Adobe ColdFusion (2021 release) Updates Release Notes

ColdFusion (2021 release) Update 10 (release date, 16 August, 2023) introduces the ColdFusion serial filter that can be used to allow or disallow Java classes or packages for the deserialization of Wddx packets.

For more information, see the tech note for the update.

ColdFusion (2021 release) Update 9 (release date, 19 July, 2023) resolves critical vulnerabilities that could lead to improper access control and security feature bypass.

For more information, see the security bulletin APSB23-47.

For more information, see the tech note for the update.

ColdFusion (2021 release) Update 8 (release date, 14 July, 2023) addresses vulnerabilities that could lead to arbitrary code execution.

For more information, security bulletin APSB23-41.

For more information, see the tech note for the update.

ColdFusion (2021 release) Update 7 (release date, 11 July, 2023) addresses vulnerabilities that could lead to arbitrary code execution and security feature bypass.

For more information, security bulletin APSB23-40.

For more information, see the tech note for the update.

ColdFusion (2021 release) Update 6 (release date, 14 March, 2023) addresses vulnerabilities that could lead to arbitrary code execution, arbitrary file system read, and memory leak.

For more information, security bulletin APSB23-25.

New jvm flags

In this update, we've disabled cfclient by default. If you need to enable it, there is a new flag to do it.

• -Dcoldfusion.cfclient.enable=true/false
  

Doing so will enable cfclient, but will allow only CFCs to be read. To allow other files to be read, use the flag listed below:

• -Dcoldfusion.cfclient.allowNonCfc=true/false

For more information, see the tech note for the update.

ColdFusion (2021 release) Update 5 (release date, 11 October 2022) addresses vulnerabilities that are mentioned in the security bulletin APSB22-44.

This release also includes support for macOS M1 and macOS 12 (Monterey).

For more information, see the tech note for the update.

ColdFusion (2021 release) Update 4 (release date, 10 May, 2022) addresses vulnerabilities that are mentioned in the security bulletin APSB22-22.

This release also contains the following library upgrades:

• Tomcat 9.0.60
• jQuery 3.6.0
• jQuery UI 1.13.1
• Log4j 2.17.2

For more information, see the tech note for the update.

ColdFusion (2021 release) Update 3 (release date, 17 December, 2021) addresses vulnerabilities that are mentioned in CVE-2021-44228 and CVE-2021-45046.

For more information, see the tech note for the update.

ColdFusion (2021 release) Update 2 (release date, 14 September, 2021) addresses vulnerabilities that are mentioned in the security bulletin, APSB21-75, and features the following:

• Licensing and activation changes.
• cfsetup updates.
  
• Bugs fixed in this release.
• Known issues in this release.

For more information, see the tech notes.

ColdFusion (2021 release) Update 1 (release date, 22 March, 2021) features the following:

• Address vulnerabilities mentioned in the document APSB21-16.
• Activation and deactivation of Virtual Core license.
  
• Bug fixes.

For more information, see the tech notes.