Adobe ColdFusion (2021 release) Updates Release Notes
What's new and changed in ColdFusion (2021 release) Update 17
ColdFusion (2021 release) Update 17 (release date, October 15, 2024) includes bug fixes and enhancements in Administrator, Language, CFSetup, Database, and other areas. The update contains library upgrades, such as Jackson-data-bind, netty, ehcache, etc.
For more details, see this article.
What's new and changed in ColdFusion (2021 release) Update 16
ColdFusion (2021 release) Update 16 (release date, September 10, 2024) resolves a critical vulnerability that could lead to the deserialization of untrusted data. View the security bulletin, APSB24-71, for more information.
For more details, see this article.
What's new and changed in ColdFusion (2021 release) Update 15
In ColdFusion (2021 release) Update 15 (release date, August 20, 2024), we’ve upgraded Tomcat from version 9.0.85 to version 9.0.93.
For more details, see this article.
What's new and changed in ColdFusion (2021 release) Update 14
ColdFusion (2021 release) Update 14 (release date, June 11, 2024) addresses vulnerabilities mentioned in the security bulletin, APSB24-41.
For more details, see this article.
What's new and changed in ColdFusion (2021 release) Update 13
ColdFusion (2021 release) Update 13 (release date, 12 March, 2024) addresses vulnerabilities mentioned in the security bulletin, APSB24-14.
For more details, see this article.
What's new and changed in ColdFusion (2021 release) Update 12
ColdFusion (2021 release) Update 12 (release date, November 14, 2023) addresses vulnerabilities that are mentioned in the security bulletin, APSB23-52. These updates resolve a critical vulnerability that could lead to improper access control and security feature bypass.
This update also removes the cf-logging.jar file and creates its backup in the updates folder.
For more information, see the tech note for the update.
What's new and changed in ColdFusion (2021 release) Update 11
ColdFusion (2021 release) Update 11 (release date: October 6, 2023) includes bug fixes and enhancements in Administrator, Installer, Migration, Package manager, Database, and other areas. The update contains upgrades to Tomcat (v9.0.78) and other libraries, such as jackson-databind, Netty, etc. Note that this update is cumulative and includes fixes from the previous updates.
With this update, we are upgrading the library jackson-databind from 2.9.8 to 2.15.0. This library version does not support POJO deserialization of java.time.* .The objects return NULL objects, which leads to data loss from aws dynamodb and azure service bus. See the bug fix section for more information.
If you are on Java 11.0.20 or higher, use the flag java -Djdk.util.zip.disableZip64ExtraFieldValidation=true -jar hotfix.jar
From Update 12 onwards, you need not use the flag.
For more information, see the tech note for the update.
What's new and changed in ColdFusion (2021 release) Update 10
ColdFusion (2021 release) Update 10 (release date, 16 August, 2023) introduces the ColdFusion serial filter that can be used to allow or disallow Java classes or packages for the deserialization of Wddx packets.
For more information, see the tech note for the update.
What's new and changed in ColdFusion (2021 release) Update 9
What's new and changed in ColdFusion (2021 release) Update 8
What's new and changed in ColdFusion (2021 release) Update 7
What's new and changed in ColdFusion (2021 release) Update 6
ColdFusion (2021 release) Update 6 (release date, 14 March, 2023) addresses vulnerabilities that could lead to arbitrary code execution, arbitrary file system read, and memory leak.
For more information, security bulletin APSB23-25.
New jvm flags
In this update, we've disabled cfclient by default. If you need to enable it, there is a new flag to do it.
- -Dcoldfusion.cfclient.enable=true/false
Doing so will enable cfclient, but will allow only CFCs to be read. To allow other files to be read, use the flag listed below:
- -Dcoldfusion.cfclient.allowNonCfc=true/false
For more information, see the tech note for the update.
What's new and changed in ColdFusion (2021 release) Update 5
What's new and changed in ColdFusion (2021 release) Update 4
ColdFusion (2021 release) Update 4 (release date, 10 May, 2022) addresses vulnerabilities that are mentioned in the security bulletin APSB22-22.
This release also contains the following library upgrades:
- Tomcat 9.0.60
- jQuery 3.6.0
- jQuery UI 1.13.1
- Log4j 2.17.2
For more information, see the tech note for the update.
What's new and changed in ColdFusion (2021 release) Update 3
ColdFusion (2021 release) Update 3 (release date, 17 December, 2021) addresses vulnerabilities that are mentioned in CVE-2021-44228 and CVE-2021-45046.
For more information, see the tech note for the update.
What's new and changed in ColdFusion (2021 release) Update 2
ColdFusion (2021 release) Update 2 (release date, 14 September, 2021) addresses vulnerabilities that are mentioned in the security bulletin, APSB21-75, and features the following:
- Licensing and activation changes.
- cfsetup updates.
- Bugs fixed in this release.
- Known issues in this release.
For more information, see the tech notes.
What's new and changed in ColdFusion (2021 release) Update 1
ColdFusion (2021 release) Update 1 (release date, 22 March, 2021) features the following:
- Address vulnerabilities mentioned in the document APSB21-16.
- Activation and deactivation of Virtual Core license.
- Bug fixes.
For more information, see the tech notes.