Follow-up on June 2024 CF update: more on change of default algorithm from CFMX_COMPAT

If you're considering or have already implemented the latest CF updates from June 2024 (CF2023 update 8 and CF2021 update 14), you might have struggled a bit to understand completely what Adobe was getting at in the update technotes, as they can sometimes be rather terse in covering some points (worse, some folks don't even read the technotes before applying the updates). Briefly, a key aspect of the update changes the default algorithm that CF uses, for code that does not specify one, in several CF functions related to encryption, hashing, or randomization.

As another case where Adobe is opting to sacrifice compatibility for security, the update changes from using the very old default of CFMX_COMPAT to using one of a couple of different alternatives, depending on the function. And if you're not careful or paying attention, you could break some critical part of your app by applying this update.

TLDR; In this post, I want to share a bit more to help you understand the impact of this update (which I blogged about in June), whether you're a developer or an administrator--and whether you've applied or not yet applied the update. Even if you HAVE done it and "all seems well" (in test or even in prod), do beware there may be nasty problems waiting to bite you that could take time to crop up. I'll explain the issues, and help you find the code using these functions, then help you determine if that code is or IS NOT affected by this change. I'll also discuss some real-world scenarios and challenges, with solutions.

Finally, I'll explain an available JVM arg (-Dcoldfusion.encryption.useCFMX_COMPATAsDefault=TRUE) that can be used to revert this behavior, for those who may feel they need to sacrifice security for compatibility, so as to get to this June update and take their time to address this change in the encryption default. I also explain how the CFMX_COMPAT algorithm DOES still remain available as an option, despite what some have asserted, which may be an acceptable option to use. Then I wrap up with some thoughts on how it may not be so bad that I'm only getting this post out a few weeks after the June update.

For more, read on.

Follow-up on March 2024 CF update: "patch" to log "implicit scope searches" that would fail

Don't miss that Adobe had added a useful feature (a "patch", made available in Apr 2024) to help in identifying any CFML code you may have which refers "implicitly" to scopes that would no longer be searched (for any variables without a scope prefix), which is the new default behavior for CF2021, CF2023 and beyond as of the March 2024 updates (updates 13 and 7, respectively).

TLDR; (more on each of these points, in the rest of this post)

  • For more on the update and the change regarding searchimplicitscopes, see my blog post on the March update
  • By following a couple of simple steps (including downloading a needed "patch" as discussed and linked to below), CF will start logging (to a new unscoped.log) whenever code is run that would access an unscoped variable when that would cause CF to implicitly search through scopes (external to the request) which it would no longer search if "searchimplicitscopes" was false. (To be clear, the new logging only works if searchimplicitscopes is true; if it is false, as is the new default as of the March 2024 updates, such searching would fail.)
  • The "patch" is a jar which you must manually obtain and put into place--it is NOT included with the March 2024 CF update, or any others. The steps are very simple, discussed below or in an Adobe technote that was released in the weeks after the March updates, with the title: View unscoped variables in a log file
  • Note that this patch is also NOT included in the June 2024 CF updates, CF2021 update 14 and CF2023 update 8
  • Further, beware that if you DO apply any update to CF after applying this patch, that update will REMOVE this "patch" (and any jars in the lib/updates folder which is referred to in the technote). Therefore, you would need to put the jar BACK in manually after any such CF update, for it to continue doing its logging
  • Finally, FWIW, note that you can even leverage this patch in the two CF updates PRIOR to the March 2024 updates which introduced the change in the default for searchimplicitscopes, so updates 5/6 and 11/12, respectively. That means someone could also use this patch to test BEFORE moving to either the March 2024 updates or later

Again, more on each of these points below. But for some, the news and the link to the technote (and my couple of tips above) may be all they feel they need to hear. For others, I think more perspective may help, so read on for that.

Announcing Java updates of Jul 2024 for 8, 11, 17, 21, and 22: thoughts and resources

It's that time again: there are new JVM updates released today (Jul 16, 2024) for the current long-term support (LTS) releases of Oracle Java, 8, 11, 17, and 21, as well as the new short-term release 22.

TLDR: The new updates are 1.8.0_421 (aka 8u421), 11.0.24, 17.0.12, 21.0.4, and 22.0.2 respectively. Crazy that there are now 5 current Java releases, I realize. More below on each of them, including what changed as well as the bug fixes and the security fixes each version contains (including their CVE scores regarding urgency of concerns), which are offered in Oracle resources I list below.

Oracle calls these updates "critical patch updates" (yep, "CPU"), but they are in fact scheduled quarterly updates, so that the "critical" aspect of this nomenclature may sometimes be a bit overstated. As is generally the case with these Java updates, most of them have the same changes and fixes across the four JVM versions, though not always.

For some folks, that's all they need to hear. For others, read on.

Limited-time discount on upgrade to CF2023 from CF2018 or earlier

Here's great news for those still running CF2018 or earlier, who may have been holding off upgrading to CF2023 because you would have to pay full price.

TLDR; Now through Feb 28, 2025 (originally Sep 30, 2024), those running CF9, 10, 11, 2016 or 2018 can upgrade to CF2023 for 25% off its full price. (Those running CF2021 can already, and always could, upgrade at 50% off the full price.) See their form to request the discount at https://fusion-reactor.com/blog/news/save-25-on-adobe-cf2023-upgrades/.

For more, read on.

Delighted to be speaking again at Adobe ColdFusion Summit 2024

I'm delighted to announce that I've been selected to speak again (for the 12th straight year) at the upcoming Adobe CF Summit conference, to be held in Las Vegas Sep 30-Oct 1.

Actually, I've had two of my talks selected. The first will be a repeat of the one I offered at CFCamp in Germany last month (June), while the second is a brand new talk (and one I've been meaning to offer for a long time):

Copyright ©2025 Charlie Arehart