
Announcing ColdFusion updates released Oct 15 2024: enhancements and fixes

An update for ColdFusion was released yesterday for both cf2023 (as update 11) and cf2021 (as update 17). In brief, the update has no security fixes, but does fix dozens of issues that folks have stumbled over recently. It also upgrades some "OEM" libraries underlying CF, and it offers some modest enhancements.

Also, if you are skipping to this update from CF2023 update 7 or earlier, or CF2021 update 13 or earlier, please don't apply the update before reading my discussion below about possible breaking changes introduced in the updates from March and June of this year.

For more details, read on.

First, apologies to my readers for getting this out just after midnight the day of the release: it turned out Adobe dropped this on the very same day that there was a Java update released. I blogged about that update earlier today. But it takes time for me to assess these updates (reading about them, trying them, seeing if others might have complained of issues), and then finally writing up these posts.

Next, besides simply announcing the update, of course I like to help both with links to additional resources for more information, and I also like to draw out some points that might be missed in those resources, or any issues that I have experienced on my own or heard about from others. (So far, this update seems to have gone smoothly--at least if you were on the immediately previous one. As I will discuss below, if you're coming from previous ones, there ARE issues to be aware of.)


Finding (and finding more about) the update

While you should have seen the update appear in your CF Admin when you log in (and if you don't, give it time as there may be a caching issue), as always Adobe has announced the update via their CF Community Forums, specifically: NOW LIVE! Adobe ColdFusion 2023 and 2021 October 2024 updates.

And that points to the (very important) technote for each version's update:

Of course, you should read those to learn more, but I elaborate on key things below. (And I can report I installed both updates without incident.)

What's changed in the update?

Again, if you read the technotes above, they discuss what's changed. I'd like to present the points with a little more context and indeed in a different order than Adobe lists them:
  • "OEM" library updates (and removals): Adobe has updated some of the Java libraries which underlie CF, which they refer to in the technote as "OEM upgrades". These include updates to ehcache, the included postgresql driver, quartz (which manages scheduled tasks), solr, and more. Usually these changes won't matter or be noticeable, but if it interests you, see the details/version numbers in the technotes. They also list some libraries that have been REMOVED, because they were "older, outdated, and vulnerable versions that had already been updated in earlier releases".
  • cfsetup support of client vars: The release notes go on in some detail to discuss the many ways that the cfsetup tool (new in CF2021, but missed by many) can now be used to manage client variable configuration from the command line and/or json config--just like the tool has long been able to manage nearly ALL CF admin settings. For more on CFSETUP, see a talk I gave on the topic.
  • whitespace management: The release notes ALSO elaborate a surprising bit about a change which is really only of importance, it seems, to those who run CF on JEE/J2EE servers, where CF has been deployed as an EAR or WAR file. In those cases, previous versions of CF didn't allow configuration of the "whitespace management" feature. This update fixes that. Yay, but it really is of no consequence for most CF shops, I suspect.

And though the technote doesn't mention it, the update will also incorporate more than a couple dozen "package" updates, at least assuming you have those packages installed. (To be clear, if you install CF using the full installer, it defaults to you having ALL packages; whereas if you install CF via the zip approach, it defaults to having virtually NO packages--and you are asked in the post-zip cfinstall process what packages you want to enable. Or you can install/uninstall them via the CF Admin UI or the cfpm command line tool.)

Many improvements, couched as "bugs fixed"

Some may see that list and shrug, feeling, "there's not much there, there". Au contraire mon frère. :-) You may notice a brief sentence where they mention changes regarding "Administrator, Language, CFSetup, Database, and other areas".

These and many more (over 3 dozen) are referring to bugs fixed in this release. Often we may not give much heed to the list, but this is not only a LOT of bug fixes, but many fix problems that have plagued folks for a while. There are 37 for CF2023 and 40 for CF2021! Some of the more interesting ones (again, not in the order Adobe lists them) include:

  • a fix to a nasty problem of threads growing excessively when using cfsearch under load
  • a fix to a nasty problem where the coldfusion-out.log didn't update/rotate as expected
  • a fix to a problem where CFFTP didn't work for sFTP, such as for connections using newer OpenSSH key algorithms like Ed25519
  • a fix to a problem where registering REST services (at the application-level) would fail
  • a fix to a problem where CFReport would fail
  • a fix to a problem where the "cfpm scan" command failed, reporting "path not found", when the path (holding your CFML code to scan for package requirements) DID exist
  • a fix to being unable to add or change scheduled tasks from Firefox
  • a fix where cfhtmltopdf orientation="landscape" was ignored, on CF2023 (only, it seems)
  • a fix to a problem where some were unable to resize an image using the CFImage tag, on CF2021 (only, it seems)
  • some improvements regarding cfpm command processing
  • a fix regarding some language and other exception-related errors
  • a fix to some scheduled task errors
  • a fix to a query of query sort problem
  • a fix to a problem regarding use of Oracle databases if updated to v19.24
  • a fix regarding MySQL reading "zerodatetimes"
  • and still more

Again, see the technote for either CF2023 or 2021 (whichever you are using) for even more bugs fixed. Note also that sometimes the wording of items in the "bugs fixed" list is a little awkward--sometimes worded in how the problem DID exist (before being fixed), or even offering a workaround needed BEFORE the bug was fixed (as in the case of the CFFTP/sftp issue above.)

"Known issue"/recommended post-update step(s)

There are 3 issues discussed in a "known issues" section toward the end of the technotes, which is pointed to early in the technote to highlight a couple of important things:

  • "The PDF Services page in ColdFusion Administrator does not load even with the HTMLToPDF package installed. As a workaround, clear the Felix cache (/cfusion/bin/felix-cache)." In other words, you will find that the CF Admin "PDF Services" page will report that the HTMLtoPDF package is not installed--even though the "Package Manager" page shows that it is installed. You will also find an error in the exception log indicating the same problem. It can be resolved, they note, by literally deleting that cfusion/bin/felix-cache folder, or by using the "cfpm purgecache" command--either of which should be done while CF is stopped. (And if you have more instances than just the cfusion one, you should do this in EACH instance.)
  • "The Oracle DataSource verification fails after installing the latest update. As a workaround, clear the Felix cache, and restart ColdFusion." (See my last comment, for more on clearing the felix-cache.)
  • "An exception occurs when indexing Open Document Format files, such as those with a .odt extension." They offer nothing more than that sentence.

I could stop at this point, as that's all you need to know about THIS update. And if you may be moving to this update from the one right before it (CF2023 update 10 or CF2021 update 16), then you can skip to the "JDK flag" discussion below and the concluding section.

Otherwise, if you may be skipping to this update from an earlier one, consider what follows.

What to consider, with regard to the 4 previous CF updates (possible breaking changes)

This has been quite a year for CF updates. There was one in March, then June, then August and September, and now this in October (they were CF2023 updates 7, 8, 9, 10 and now 11, and CF2021 updates 13, 14, 15, 16, and now 17.) The updates from March and June introduced potential breaking changes. Then as for August's CF2021 update 15, that had a bug in its update mechanism, which will matter if you DID apply that update before this one. Let me elaborate a bit on these.

So first, if you are jumping to this update from CF2023 update 6 or earlier, or CF2021 update 12 or earlier (or even CF2023 update 7 or CF2021 update 13), or if you just installed CF (and have no updates and are jumping to this as "the latest available update"), it's important that you be aware of the changes introduced in those March and June updates. I have 4 posts on that. Sorry it's a lot of info, but I am trying to help you make the best decisions:

Note as well that as for the "patch" discussed in the post in the 3rd bullet (to help with LOGGING the scopesearch problem), I discuss there how if you apply a later CF update, the patch is removed and you need to add it back. You will need to do that after applying this update.

Then second, if you are on CF2021 specifically and you might have installed update 15 (only) before applying this update 17 (you don't need to do that, but some may), then you will likely hit the issue I discuss here, where I also offer the simple solution: Follow-up on CF 2021 update 15: understanding, solving packages unexpectedly removed. Note that you can apply the same solution now, if you applied update 16 or later and never even noticed the problem that happened after update 15.

As with all CF updates, possible need to upgrade web server connector

Don't miss also that if you may be applying this CF update by skipping over others, you MAY need to upgrade the web server connector for CF (if you use CF with IIS or Apache). The technote offers a table at the bottom reporting which updates did require such connector updating, though it's not been necessary since update 5 of CF2023 and update 11 of CF2021. (Don't confuse the table regarding "connector configuration" with the one below it, "packages updated". Both have "yes" or "no" values next to each update number.)

Beware also that someone may have forgotten to update the connector after applying some CF update in the past. Sadly, Adobe doesn't provide version info in that table, to help you judge how updated your connector is. Basically you'd look at the date of your connector's isapi_redirect.dll (for IIS) or mod_jk.so (for Apache), and compare that to the date that the CF update was released. Those connector files get updated just before the update is released, and regardless of when you implement the connector, the date of those files shows the date Adobe released them--not the date you created or last updated the connector.

Finally, note that the connector table at the bottom of the technote refers to "recreating" the connector (which implies removing and re-adding it), but since cf2016 we've been able to "upgrade" the connector using the wsconfig UI (or command line). And I have a blog post with more on that here.
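The connector date comparison described in this section, as an added example that is not from the original post or from Adobe: it walks a directory for isapi_redirect.dll or mod_jk.so and reports any file dated well before a release date you supply. The function names, the 14-day tolerance and the sample dates are assumptions constructed for illustration.

```python
# Added example: compare connector binary dates with a CF update release date.
import os
from datetime import date, datetime, timedelta, timezone
from pathlib import Path

CONNECTOR_NAMES = {"isapi_redirect.dll", "mod_jk.so"}  # file names from the post


def find_connectors(root):
    """Return every connector binary found under root, sorted by path."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [Path(dirpath) / f for f in files if f.lower() in CONNECTOR_NAMES]
    return sorted(hits)


def file_date(path):
    """Modification date of the file, taken in UTC."""
    return datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc).date()


def audit_connectors(root, release_date, slack_days=14):
    """Return (path, file date, status) for each connector under root.

    release_date: release date of the last CF update whose technote says the
    connector needed updating (you supply it; the post lists no dates).
    slack_days: assumed tolerance, because the files are dated "just before"
    the release. A file older than that window is reported as "stale".
    """
    cutoff = release_date - timedelta(days=slack_days)
    return [(p, file_date(p), "stale" if file_date(p) < cutoff else "current")
            for p in find_connectors(root)]


def make_sample(root):
    """Build a constructed sample tree: one recent connector, one old one."""
    for rel, day in (("1/isapi_redirect.dll", "2024-01-10"), ("2/mod_jk.so", "2023-06-01")):
        path = Path(root, rel)
        path.parent.mkdir(parents=True)
        path.write_bytes(b"")
        ts = datetime.fromisoformat(day + "T12:00:00+00:00").timestamp()
        os.utime(path, (ts, ts))


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        for path, built, status in audit_connectors(tmp, date(2024, 1, 15)):  # constructed date
            print(f"{status:8}{built}  {path.relative_to(tmp)}")
```

To use it on a real server, call audit_connectors() with the directory that holds your connector files and the release date taken from the technote for the relevant update.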

Something to consider, if you're coming from CF2021 update 10 or CF2023 update 4, or earlier

There was a problem with the updates in mid-year 2023, because of a JVM change in mid-year 2023. I offer this for any who may be updating to this latest update but are coming from such an old CF update, and it may affect those who install CF2023 or 2021 and just jump to this latest update--but they first update the JVM within CF. Read on for some context.

If you apply the update in the CF Admin and find that CF starts but the admin and your code fail (such as with a 500 error, or perhaps in more detail starting with "java.lang.NullPointerException" or other errant behaviors), this may be due to a problem I had written about back in October 2023. The issue happened if you had updated the Java underlying CF to a version released in July 2023 or later (that's Java update 11.0.20 or later for CF2021, or Java 17.0.8 or later for CF2023).

I explained in that Oct post that the solution was to run the CF update from the command line, adding a needed new JVM argument (offered by Oracle). There is no need to "uninstall" the current update, since it failed. Just do this in running the update again.

I shared then how Adobe had planned to resolve the problem with "the next update"--and that was CF2021 update 11 and CF2023 update 5. So if you're on those (or later), this won't be a problem even if you HAVE updated the Java that CF uses. (This will make more sense if you read the post.)

You can probably ignore the discussion of the -Djdk.serialFilter "ColdFusion JDK Flag"

I see questions raised about this occasionally so I think it bears touching on it here. In both the CF update technotes AND the APSB/security bulletin pages, there is always a section at the bottom labeled "ColdFusion JDK flag requirements" or "ColdFusion JDK Requirement", respectively.

Many people presume it must be talking to them: they ARE on CF, and they know CF runs ON Java. But in fact, few folks need to worry about these flags. They are NOT for you if you are running CF the way nearly everyone does, either by installing it via the CF installer or perhaps using the "zip" installation approach (new since CF2021--and also not really suited for everyone). Instead, these "jdk flags" are offered by Adobe SOLELY for those who deploy CF on a Java application server, like JBoss, Jetty, Tomcat, etc. Again, many savvy CF admins/developers will STILL think it applies to them, because they know that those traditional CF install options DO deploy CF atop Tomcat, which IS a Java application server. And Tomcat is even listed in the discussion of the "flags", they'd note!

But to be more specific, Adobe is offering these flags for those who are themselves deploying CF via a WAR or EAR file. In that case, whoever runs the Java application server would control putting any needed "jdk flags" into the JVM args for that app server.

That's my understanding, at least. I'd welcome any correction or clarification. Indeed, it would be nice if Adobe would make this point more clear, so that fewer folks think those args are for them. (It's also not clear to me if it's a "problem" if you add the args when you don't NEED to.) Finally, I may well break this and the previous couple of sections into a separate post to point to on each of my CF update announcements. :-) These posts are already long enough!

On getting help with the update(s)

Finally, if you may want help with considering, installing, or troubleshooting anything related to these updates (or indeed anything related to CF), I'm available for online remote consulting. I can often help solve such update problems VERY quickly, getting you back on your feet. More at carehart.org/consulting.

Or you can certainly reach out to the CF community, starting first perhaps with the Adobe forum thread announcing the update, which I pointed to above. Then I list several of the online CF communities here.

Copyright ©2024 Charlie Arehart