ColdFusion (2021 release) Update 6

ColdFusion (2021 release) Update 6

What's new and changed


The updates below are cumulative and contain all updates from previous ones. If you are skipping updates, you can apply the latest update, not those you are skipping. Further, you must take note of any changes that are implemented in each of the updates you are skipping.

To install previous updates, see ColdFusion (2021 release) updates.

ColdFusion (2021 release) Update 6 (release date, 14 March, 2023) addresses vulnerabilities that could lead to arbitrary code execution, arbitrary file system read, and memory leak.

For more information, security bulletin APSB23-25.

New jvm flags

In this update, we've disabled cfclient by default. If you need to enable it, there is a new flag to do it.

  • -Dcoldfusion.cfclient.enable=true/false

Doing so will enable cfclient, but will allow only CFCs to be read. To allow other files to be read, use the flag listed below:

  • -Dcoldfusion.cfclient.allowNonCfc=true/false


  1. On 64-bit computers, use 64-bit JRE for 64-bit ColdFusion.
  2. If the ColdFusion server is behind a proxy, specify the proxy settings for the server to get the update notification and download the updates. Specify proxy settings using the system properties below in the jvm.config for a stand-alone installation, or corresponding script file for JEE installation.
    • http.proxyHost
    • http.proxyPort
    • http.proxyUser
    • http.proxyPassword
  3. For ColdFusion running on JEE application servers, stop all application server instances before installing the update.


ColdFusion Administrator

In Package Manager > Packages, click Check for Updates in Core Server.

After it detects an update, click Update. The core package gets updated with the latest update.

All installed packages that needs an update get updated.

Restart ColdFusion for the changes to take effect.

Install the update in offline mode manually

  1. Download the hotfix installer from the link.
  2. Unzip the repository to a place where it can be accessed by all ColdFusion server instances.
  3. Update "packagesurl" in cfusion/lib/neo_updates.xml of cfusion and all its child instances to point to <InstallerReposityUnzippedPath>/bundles/bundlesdependency.json present inside the downloaded folder.

If the core server hotfix installation is successful and if there are errors or issues with packages, packages can be installed/updated from the package manager client(cfusion\bin\cfpm.bat|

You must have privileges to start or stop ColdFusion service and full access to the ColdFusion root directory.

  • Windows: <cf_root>\jre\bin\java.exe -jar <InstallerReposityUnzippedPath>\bundles\updateinstallers\hotfix-006-330132.jar
  • Linux-based platforms: <cf_root>/jre/bin/java -jar  <InstallerReposityUnzippedPath>/bundles/updateinstallers/hotfix-006-330132.jar

Ensure that the JRE bundled with ColdFusion is used for executing the downloaded JAR. For standalone ColdFusion, this must be at, <cf_root>/jre/bin.

Install the update from a user account that has permission to restart ColdFusion services and other configured webservers .

For further details on how to manually update the application, see the help article.


Updating the core package updates all the packages that were downloaded. Also, updating any package updates the core and rest of the packages. If ColdFusion (2021 release) is on Update 1, installing Update 6 via the admin of any instance updates the core for all other instances present.

Similarly, uninstalling the update from the same instance uninstalls the updates from instances that were updated together.


If you've created a mapping of the cf_scripts folder, you must copy the contents of the downloaded zip into CF_SCRIPTS/scrips/ajax folder to download the ajax package.

Post installation


After applying this update, the ColdFusion build number should be 2021.0.06.330132.

After applying this update, you must reinstall any custom hotfixes that might have been applied earlier. The hotfixes are located in the folder /ColdFusion2021/cfusion/hf-updates/hf-2021-00006-330132


To uninstall the update, perform one of the following:

  • In ColdFusion Administrator, click Uninstall in Server Update Updates Installed Updates.
  • Run the uninstaller for the update from the command prompt. For example, java -jar {cf_install_home}/{instance_home}/hf_updates/hf-2021-00006-330132/uninstall /uninstaller.jar

If you can't uninstall the update using the above-mentioned uninstall options, the uninstaller could be corrupted. However, you can manually uninstall the update by doing the following:

  1. Delete the update jar from {cf_install_home}/{instance_name}/lib/updates.
  2. Copy all folders from {cf_install_home}/{instance_name}/hf-updates/{hf-2021-00006-330132}/backup directory to {cf_install_home}/{instance_name}/

Connector configuration

2021 Update Connector recreation required
Update 6 No
Update 5 No
Update 4 No
Update 3 No. You need not upgrade the connector if you had already upgraded the connector in Update 2.
Update 2 Yes
Update 1 Yes


Получайте помощь быстрее и проще

Новый пользователь?

Adobe MAX 2024

Adobe MAX
— творческая конференция

С 14 по 16 октября очно в Майами-Бич и онлайн

Adobe MAX

Творческая конференция

С 14 по 16 октября очно в Майами-Бич и онлайн

Adobe MAX 2024

Adobe MAX
— творческая конференция

С 14 по 16 октября очно в Майами-Бич и онлайн

Adobe MAX

Творческая конференция

С 14 по 16 октября очно в Майами-Бич и онлайн