=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN039
_____________________________________________________________________

DATE                : 15/01/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Adobe ColdFusion versions prior to
                            2025 Update 6, 2023 Update 18.

=====================================================================
https://helpx.adobe.com/security/products/coldfusion/apsb26-12.html
_____________________________________________________________________



Last updated on Jan 13, 2026

Security updates available for Adobe ColdFusion | APSB26-12

Bulletin ID       Date Published            Priority
APSB26-12         January 13, 2026          1

Summary

Adobe has released security updates for ColdFusion versions 2025 and
2023. This dependency update resolves a critical vulnerability that
could lead to arbitrary code execution.


Affected Versions

Product               Update number                   Platform

ColdFusion 2025      Update 5 and earlier versions    All

ColdFusion 2023      Update 17 and earlier versions   All


Solution

Adobe categorizes these updates with the following priority rating and 
recommends users update their installations to the newest versions:

Product           Updated Version   Platform   Priority rating   Availability

ColdFusion 2025   Update 6          All        1                 Tech Note

ColdFusion 2023   Update 18         All        1                 Tech Note

Note

For security reasons, we strongly recommend using the latest MySQL Java
connector. For more information on its usage, please refer to:
https://helpx.adobe.com/coldfusion/kb/coldfusion-configuring-mysql-jdbc.html

See the updated serial filter documentation for more details on
protection against insecure deserialization attacks:
https://helpx.adobe.com/coldfusion/kb/coldfusion-serialfilter-file.html


Update to dependencies

CVE Number        Dependency     Vulnerability Impact       Affected Versions

CVE-2025-66516    Apache Tika    Arbitrary code execution   ColdFusion 2025 Update 5 and earlier;
                                                            ColdFusion 2023 Update 17 and earlier

For more information, please see: 
https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k


Note

Adobe recommends updating your ColdFusion JDK/JRE LTS version to the 
latest update release as a secure practice. The ColdFusion downloads 
page is regularly updated to include the latest Java installers for 
the JDK version your installation supports as per the matrices below. 

    ColdFusion 2025 support matrix 
    ColdFusion 2023 support matrix

For instructions on how to use an external JDK, view Change ColdFusion 
JVM. 

Adobe also recommends applying the security configuration
settings included in the ColdFusion Security documentation and
reviewing the respective Lockdown guides.

    ColdFusion 2025 Lockdown Guide
    ColdFusion 2023 Lockdown Guide


ColdFusion JDK Requirement

COLDFUSION 2025 (version 2023.0.0.331385) and above
For Application Servers

On JEE installations, set the following JVM flag in the respective
startup file, depending on the type of Application Server being used:

-Djdk.serialFilter=!org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**;!com.mysql.cj.jdbc.interceptors.**;!org.apache.commons.collections.**;

For example:

Apache Tomcat Application Server: edit JAVA_OPTS in the 
‘Catalina.bat/sh’ file

WebLogic Application Server: edit JAVA_OPTIONS in the 
‘startWeblogic.cmd’ file

WildFly/EAP Application Server: edit JAVA_OPTS in the 
‘standalone.conf’ file

Set the JVM flags on a JEE installation of ColdFusion, not on a 
standalone installation.
 

COLDFUSION 2023 (version 2023.0.0.330468) and above
For Application Servers

On JEE installations, set the following JVM flag in the respective
startup file, depending on the type of Application Server being used:

-Djdk.serialFilter=!org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**;!com.mysql.cj.jdbc.interceptors.**;!org.apache.commons.collections.**;

For example:

Apache Tomcat Application Server: edit JAVA_OPTS in the 
‘Catalina.bat/sh’ file

WebLogic Application Server: edit JAVA_OPTIONS in the 
‘startWeblogic.cmd’ file

WildFly/EAP Application Server: edit JAVA_OPTS in the 
‘standalone.conf’ file

Set the JVM flags on a JEE installation of ColdFusion, not on a 
standalone installation.
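The jdk.serialFilter value shown in both the ColdFusion 2025 and the ColdFusion 2023 sections above is a JEP 290 pattern list: patterns are evaluated left to right, a leading "!" rejects, ".**" covers a package and all of its subpackages, ".*" covers only that package, and a class matching no pattern is UNDECIDED, which the JVM does not block. The following is an added example (it is not Adobe's code, not part of ColdFusion, and not from the bulletin) that models those documented rules in Python so an administrator can check, before editing JAVA_OPTS and restarting, which classes the configured filter would reject. All class names used as probes are constructed placeholders that merely fall inside the packages the bulletin lists.

```python
"""Evaluate a JDK serial filter (jdk.serialFilter / JEP 290) pattern string.

Added example, not part of the Adobe bulletin or of ColdFusion. It models the
documented pattern rules so the effect of a filter edit can be checked before
the application server is restarted.
Assumption: class names are given in Java binary form ("a.b.Cls" or "[La.b.Cls;").
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Filter value from the bulletin, joined into one line with no whitespace.
ADOBE_SERIAL_FILTER = (
    "!org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;"
    "!org.jgroups.**;!com.sun.rowset.**;!com.mysql.cj.jdbc.interceptors.**;"
    "!org.apache.commons.collections.**;"
)

LIMIT_KEYS = ("maxdepth", "maxrefs", "maxbytes", "maxarray")


@dataclass(frozen=True)
class Pattern:
    reject: bool   # True when the pattern was written with a leading "!"
    text: str      # the pattern without the "!"

    def matches(self, class_name: str) -> bool:
        # ".**" matches the package and every subpackage below it.
        if self.text.endswith(".**"):
            return class_name.startswith(self.text[:-2])
        # ".*" matches classes directly in that package only.
        if self.text.endswith(".*"):
            prefix = self.text[:-1]
            return class_name.startswith(prefix) and "." not in class_name[len(prefix):]
        # A trailing "*" without a dot is a plain prefix match ("*" alone matches all).
        if self.text.endswith("*"):
            return class_name.startswith(self.text[:-1])
        return class_name == self.text


def parse_filter(spec: str) -> Tuple[List[Pattern], Dict[str, int]]:
    """Split a jdk.serialFilter value into ordered patterns and numeric limits."""
    patterns: List[Pattern] = []
    limits: Dict[str, int] = {}
    for raw in spec.split(";"):
        item = raw.strip()          # tolerate whitespace left over from line wrapping
        if not item:
            continue
        if "=" in item:
            key, value = item.split("=", 1)
            if key not in LIMIT_KEYS:
                raise ValueError(f"unknown limit {key!r}")
            limits[key] = int(value)
            continue
        reject = item.startswith("!")
        patterns.append(Pattern(reject, item[1:] if reject else item))
    return patterns, limits


def component_class(class_name: str) -> Optional[str]:
    """For array descriptors the JDK filters the component class; primitives have none."""
    if not class_name.startswith("["):
        return class_name
    inner = class_name.lstrip("[")
    if inner.startswith("L") and inner.endswith(";"):
        return inner[1:-1]
    return None   # e.g. "[I": primitive array, no class to match


def check_class(spec: str, class_name: str) -> str:
    """Return REJECTED, ALLOWED or UNDECIDED; the first matching pattern wins.

    Only REJECTED stops deserialization, so a deny-list like the bulletin's
    leaves every unlisted class UNDECIDED; an allow-list ends in "!*" instead.
    """
    patterns, _ = parse_filter(spec)
    target = component_class(class_name)
    if target is None:
        return "UNDECIDED"
    for pattern in patterns:
        if pattern.matches(target):
            return "REJECTED" if pattern.reject else "ALLOWED"
    return "UNDECIDED"


def uncovered(spec: str, class_names: List[str]) -> List[str]:
    """Names in class_names that the filter would NOT reject; verifies a filter edit."""
    return [c for c in class_names if check_class(spec, c) != "REJECTED"]


if __name__ == "__main__":
    # Constructed, hypothetical class names chosen to fall inside the listed packages.
    probes = [
        "org.mozilla.example.Scriptable",
        "org.apache.commons.collections.functors.SomeTransformer",
        "[Lcom.sun.rowset.ExampleRowSet;",
        "java.util.ArrayList",
    ]
    for name in probes:
        print(f"{check_class(ADOBE_SERIAL_FILTER, name):9} {name}")
    # A single-star variant silently leaves subpackages uncovered:
    print(uncovered("!org.apache.commons.collections.*", probes[1:2]))
```

The `uncovered` check is the part worth keeping around: run it over the package list you intend to block whenever the flag is edited, because the difference between ".*" and ".**" is easy to miss in a startup file and only shows up as a class that is UNDECIDED rather than REJECTED.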

For more information, visit https://helpx.adobe.com/security.html,
or email PSIRT@adobe.com


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
