Whatever message this page gives is out now! Go check it out!

ColdFusion (2021 release) Update 18

Last update:
May 18, 2026
ColdFusion (2021 release) Update 18

Security recommendations

For all security updates, Adobe recommends applying the security configuration settings outlined on the ColdFusion Security page and reviewing the respective Lockdown guides.
Warning:
Check if you need to create and configure connectors after installing the update. View the section Connector Configuration Table for more information.
Note:
The updates below are cumulative and contain all updates from previous ones. If you are skipping updates, you can apply the latest update, not those you are skipping. Further, you must take note of any changes that are implemented in each of the updates you are skipping.
To install previous updates, see ColdFusion (2021 release) updates.

What's new and changed

ColdFusion (2021 release) Update 18 (release date, December 23, 2024) resolves a critical vulnerability that could lead to arbitrary file system read, if the pmtagent package is installed on your ColdFusion server.
View the security bulletin, APSB24-107, for more information.
Important:
If you are using Performance Monitoring Toolset (PMT), make sure the PMT server is up and running while applying the ColdFusion update.

Frequently asked questions about the update

While installing the current update, does PMT need to be up and running?
If ColdFusion is configured with PMT, and PMT is not running while installing the update, this could impact the communication between CF and PMT. So yes, PMT needs to be up and running.
However, if you DO NOT have PMT running, apply the update directly.
What should I do if my PMT was down during when installing the update and the communication fails after the update?
If this happens, start your PMT Server, and restart your ColdFusion server. This should resolve the issue
I am using the GUI installation and pmtagent package is installed by default and I am not using it for monitoring. Am I impacted and do I need to apply the update?
Yes. If pmtagent is installed and I am not using the PMT for monitoring, we strongly recommend you to apply the update.
I am using the GUI installation and I have uninstalled pmtagent package. Am I impacted?
No. There is no impact.
I am using AMI. Am I impacted?
Yes. By default, there is an impact. You may, however, uninstall the pmtagent package, if the package isn't used actively.
If it's used, we strongly recommend you to apply the update.
I am using the zip installation and I have not installed pmtagent. Am I imapcted?
No. There is no impact.
I am using the zip installation and I have installed pmtagent. Am I imapcted?
Yes. There is an impact.
Warning:
The UUID in the next two sections refers to the uuid used for communication between CF and PMT.

Reset UUID

After applying the update, your UUID will be reset. However, if you want to reset the ID on every ColdFusion restart for security reasons, follow the steps:
  1. Add the jvm flag -Dcoldfusion.monitoring.id.reset=true.
  2. Restart ColdFusion.

ColdFusion JDK flag requirements

COLDFUSION 2021 (version 2021.0.0.323925) and above

For Application Servers  
On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**", in the respective startup file depending on the type of Application Server being used.
For example:
  • Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file
  • WebLogic Application Server: edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file
  • WildFly/EAP Application Server: edit JAVA_OPTS in the ‘standalone.conf’ file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.

Known issue

  • When Update 12 of ColdFusion (2023 release) or Update 18 of ColdFusion (2021 release) is installed on JEE deployments, an error message might appear in certain cases upon attempting to view the Settings Summary page in ColdFusion Administrator.

Prerequisites

  1. On 64-bit computers, use 64-bit JRE for 64-bit ColdFusion.
  2. If the ColdFusion server is behind a proxy, specify the proxy settings for the server to get the update notification and download the updates. Specify proxy settings using the system properties below in the jvm.config for a stand-alone installation, or corresponding script file for JEE installation.
    • http.proxyHost
    • http.proxyPort
    • http.proxyUser
    • http.proxyPassword
  3. For ColdFusion running on JEE application servers, stop all application server instances before installing the update.

Installation

ColdFusion Administrator

In Package Manager > Packages, click Check for Updates in Core Server.
After it detects an update, click Update. The core package gets updated with the latest update.
All installed packages that needs an update get updated.
Restart ColdFusion for the changes to take effect.

