Adobe ColdFusion (2023 release) Updates Release Notes

ColdFusion (2023 release) Update 12 (release date, December 20, 2024) resolves a critical vulnerability that could lead to arbitrary file system read.

View the security bulletin, APSB24-107, for more information.

For more details, see this tech note.

ColdFusion (2023 release) Update 11 (release date, October 15, 2024)  includes bug fixes and enhancements in Administrator, Language, CFSetup, Database, and other areas. The update also contains library upgrades, such as Jackson-data-bind, netty, ehcache, etc.

For more details, see this tech note.

ColdFusion (2023 release) Update 10 (release date, September 10, 2024) resolves a critical vulnerability that could lead to the deserialization of untrusted data. View the security bulletin, APSB24-71, for more information.

For more details, see this tech note.

In ColdFusion (2023 release) Update 9 (release date, August 20, 2024), we’ve upgraded Tomcat from version 9.0.85 to version 9.0.93.

For more details, see this tech note.

ColdFusion (2023 release) Update 8 (release date, June 11, 2024) addresses vulnerabilities mentioned in the security bulletin, APSB24-41.

For more details, see this tech note.

ColdFusion (2023 release) Update 7 (release date, 12 March, 2024) addresses vulnerabilities mentioned in the security bulletin, APSB24-14.

For more details, see this tech note.

ColdFusion (2023 release) Update 6 (release date, November 14, 2023) addresses vulnerabilities that are mentioned in the security bulletin, APSB23-52. These updates resolve a critical vulnerability that could lead to improper access control and security feature bypass.

For more details, see this tech note.

ColdFusion (2023 release) Update 5 (release date: October 6, 2023) includes bug fixes and enhancements in Administrator, Installer, Migration, Package manager, Database, and other areas. The update contains upgrades to Tomcat (v9.0.78) and other libraries, such as jackson-databind, Netty, etc. Note that this update is cumulative and includes fixes from the previous updates.

With this update, we are upgrading the library jackson-databind from 2.9.8 to 2.15.0. This library version does not support POJO deserialization of java.time.* .The objects return NULL objects, which leads to data loss from aws dynamodb and azure service bus. See the bug fix section for more information.

For more information, see the tech note.

ColdFusion (2023 release) Update 4 (release date, 16 August, 2023) introduces the ColdFusion serial filter that can be used to allow or disallow Java classes or packages for the deserialization of Wddx packets.

For more information, see the tech note.

ColdFusion (2023 release) Update 3 (release date, 19 July, 2023) addresses vulnerabilities that are mentioned in the security bulletin, APSB23-47. These updates resolve a critical vulnerability that could lead to improper access control and security feature bypass.

For more information, see the tech note.

ColdFusion (2023 release) Update 2 (release date, 14 July, 2023) addresses vulnerabilities  that could lead to arbitrary code execution.

For more information, security bulletin APSB23-41.

For more information, see the tech note.

ColdFusion (2023 release) Update 1 (release date, 11 July, 2023) addresses vulnerabilities  that could lead to arbitrary code execution and security feature bypass.

For more information, security bulletin APSB23-40.

For more information, see the tech note.