Beware you can't for now install CF updates via the CF Admin after applying Jul 2023 JVM update

Glad I wasn't the only one seeing that "Failed Signature verification" error! Thanks for the write-up and the workarounds!

Yep, to you both. Odd, indeed. But it's not clear it's an "Adobe problem". It may be, but perhaps not.

Again, time will tell if even folks in other tech stacks start reporting such "odd errors", based on this jvm change. It's just so unfortunate that the Oracle bug report for it is not public, so we really don't know what it's about.

I hope that Adobe may be able to dig into it, perhaps even getting deeper support from them as a partner (they license Oracle Java for us CF users, and I suspect they pay a pretty penny for that--something that few folks would ever consider/appreciate.)

Charlie, thanks for pulling all of this together and sharing it.

I did find what I believe is a reference to the underlying problem this change addresses at https://bugzilla.red... indicating that "A specially crafted ZIP file could cause a Java application to enter an infinite loop when extracting data from such archive".

Reading between the lines, it seems like there is something about how Adobe's update JARs are created which falls afoul of this change. Hopefully, Adobe can get that sorted and get us moving forward on a path with current and future Java updates again.

Ron thanks. I'd seen that also. But that, too, was precious little to go on, which is why I'd not mentioned it. Still, perhaps it may serve as a clue for Adobe.

Great to hear. Interesting that would lead to blank pages. BTW, folks following along should note that issue can affect those on cf2021 update 5 as well. I've been meaning to do a post about that.

Thanks for the kind regards, Chris. But no, I have no insight on when Adobe chooses to put the new versions on their site. I've reminded them directly of each of the last several updates.

We can't know if it's intentional or not that they're holding off on this one. Some may wonder if it's because of this issue that they've withheld posting this July update. But then doing that would fly in the face of their recommendation with the most recent (and all) cf security updates to "be on the latest update of the jvm supported by your cf version".

It's been quite a mess, this last month. I've hoped we'd get more clarity from them on their blog or forum, but sadly crickets since the release of the updates.

And some will notice they never seem to reply here. I've heard it's that they are not to discuss security matters informally. OK, but then give us more formally. Right now, we're left to make do otherwise.

I forgot to mention that I have added a new "update" within the last section before the conclusion, where I have listed a few of these other places/tools/projects that are tripping over this issue and offering that jvm arg as "the solution" for now.

Yep they had added it late last week. I'd forgotten to update this post. I'll do it now. And yep, sadly no warnings there, and no replies from them here or at the tracker ticket I'd opened. :-(

Vamsee, thanks. And good news/bad news on this issue.

First, perhaps you missed it but note that I had in fact updated this post already today to share that the download of cf updates from the cf admin does indeed now work, when using the new jvm--and without need of that new jvm arg. Again, thanks.

But the very bad news is that INSTALLING the cf update still does FAIL, again if one uses the new jvm. And the only way to fix it seems to be to run the install from the command line, with that new jvm arg, as discussed above (or switch to a JVM update from before July's).

So yes, it's great if you did something to fix the download. But now you really must fix whatever makes the install fail, first from the cf admin (as most will use that), then from the command line for those who prefer that (and without need of them to know to use that new jvm arg).

Otherwise I fear that there will be MANY MANY people experiencing failed updates, which will lead to very high frustration in the community and among your customers.

BTW, I also pointed out this ongoing issue on my blog entry that I posted earlier tonight on the new cf update:
https://www.carehart...

I hope you'll please reply here, there, and to the tracker ticket I'd opened about this in July, listed above. People WILL REALLY appreciate hearing that Adobe is giving attention to this matter. I certainly do.

Jarod, that's indeed the first sentence in my "Option 2 (to install)", above. And I also discuss in that same section how one COULD indeed use the JVM that came with CF.

As for your asking why anyone would be using a newer JVM from the command line, well first let's agree that Adobe tells people in each security update and security bulletin that they SHOULD update CF to use the latest JVM update (for the version of Java supported by that CF version).

