ColdFusion (2023 release) Update 18
Security recommendations
For all security updates, Adobe recommends applying the security configuration settings outlined on the ColdFusion Security page and reviewing the respective Lockdown guide.
The updates below are cumulative and contain all updates from previous ones. If you are skipping updates, you can apply the latest update, not those you are skipping. Further, you must take note of any changes that are implemented in each of the updates you are skipping.
View ColdFusion (2023 release) Updates for more information.
What's new and changed
ColdFusion (2023 release) Update 18 (release date: 13 January, 2026) addresses CVE-2025-66516, a critical XXE in Apache Tika libraries. Adobe strongly recommends that you apply this update as soon as possible. Note that this update is cumulative and includes fixes from previous updates.
This update upgrades the embedded Apache Tika libraries in ColdFusion from Apache Tika 1.21 to Apache Tika 2.9.4, along with necessary dependencies, providing the latest security and stability enhancements, while preserving existing application behavior.
View the security bulletin, APSB26-12, for more information.
If you have added custom entries to the tika-config.xml file, you must either:
- Back up the contents of the file before applying the update, or
- Restore it from the update backup after applying the update.
The backup copy of the file can be found at: hf-updates\hf-2023-00018-330879\backup\lib\tika-config.xml
Prerequisites
- On 64-bit computers, use 64-bit JRE for 64-bit ColdFusion.
- If the ColdFusion server is behind a proxy, specify the proxy settings for the server to get the update notification and download the updates. Specify proxy settings using the system properties below in the jvm.config for a stand-alone installation, or corresponding script file for JEE installation.
- http.proxyHost
- http.proxyPort
- http.proxyUser
- http.proxyPassword
- For ColdFusion running on JEE application servers, stop all application server instances before installing the update.
ColdFusion JDK flag requirements
COLDFUSION 2023 (version 2023.0.0.330468) and above
For Application Servers
On JEE installations, set the following JVM flag, " -Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**; !com.mysql.cj.jdbc.interceptors.**;!org.apache.commons.collections.**;", in the respective startup file depending on the type of Application Server being used.
For example:
- Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file
- WebLogic Application Server: edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file
- WildFly/EAP Application Server: edit JAVA_OPTS in the ‘standalone.conf’ file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.
ColdFusion Administrator
In Package Manager > Packages, click Check for Updates in Core Server.
After it detects an update, click Update. The core package gets updated the the latest update.
All installed packages also get updated.
Restart ColdFusion for the changes to take effect.
Install the update in offline mode manually
- Download the hotfix installer from the link.
- Download the packages zip file from this link and extract its contents to a location accessible to all ColdFusion server instances.
- Update "packagesurl" in cfusion/lib/neo_updates.xml of cfusion and all its child instances to point to <InstallerRepositoryUnzippedPath>/bundles/bundlesdependency.json present inside the downloaded folder.
You must have privileges to start or stop ColdFusion service and full access to the ColdFusion root directory.
- Windows: <cf_root>\jre\bin\java.exe -jar <InstallerRepositoryUnzippedPath>\bundles\updateinstallers\hotfix-018-330879.jar
- Linux-based platforms: <cf_root>/jre/bin/java -jar <InstallerRepositoryUnzippedPath>/bundles/updateinstallers/hotfix-018-330879.jar
If the core server hotfix installation is successful and if there are errors or issues with packages, packages can be installed/updated from the package manager client(cfusion\bin\cfpm.bat|cfpm.sh).
Ensure that the JRE bundled with ColdFusion is used for executing the downloaded JAR. For standalone ColdFusion, this must be at, <cf_root>/jre/bin.
Install the update from a user account that has permissions to restart ColdFusion services and other configured webservers.
For further details on manually updating the application, see the help article.
If you are on Java 17.0.8 or higher and want to apply the Hotfix manually, use the flag java -Djdk.util.zip.disableZip64ExtraFieldValidation=true -jar hotfix.jar.
However, if you are applying the update from the Administrator, you do not require any flag.