Install the update in offline mode manually

  1. Download the hotfix installer from the link.
  2. Download the packages zip file from this link and extract its contents to a location accessible to all ColdFusion server instances.
  3. Update "packagesurl" in cfusion/lib/neo_updates.xml of cfusion and all its child instances to point to <InstallerReposityUnzippedPath>/bundles/bundlesdependency.json present inside the downloaded folder.
If the core server hotfix installation is successful and if there are errors or issues with packages, packages can be installed/updated from the package manager client(cfusion\bin\cfpm.bat|cfpm.sh).
You must have privileges to start or stop ColdFusion service and full access to the ColdFusion root directory.
  • Windows:<cf_root>\jre\bin\java.exe -jar <InstallerReposityUnzippedPath>\bundles\updateinstallers\hotfix-018-330341.jar
  • Linux-based platforms:<cf_root>/jre/bin/java -jar  <InstallerReposityUnzippedPath>/bundles/updateinstallers/hotfix-018-330341.jar
Ensure that the JRE bundled with ColdFusion is used for executing the downloaded JAR. For standalone ColdFusion, this must be at, <cf_root>/jre/bin.
Install the update from a user account with permission to restart ColdFusion services and other configured webservers.
For further details on manually updating the application, see the help article.
Note:
If you are on Java 11.0.20 or higher and want to apply the Hotfix, use the flag java -Djdk.util.zip.disableZip64ExtraFieldValidation=true -jar hotfix.jar.
However, if you are applying the update from the Administrator, you do not require any flag.

Post installation

Note:
After applying this update, the ColdFusion build number should be 2021.0.18.330341

Uninstallation

To uninstall the update, perform one of the following:
  • In ColdFusion Administrator, click Uninstall in Server Update Updates Installed Updates.
  • Run the uninstaller for the update from the command prompt. For example, java -jar {cf_install_home}/{instance_home}/hf_updates/hf-2021-00018-330341/uninstall /uninstaller.jar
If you can't uninstall the update using the above-mentioned uninstall options, the uninstaller could be corrupted. However, you can manually uninstall the update by doing the following:
  1. Delete the update jar from {cf_install_home}/{instance_name}/lib/updates.
  2. Copy all folders from {cf_install_home}/{instance_name}/hf-updates/{hf-2021-00018-330341}/backup directory to {cf_install_home}/{instance_name}/

Connector configuration

2021 UpdateConnector recreation required
Update 18
No
However, if upgrading from Update 10 or any previous update, you must recreate the connector.
View the following for more information.
Update 17
No
However, if upgrading from Update 10 or any previous update, you must recreate the connector.
View the following for more information.
Update 16
No
However, if upgrading from Update 10 or any previous update, you must recreate the connector.
View the following for more information.
Update 15
No
However, if upgrading from Update 10 or any previous update, you must recreate the connector.
View the following for more information.
Update 14
No
However, if upgrading from Update 10 or any previous update, you must recreate the connector.
View the following for more information.
Update 13
No
However, if upgrading from Update 10 or any previous update, you must recreate the connector.
View the following for more information.
Update 12
No
However, if upgrading from Update 10 or any previous update, you must recreate the connector.
View the following for more information.
Update 11Yes
Update 10No
Update 9No
Update 8No
Update 7No
Update 6No
Update 5No
Update 4No
Update 3No. You need not upgrade the connector if you have already upgraded the connector in Update 2.
Update 2Yes
Update 1Yes

Packages updated

UpdatePackages updated
Update 18
Yes
The pmtagent package is updated.
Update 17Yes
Update 16No
Update 15No
Update 14Yes
Update 13Yes
Update 12No
Update 11Yes
Update 10No
Update 9No
Update 8No
Update 7No
Update 6Yes
Update 5Yes
Update 4Yes
Update 3Yes
Update 2Yes
Update 1Yes

Share this page

Was this page helpful?
We're glad. Tell us how this page helped.
We're sorry. Can you tell us what didn't work for you?
Thank you for your feedback. Your response will help improve this page.

On this page