And when folks run the CF update via java from the command line, they often don't think to use the JVM within CF's JRE folder. But they could, sure. And some docs even suggest they should--which is more about making sure they don't use a Java installer whose MAJOR version is older or newer than what that CF version supports at all. Again, see more in that section I point to above.

First, if they have updated the JVM that CF is configured to point to (in the CF admin "java and jvm" page, which sets the java.home in CFs' jvm.config and vice-versa), they will often choose to (or assume they should) use THAT JVM (at the command line). And that would be ok, normally.

Second (and perhaps as often), if they update that JVM using the JDK or a JRE INSTALLER (vs the zip), that will also change what is the "public jre"--what they see if they use "java -version" at the command line. And THAT could be this updated version, of course, which is why I have related the details in the post above.

But a different/related problem sometimes is that they may run, for example, the JDK or JRE installer for Java 17 for some other purpose on their machine, and not realize that that would NOT be the right java version at ALL for CF2021, which again does not currently support Java 17. (This is a separate issue from my last paragraph.)

Again I'd argue this last point is the main reason that some Adobe resources suggest you point to the JVM within the CF JRE folder, as at least that's sure you be the right MAJOR version (like a version of Java 11 for CF2021), even if not anywhere near the latest MINOR version (CF2021's first installer came with 11.0.1--a mistake, I would argue, which is now 5 years old--and put THAT in the CF2021 JRE folder).

My point in this post is simply to point out the conflict between the July 2023 Java updates and using that to install CF updates--whether in the CF Admin or at the command line. And then I offer alternatives and/or workarounds. Folks are free to choose.

Some might wish I offered just the "tell me what to do" answer, but clearly that's not how I roll. I realize that there can be different factors influencing how people have things setup. I instead prefer to give the details people need to try to make the right decision for themselves.

And to be clear, I can imagine scenarios where "just using the JRE in CF" to do a manual install MAY not be the "right" solution, such as when there's that large disparity I just discussed, if CF2021's JRE is that very old Java 11.0.1. There may come a time when using THAT to do a CF update may fail for a different reason. There are CERTAINLY reasons that keeping CF2021 itself USING that old JVM can be a problem.

If this stuff was easy, I'd not need to be writing about it. :-)

Hey Charlie,

Great work as always! I want to piggy back on the last comment from Steve. ColdFusion 2021 update 12 was having issues installing for me. It would succeed with a bunch of fatal errors related to file copy failures. I know you have another post about that, and I always usd the manual method for updating CF with litle to no issues. nyway, I tried the install with the extra java argument and it worked, so this still seems to be an issue with CF and java(version 11.0.21).

I have a newly installed instance of ColdFusion 2023. I have been trying to patch it with the Update 7 with no luck. I am running the command java -Djdk.util.zip.disableZip64ExtraFieldValidation=true -jar C:\ColdFusion2021\bundles\updateinstallers\hotfix-009-330148.jar
This does start the install, and it completes successfully, but with errors. There are 70 fatal errors, all similar to this: Failed to copy hotfix files:C:\Users\lmarsh_adm\189700.tmp\dist\cfusion\..\config\cfsetup\cfsetup.bat: Failed to copy the hotfix files to the target location. Retry installation after ensuring that the server is not running or files are not locked by the server.
I have stopped all CF services in the task manager. Not sure what to do at this point?

Lee, thanks for the update and the attempt to help readers. FWIW, my discussion of using the jvm arg ("Option 1", above) DOES indeed indicate "Windows users should be sure to use "run as admin" in opening the command line)."

But I suspect you may have seen the FIRST mention of the JVM arg near the top, and so perhaps never read the rest. I understand that. There's always a balancing act between offering a TLDR; portion at the top and the detail to follow.

So in response, and to help future readers, I have added a new link to where I'd said "I discuss that below", after showing the jvm arg the first time, and it jumps you to the "option 1" discussion.

Finally, while I had done a more updated post 3 months later, I didn't update this post to point to it--even though I mentioned it in the comments here at the time. So I have just tweaked the top of the post here to point people to that, which should reduce even further the chances of folks tripping over what we're discussing. :-)

I'm always open to feedback, so again thanks.