Post installation
After applying this update, the ColdFusion build number should be 2023,0,18,330879
Uninstallation
To uninstall the update, perform one of the following:
- In ColdFusion Administrator, click Uninstall in Server Update > Updates > Installed Updates.
- Run the uninstaller for the update from the command prompt. For example, java -jar {cf_install_home}/{instance_home}/hf_updates/hf-2023-00018-330879/uninstall /uninstaller.jar
If you can't uninstall the update using the above-mentioned uninstall options, the uninstaller could be corrupted. However, you can manually uninstall the update by doing the following:
- Delete the update jar from {cf_install_home}/{instance_name}/lib/updates.
- Copy all folders from {cf_install_home}/{instance_name}/hf-updates/{hf-2023-00018-330879}/backup directory to {cf_install_home}/{instance_name}/
Uninstalling this update only removes the core update itself. Any ColdFusion packages that were updated as part of this release remain at their latest compatible versions. If you need to revert package versions, you must do so separately; uninstalling the core update does not roll back package versions automatically.
Q: If I uninstall ColdFusion 2023 Update 18, will all the packages installed with it be rolled back?
A: No. Package rollback depends on the minimum core dependency of each package:
- Packages with a minimum core dependency of update 18 (that is, they specifically require this core level) are rolled back when you uninstall this core update.
- Packages with a minimum core dependency of update 17 or update 16 remain installed at their latest compatible versions and are not rolled back automatically when you uninstall the core update.
Connector configuration
| 2023 Update | Connector recreation required |
|---|---|
| Update 18 | No However, upgrading from Update 4 and earlier requires you to recreate the connector. View the following for more information on creating and configuring connectors: |
| Update 17 | No However, upgrading from Update 4 and earlier requires you to recreate the connector. View the following for more information on creating and configuring connectors: |
| Update 16 | No However, upgrading from Update 4 and earlier requires you to recreate the connector. View the following for more information on creating and configuring connectors: |
| Update 15 | No However, upgrading from Update 4 and earlier requires you to recreate the connector. View the following for more information on creating and configuring connectors: |
| Update 14 | No However, upgrading from Update 4 and earlier requires you to recreate the connector. View the following for more information on creating and configuring connectors: |
| Update 13 | No However, upgrading from Update 4 and earlier requires you to recreate the connector. View the following for more information on creating and configuring connectors: |
| Update 12 | No However, upgrading from Update 4 and earlier requires you to recreate the connector. View the following for more information on creating and configuring connectors: |
| Update 11 | No However, upgrading from Update 4 and earlier requires you to recreate the connector. View the following for more information on creating and configuring connectors: |
| Update 10 | No However, upgrading from Update 4 and earlier requires you to recreate the connector. View the following for more information on creating and configuring connectors: |
| Update 9 | No However, upgrading from Update 4 and earlier requires you to recreate the connector. View the following for more information on creating and configuring connectors: |
| Update 8 | No However, upgrading from Update 4 and earlier requires you to recreate the connector. View the following for more information on creating and configuring connectors: |
| Update 7 | No
However, upgrading from Update 4 and earlier requires you to recreate the connector. View the following for more information on creating and configuring connectors: |
| Update 6 | No However, upgrading from Update 4 and earlier requires you to recreate the connector. View the following for more information on creating and configuring connectors: |
| Update 5 | Yes |
| Update 4 | No |
| Update 3 | No |
| Update 2 | No |
| Update 1 | No |
Package updates
| Update | Packages updated |
|---|---|
| Update 18 | Yes
|
| Update 17 | Yes
|
| Update 16 | Yes
|
| Update 15 | Yes The following packages are updated:
|
| Update 14 | Yes The following packages are updated:
|
| Update 13 | Yes The following packages are updated:
|
| Update 12 | Yes The pmtagent package is updated. |
| Update 11 | Yes |
| Update 10 | No |
| Update 9 | No |
| Update 8 | Yes |
| Update 7 | Yes |
| Update 6 | No |
| Update 5 | Yes |
| Update 4 | No |
| Update 3 | No |
| Update 2 | No |
| Update 1 | No |
