ColdFusion Muse

ColdFusion Bug Introduced In Newest Update

Wil Genovese February 13, 2019 7:27 PM ColdFusion, Coldfusion Security Comments (3)

UPDATE: Adobe has released updates for the last update.
  • ColdFusion 11 Update 17 was released that supersedes Update 16.
  • ColdFusion 2016 Update 9 was released that supersedes Update 8.
Many of us, including myself, have been testing these new updates, and so far they look good. We have not heard any news on any additional updates for ColdFusion 2018.

alert everyone that there is a critical bug that was introduced with yesterday's updates for ColdFusion 2018, ColdFusion 2016, and ColdFusion 11. Adobe is very actively working on a resolution. The bug is simply this: in cfscript, queryExecute() is broken. This is the bug report.

Here is an example of what is no longer working. Example one is a cfscript based CFC file.

component output="false"
{
    public query function getRoles() {
        var userRoles ='';
        var sql = "SELECT roleId, roleName FROM userRole ORDER BY roleID";
        userRoles = queryExecute(sql);
        return userRoles;
    }
}

Example two is a cfscript block in a CFML file.

<cfscript>
userRoles = '';
sql = "SELECT roleId, roleName FROM userRole ORDER BY roleID";
userRoles = queryExecute(sql);

writeDump(userRoles);
</cfscript>

The code causes a Java error at the queryExecute() statement. Many of us are working with Adobe, providing test cases and stack traces and testing hot fixes, in order to get this resolved as fast as possible. Until there is a fix, if your application is using cfscript based queries, you will want to hold off on the update.
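
One way to check whether a code base uses cfscript based queries before deciding on the update, as an added example (not code from the original post or from Adobe): a Python scanner that lists queryExecute() calls in script-based CFCs and in cfscript blocks of CFML files. The function names and the comment-stripping heuristic are assumptions of this example.

```python
import re
import sys
from pathlib import Path

# CFML is case-insensitive, so QueryExecute( and queryexecute( both count.
CALL = re.compile(r"\bqueryExecute\s*\(", re.IGNORECASE)
SCRIPT_BLOCK = re.compile(r"<cfscript\b[^>]*>(.*?)</cfscript\s*>", re.I | re.S)
# Block comments and whole-line // comments; trailing // is kept (may be in a URL).
COMMENTS = re.compile(r"/\*.*?\*/|^[ \t]*//[^\n]*", re.S | re.M)


def blank(match):  # keep only the comment's newlines so line numbers stay correct
    return "\n" * match.group(0).count("\n")


def script_regions(text, suffix):
    """Yield (offset, source) for each part of the file parsed as cfscript."""
    if suffix == ".cfc" and not re.search(r"<cfcomponent\b", text, re.I):
        yield 0, text  # script-based component: the whole file is cfscript
        return
    for m in SCRIPT_BLOCK.finditer(text):
        yield m.start(1), m.group(1)


def find_calls(text, suffix):
    """Return sorted 1-based line numbers of queryExecute() calls in cfscript."""
    lines = set()
    for offset, src in script_regions(text, suffix):
        src = COMMENTS.sub(blank, src)
        base = text.count("\n", 0, offset)
        lines.update(base + src.count("\n", 0, m.start()) + 1 for m in CALL.finditer(src))
    return sorted(lines)


def scan_tree(root):
    """Map each .cfc/.cfm file under root to the lines calling queryExecute()."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        suffix = path.suffix.lower()
        if path.is_file() and suffix in (".cfc", ".cfm"):
            found = find_calls(path.read_text(errors="replace"), suffix)
            if found:
                hits[str(path)] = found
    return hits


if __name__ == "__main__":
    for name, found in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{name}: queryExecute() at line(s) {', '.join(map(str, found))}")
```

Run it with the application's source root as the only argument; a file that produces no output line has no cfscript queryExecute() call that the heuristic could see.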


3 Comments

  • Posted By Wil Genovese | 2/14/19 1:59 PM
    The Adobe ColdFusion team has a Hot Fix for this issue. They are trying to figure out how/if to release the fix? Confusing to me. If you are in a critical spot with this, contact cfinstal@adobe.com.
  • Posted By Wil Genovese | 2/14/19 2:19 PM
    If this bug wasn't enough, a second bug was found as well. The official update DELETES your ColdFusion scheduled tasks. See this bug report. https://tracker.adobe.com/#/view/CF-4204021
  • Posted By Wil Genovese | 2/14/19 2:41 PM
    There are way too many bugs this update. So many that I have to recommend DO NOT apply this update to any ColdFusion 11, ColdFusion 2016, or ColdFusion 2018 servers. The honorable Pete Freitag has an additional post covering all the issues found so far. https://www.petefreitag.com/item/858.cfm