Adobe has released security updates for ColdFusion versions 2016 and 2018. These updates resolve multiple critical vulnerabilities that could lead to arbitrary code execution. This is important: flaws of this kind could let an attacker take over your server.
The information regarding the hotfix is located here. However, one of the most important aspects of installing this update is not obvious on this page:
You have to, have to, HAVE TO reinstall the ColdFusion Web Server connector by running the wsconfig.exe (Windows) or wsconfig (*nix) programs that ship with ColdFusion. If you don’t, the connector information won’t be updated with the “secret” attribute of the JVM and requests will error with a 503 response.
On occasion, you may run the wsconfig utility and rebuild the web server connector, and it still doesn’t work. The wsconfig utility will respond as if everything was successful, but sites will still not be processed through the ColdFusion engine. If you’ve run into this situation, you need to rebuild the connector manually. This is a pretty simple process for an experienced CF Developer, but just in case you’ve never been in this situation before, here are the steps:
- Remove the existing connector using the wsconfig utility.
- Stop the web server (IIS, Apache, nginx, etc.).
- Delete the connector from the cfinstall/config folder.
- Rebuild the connector using the wsconfig tool.
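
To confirm that a rebuilt connector actually picked up the secret, the check below compares both sides of the connection. It is an added example, not code from Adobe or from this post, and it assumes the secret is stored as the `secret` attribute of the AJP `Connector` in Tomcat's server.xml and as `worker.<name>.secret` in the connector's workers.properties; the sample file contents are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples. Assumption: real copies live under the ColdFusion install
# (Tomcat server.xml and the connector's workers.properties; paths vary by version).
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8500" protocol="HTTP/1.1"/>
  <Connector port="8018" protocol="AJP/1.3" secret="PLACEHOLDER-SECRET-A"/>
</Service></Server>"""

WORKERS_STALE = """worker.list=cfusion
worker.cfusion.type=ajp13
worker.cfusion.host=localhost
worker.cfusion.port=8018
"""
WORKERS_REBUILT = WORKERS_STALE + "worker.cfusion.secret=PLACEHOLDER-SECRET-A\n"

def ajp_secrets(server_xml):
    """Map AJP port -> secret (None when the attribute is absent)."""
    root = ET.fromstring(server_xml)
    return {c.get("port"): c.get("secret")
            for c in root.iter("Connector")
            if c.get("protocol", "").startswith("AJP")}

def worker_settings(props):
    """Parse worker.<name>.<key>=value lines into {name: {key: value}}."""
    workers = {}
    for line in props.splitlines():
        m = re.match(r"\s*worker\.([^.=\s]+)\.([^=\s]+)\s*=\s*(.*)$", line)
        if m:
            workers.setdefault(m.group(1), {})[m.group(2)] = m.group(3).strip()
    return workers

def check_connector(server_xml, props):
    """Return a list of problems; empty means the secrets line up.
    Messages never include the secret values themselves."""
    secrets, problems = ajp_secrets(server_xml), []
    for name, cfg in worker_settings(props).items():
        port = cfg.get("port")
        if port not in secrets:
            problems.append(f"{name}: no AJP connector on port {port}")
        elif secrets[port] is None:
            problems.append(f"{name}: AJP port {port} has no secret set")
        elif cfg.get("secret") is None:
            problems.append(f"{name}: connector has no secret (stale, expect 503)")
        elif cfg["secret"] != secrets[port]:
            problems.append(f"{name}: secret mismatch on port {port}")
    return problems
```

Read the two real files into strings and pass them to `check_connector`; a non-empty result after running wsconfig points to the manual rebuild described above.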