SameSite.
The SameSite attribute supports these values:
1. CFCookie
<cfcookie name="name" value="value" sameSite="Strict | Lax | None">
2. Auth cookie / Session Cookie (CFID, CFTOKEN)
<cfset cookstruct = {samesite: "Lax"}
<cfapplication authCookie=cookStruct sessionCookie=cookstruct >
Example- cfapplication tag
<cfset cookies = {httponly='true', timeout=createTimeSpan(1, 0, 0, 0), sameSite='Strict'}>
<cfset authcookies = {samesite='Lax'}>
<cfapplication name="MyApp" sessionmanagement="Yes" authCookie=authcookies sessioncookie=cookies>
Example- cfm
<cfcookie
name = "newCookieName"
value = "newCookieValue"
expires = "20"
samesite="Strict"
/>
Usage- Application.cfc
In this update, the following flags have been added.
this.sessioncookie.samesite = "Strict | Lax | None"
this.authcookie.samesite= "Strict | Lax | None"
Example
component {
this.name = "MyApp";
this.sessioncookie.samesite = "Strict";
this.authcookie.samesite = "Lax";
this.sessionmanagement = true;
}
Example- Test.cfm
<cflogin>
<cfloginuser name="john" password="pwd" roles="" />
</cflogin>
Usage- cfapplication tag
<cfset cookiest = {httponly='true', timeout=createTimeSpan(1, 0, 0, 0), samesite='Strict | Lax | None'}>
<cfset authcookiest = {samesite='Strict | Lax | None'}>
<cfapplication name="newApp" sessionmanagement="Yes" authCookie=#authcookiest# sessioncookie=#cookiest# >
Note: If the SameSite attribute is missing in cfapplication tag or Application.cfc, rthe espective session/auth cookies will take the server level SameSite attribute, which can be configured in ColdFusion administrator under the Memory Variables section.
In Update 9 of the 2018 release of ColdFusion, the sameSite attribute may or may not work out of the box as expected for various application servers. You must refer to your application server's documentation for more details.
There are, however, workarounds, but you must see the official docs of the application server.
EAP/Wildfly
There are a couple of workarounds:
For more information, see Configuring SameSite flag on JSESSIONID cookies for EAP 7.
Tomcat
In context.xml, you can set the SameSite attribute.
<Context>
<CookieProcessor sameSiteCookies="strict" />
</Context>
For more information, see the docs.
WebSphere
WebSphere recommends using Apache HTTP Server to replace existing cookies. For more information, see the WebSphere docs.
WebSphere has released a fix for this issue. Download the fix for your version.
For instructions on how to install this update, see Server Update section. For any questions related to updates, see this FAQ.
Windows: <cf_root>/jre/bin/java.exe -jar <jar-file-dir>/hotfix-009-318650.jar
Linux-based platforms: <cf_root>/jre/bin/java -jar <jar-file-dir>/hotfix-009-318650.jar
Ensure that the JRE bundled with ColdFusion is used for executing the downloaded JAR. For standalone ColdFusion, this must be at, <cf_root>/jre/bin.
Install the update from a user account that has permissions to restart ColdFusion services and other configured webservers .
For further details on how to manually update the application, see the help article.
After applying this update, the ColdFusion build number should be 2018,0,09,318650.
Post installation, we recommend rebuilding or reconfiguring your connector.
Note: This holds true only if you have applied Update 9 without applying Update 8.
If you see Error 503 or Error 403 when firing up your websites, see the troubleshooting steps.
After you've installed Update 9 (with a pre-configured connector), and have locked down the server using the Auto-Lockdown installer, you may encounter Error 403 forbidden, when accessing the web pages.
To fix this issue, follow the steps mentioned below:
Locations of files
File |
Location |
---|---|
server.xml |
{cf.instance.home}\runtime\conf |
AJP connector in server.xml |
AJP connector has protocol attribute set as AJP/1.3. For example, <Connector port="8018" protocol="AJP/1.3" packetSize="65535" redirectPort="8451" tomcatAuthentication="false" maxThreads="500" connectionTimeout="60000" secret=”abcd” /> |
secret in server.xml |
The secret value in server.xml is present in the Connector Node with the attribute name as secret. For example, <Connector port="8018" protocol="AJP/1.3" packetSize="65535" redirectPort="8451" tomcatAuthentication="false" maxThreads="500" connectionTimeout="60000" secret=”abcd” /> |
workers.properties in IIS |
{cf.home}/config/wsconfig/<magic_folder_number> |
workers.properties in Apache |
APACHE_HOME/conf/ |
secret in workers.properties |
worker.cfusion.secret=<secret> |
To uninstall the update, perform one of the following:
If you can't uninstall the update using the above-mentioned uninstall options, the uninstaller could be corrupted. However, you can manually uninstall the update by doing the following:
Sign in to your account