June 25, 2019

DataBank Security Bulletin: Adobe ColdFusion Vulnerability

Adobe ColdFusion Vulnerability – CVE-2019-7838, CVE-2019-7839, CVE-2019-7840 / APSB19-27

On June 11, 2019, Adobe released patches for ColdFusion 11, ColdFusion 2016, and ColdFusion 2018 that address a critical vulnerability in these versions that allows for arbitrary code execution. More information can be found at the following link:

Adobe has labeled this patch as a priority 2 patch.


Is my server affected?

If your server is running ColdFusion 2018, ColdFusion 2016, or ColdFusion 11, your server may be affected.  To check, log in to your ColdFusion admin for each instance and navigate to Server Update > Updates.  From there, click Check for Updates and check your version against the affected version table below: 


Product         | Affected Versions              | Platform
ColdFusion 2018 | Update 3 and earlier versions  | All
ColdFusion 2016 | Update 10 and earlier versions | All
ColdFusion 11   | Update 18 and earlier versions | All


My server is affected.  What needs to be done to mitigate the vulnerability?

First, it is recommended to read the release notes as ColdFusion will need to be running a specific version of Java for the patch to work properly.  If Java is not updated and the patch listed above is run, your server is NOT protected.  Java patching is a prerequisite to the patch. The security updates require JDK 8u121 or higher (for ColdFusion 2016) and JDK 7u131 or JDK 8u121 (for ColdFusion 11).

Once Java has been updated, navigate into each ColdFusion instance and log in.  Click Server Update > Updates.  From there, click Check for Updates and apply the update.  This will require a ColdFusion restart.  Once done, confirm that the version of ColdFusion is updated to the version listed in the table below:

Product         | Updated Version | Platform | Priority rating | Availability
ColdFusion 2018 | Update 4        | All      | 2               | Tech note
ColdFusion 2016 | Update 11       | All      | 2               | Tech note
ColdFusion 11   | Update 19       | All      | 2               | Tech note
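
For anyone auditing more than one instance, the check described above (update level against the tables, plus the Java prerequisite) can be scripted. The following is an added example, not code from Adobe or DataBank; the function names, status strings and inventory rows are constructed for illustration, and it assumes you have already collected each instance's ColdFusion update number and JDK version string.

```python
import re

# Values transcribed from this bulletin: first fixed update per product and
# the JDK builds it names as prerequisites (none is given for ColdFusion 2018).
FIXED_UPDATE = {"2018": 4, "2016": 11, "11": 19}
MIN_JDK = {"2016": {8: 121}, "11": {7: 131, 8: 121}}

def parse_jdk(version):
    """Turn '1.8.0_121', '1.7.0_131-b12' or '8u121' into (major, update)."""
    m = re.match(r"(?:1\.)?(\d+)(?:\.0)?(?:[u_](\d+))?", version.strip())
    if not m:
        raise ValueError("unrecognised JDK version: %r" % version)
    return int(m.group(1)), int(m.group(2) or 0)

def jdk_meets_prereq(product, jdk_version):
    """True/False against the bulletin's JDK floor; None if it gives no floor."""
    floors = MIN_JDK.get(product)
    major, update = parse_jdk(jdk_version)
    if floors is None or major not in floors:
        return None  # assumption: JDK lines the bulletin does not name stay unverified
    return update >= floors[major]

def assess(product, cf_update, jdk_version):
    """Classify one instance; cf_update is the installed ColdFusion update number."""
    if product not in FIXED_UPDATE:
        return "not covered by this bulletin"
    jdk_ok = jdk_meets_prereq(product, jdk_version)
    if cf_update < FIXED_UPDATE[product]:
        return "affected: update Java first" if jdk_ok is False else "affected: apply update"
    if jdk_ok is False:
        # The bulletin's warning: the update without the required Java does not protect.
        return "NOT protected: update applied on an old JDK"
    return "updated" if jdk_ok else "updated: JDK prerequisite not verified"

# Constructed inventory (hostnames and values are made up for illustration).
INVENTORY = [
    ("cf-a", "2016", 10, "1.8.0_112"),
    ("cf-b", "2016", 11, "1.8.0_112"),
    ("cf-c", "11", 19, "1.7.0_131-b12"),
    ("cf-d", "2018", 3, "10.0.2"),
    ("cf-e", "11", 19, "8u201"),
]

if __name__ == "__main__":
    for host, product, cf_update, jdk in INVENTORY:
        print(host, "->", assess(product, cf_update, jdk))
```

The case worth watching for is cf-b: the ColdFusion update is at the fixed level, but the JDK is below the stated prerequisite, so the instance is reported as not protected.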


What if I need help applying the update? 

DataBank has partnered with CF Webtools, an Adobe partner, to help with these ColdFusion and Java updates.  CF Webtools can be reached by phone at 402.932.3386 or by sending an email to [email protected].

For DataBank customers that have subscribed to 24/7 ColdFusion Support, DataBank will honor these obligations through the CF Webtools partnership. You should expect a ticket from DataBank in the coming days requesting permission to proceed with the update, including timing. You may opt out of the update when the ticket arrives.

For those customers that have not subscribed to 24/7 ColdFusion Support from DataBank, you may contact CF Webtools directly for assistance with updates. CF Webtools will guide you through their process, including making arrangements for payment directly with CF Webtools.