
Announcing ColdFusion updates released Sep 10 2024: P3 security update

Though the news is a couple of days old, I want to share with my readers that an update for ColdFusion was released Tuesday, Sep 10, for both CF2023 (update 10) and CF2021 (update 16). In brief, the "only" change is to address a security vulnerability, which the associated APSB (Adobe Product Security Bulletin) for the update rates as "critical" severity (CVSS base score of 9.8 out of 10)...though curiously it also lists the update as merely priority 3 (the lowest of Adobe's three priority ratings). Bear in mind that the two measures answer different questions: severity reflects the potential impact of the vulnerability itself, while Adobe's priority rating reflects how urgently Adobe recommends installing, based in part on whether the product has historically been a target for attackers. A critical-severity vulnerability with a low priority rating is still one you want patched.

Also, if you are jumping to this update from CF2023 update 7 or earlier, or CF2021 update 13 or earlier, please don't apply it before reading my discussion below about possible breaking changes introduced in the March and June updates this year.

And there's still more to consider. Note that if somehow "it's all too much" for you, I can help directly and likely VERY quickly. See my discussion at the bottom here. Otherwise, for the details, read on.

First, apologies to my readers who might rely on my posting an entry announcing each update. I try to do it the day they come out, but I was swamped with many things this week.

Next, besides simply announcing the update, I like to offer links to additional resources for more information, and to draw out points that might be missed in those resources, as well as any issues I have experienced myself or heard about from others. (So far, this update seems to have gone smoothly, at least if you were on the immediately previous one. As I discuss below, if you're coming from earlier ones, there are issues to be aware of.)

Here are the topic areas covered below:
  • Finding (and finding more about) the update
  • What to consider, with regard to the 3 previous CF updates (possible breaking changes)
  • As with all CF updates, possible need to upgrade web server connector
  • Something to consider, if you're coming from CF2021 update 10 or CF2023 update 4, or earlier
  • You can probably ignore the discussion of the -Djdk.serialFilter "ColdFusion JDK Flag"
  • On getting help with the update(s)

Finding (and finding more about) the update

While you should see the update appear in your CF Admin when you log in (and if you don't, give it time, as there may be a caching issue), as always Adobe has announced the update via their CF Community Forums, specifically: NOW LIVE! Adobe ColdFusion 2023 and 2021 September 2024 security updates

That announcement points to the (very important) technote for each version's update, as well as to the Adobe Product Security Bulletin (APSB) related to it, with (just a little) more about the security issue identified and addressed:

Given that the update includes a security fix, it is in your interest to get it applied ASAP. (I have no further info about the vulnerability to share beyond what is in those linked pages above, and I don't yet have news of any challenges anyone may have had.) I can report that I installed both updates without incident.

What to consider, with regard to the 3 previous CF updates (possible breaking changes)

This has been quite a year for CF updates. There was one in March, then June, then August, and now this in September (CF2021 updates 13, 14, 15, and now 16; and CF2023 updates 7, 8, 9, and now 10). The updates from March and June introduced potential breaking changes, and August's CF2021 update 15 had a bug in its update mechanism. Let me elaborate a bit on each.

So first, if you are jumping to this update from CF2021 update 12 or earlier, or CF2023 update 6 or earlier (or even from CF2021 update 13 or CF2023 update 7), or if you just installed CF (have no updates applied, and are jumping to this as "the latest available update"), it's important that you be aware of the changes introduced in those March and June updates. I have 4 posts on that. Sorry it's a lot of info, but I am trying to help you make the best decisions:

Note as well that, as for the "patch" discussed in the post in the 3rd bullet, I explain there that applying a later CF update removes the patch, so you need to add it back. You will need to do that after applying this September update.

Then second, if you are on CF2021 specifically and you install update 15 RIGHT before applying this update 16 (you don't need to do that, but many do), then you will likely hit the issue I discuss in Follow-up on CF 2021 update 15: understanding, solving packages unexpectedly removed, where I also offer the simple solution. Note that you can apply the same solution now, if you have applied update 16 or later and never even noticed the problem that happened after update 15.

As with all CF updates, possible need to upgrade web server connector

Don't miss, also, that if you are applying this CF update by skipping over others, you MAY need to upgrade the web server connector for CF (if you use CF with IIS or Apache). The technote offers a table at the bottom reporting which updates did require such a connector upgrade, though it has not been necessary since update 5 of CF2023 and update 11 of CF2021. (Don't confuse the table regarding "connector configuration" with the one below it, "packages updated". Both have "yes" or "no" values next to each update number.)

Beware also that someone may have forgotten to update the connector after applying some CF update in the past. Sadly, Adobe doesn't provide version info in that table to help you judge how current your connector is. Basically, you'd look at the date of your connector's isapi_redirect.dll (for IIS) or mod_jk.so (for Apache), and compare that to the date the relevant CF update was released. Those connector files are built just before the update is released, and regardless of when you ran wsconfig, the date on those files reflects when Adobe built them, not when you created or last upgraded the connector.

Finally, note that the connector table at the bottom of the technote refers to "recreating" the connector (which implies removing and re-adding it), but since CF2016 we've been able to "upgrade" the connector using the wsconfig UI (or command line). I have a blog post with more on that here.
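As an added example (not code from this post, nor from Adobe), here is the date check described above, scripted. It walks the wsconfig folders under a ColdFusion root, reads the modification date of each isapi_redirect.dll or mod_jk.so it finds, and flags any dated before the release date you pass in, which should be the date of the most recent update whose "connector configuration" column in the technote says "yes". The folder layout (<cf_root>/config/wsconfig/<n>/) and the reading of the file date as Adobe's build date follow the post; the script name, its arguments and the example paths in the help text are my own assumptions.

```python
"""Flag ColdFusion web-server connector binaries that predate a given CF update.

Added example. Assumes the default wsconfig layout, <cf_root>/config/wsconfig/<n>/,
where wsconfig places isapi_redirect.dll (IIS) or mod_jk.so (Apache).
"""
from __future__ import annotations

import argparse
import os
from datetime import date, datetime
from pathlib import Path

# Connector binaries that wsconfig installs, one per web server type.
CONNECTOR_FILES = ("isapi_redirect.dll", "mod_jk.so")


def find_connectors(cf_root: str | os.PathLike) -> list[Path]:
    """Return every connector binary under <cf_root>/config/wsconfig, sorted by path."""
    wsconfig = Path(cf_root) / "config" / "wsconfig"
    if not wsconfig.is_dir():
        return []
    return sorted(p for p in wsconfig.rglob("*") if p.is_file() and p.name in CONNECTOR_FILES)


def connector_report(cf_root: str | os.PathLike,
                     required_release: date) -> list[tuple[str, date, bool]]:
    """Return (path, file_date, is_stale) for each connector binary found.

    The file's modification date is the date Adobe built that connector, not the
    date you ran wsconfig, so a date earlier than the release date of the last
    update that required a connector upgrade means the connector was never upgraded.
    """
    report = []
    for p in find_connectors(cf_root):
        built = datetime.fromtimestamp(p.stat().st_mtime).date()
        report.append((str(p), built, built < required_release))
    return report


def main(argv: list[str] | None = None) -> int:
    """CLI wrapper: exit 1 if any connector is stale, 2 if none were found, else 0."""
    ap = argparse.ArgumentParser(description=__doc__)
    ap.add_argument("cf_root",
                    help="ColdFusion root, e.g. C:\\ColdFusion2023 or /opt/coldfusion2023 (assumed paths)")
    ap.add_argument("required_release", type=date.fromisoformat,
                    help="YYYY-MM-DD release date of the newest update whose technote row "
                         "says the connector must be upgraded")
    args = ap.parse_args(argv)

    report = connector_report(args.cf_root, args.required_release)
    if not report:
        print(f"No connector binaries found under {Path(args.cf_root) / 'config' / 'wsconfig'}")
        return 2
    stale_count = 0
    for path, built, is_stale in report:
        print(f"{'STALE' if is_stale else 'ok   '}  {built}  {path}")
        stale_count += int(is_stale)
    return 1 if stale_count else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it as, for example, `python check_connectors.py /opt/coldfusion2023 2023-11-14` (the date being whatever you read off the technote for the newest "yes" row); any line marked STALE is a connector that should be upgraded via wsconfig before you consider the update finished.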

Something to consider, if you're coming from CF2021 update 10 or CF2023 update 4, or earlier

There was a problem with the mid-2023 CF updates, caused by a change in the JVM releases of that same period. I offer this for anyone updating to this latest update from such an old CF update, and it may also affect those who install CF2023 or CF2021 fresh and jump straight to this latest update, but first update the JVM within CF. Read on for some context.

If you apply the update in the CF Admin and find that CF starts but the Admin and your code fail (such as with a 500 error, or perhaps in more detail an error starting with "java.lang.NullPointerException", or other errant behavior), this may be due to a problem I wrote about in October 2023. The issue happened if you had updated the Java underlying CF to a version released in July 2023 or later (that's Java 11.0.20 or later for CF2021, or Java 17.0.8 or later for CF2023).

I explained in that October post that the solution was to run the CF update from the command line, adding a new JVM argument (one Oracle provides for the purpose). There is no need to "uninstall" the current update, since it failed; just include the argument when running the update again.

I shared then how Adobe had planned to resolve the problem with "the next update", and that was CF2021 update 11 and CF2023 update 5. So if you're on those (or later), this won't be a problem even if you HAVE updated the Java that CF uses. (This will make more sense if you read the post.)

You can probably ignore the discussion of the -Djdk.serialFilter "ColdFusion JDK Flag"

I see questions raised about this occasionally, so I think it bears touching on here. In both the CF update technotes AND the APSB/security bulletin pages, there is always a section at the bottom labeled "ColdFusion JDK flag requirements" or "ColdFusion JDK Requirement", respectively.

Many people presume it must be talking to them: they ARE on CF, and they know CF runs ON Java. But in fact, few folks need to worry about these flags. They are NOT for you if you are running CF the way nearly everyone does, either by installing it via the CF installer or perhaps using the "zip" installation approach (new since CF2021, and also not really suited to everyone).

Instead, these "jdk flags" are offered by Adobe SOLELY for those who deploy CF on a Java application server, like JBoss, Jetty, Tomcat, etc. Again, many savvy CF admins/developers will STILL think it applies to them, because they know that those traditional CF install options DO deploy CF atop Tomcat, which IS a Java application server. And Tomcat is even listed in the discussion of the "flags", they'd note!

But to be more specific, Adobe is offering these flags for those who are themselves deploying CF via a WAR or EAR file. In that case, whoever runs the Java application server would control putting any needed "jdk flags" into the JVM args for that app server.

That's my understanding, at least. I'd welcome any correction or clarification. Indeed, it would be nice if Adobe would make this point more clear, so that fewer folks think those args are for them. (It's also not clear to me if it's a "problem" if you add the args when you don't NEED to.) Finally, I may well break this and the previous couple of sections into a separate post to point to on each of my CF update announcements. :-) These posts are already long enough!

On getting help with the update(s)

Finally, if you may want help with considering, installing, or troubleshooting anything related to these updates (or indeed anything related to CF), I'm available for online remote consulting. I can often help solve such update problems VERY quickly, getting you back on your feet. More at carehart.org/consulting.

Or you can certainly reach out to the CF community, starting first perhaps with the Adobe forum thread announcing the update, which I pointed to above. Then I list several of the online CF communities here.

Comments
Hello Charlie,
I would like to thank you for the thorough details provided. That has been helping us to better understand the product (CF), its strengths and limitations. I would like to point out Adobe's position on fixing binaries vulnerabilities in the range of critical and highs. As CF customers we don't see a clear roadmap addressing those as time goes by, and the end of the life cycle of CF 2021 is approaching fast. We are eager to see frequent updates around security in the coming months. Best regards,
Hi Charlie,

I just updated my lower environments from Update 10 to Update 16 (I know, I'm slow!). Unfortunately this has resulted in my RESTful services no longer working. When I go into the Admin and try to refresh it, I get this:

Error registering REST service. Please ensure that you have entered a proper mapping and path.
Application [service mapping] could not be initialized.
Reason: null

I did add -Dcoldfusion.searchimplicitscopes=true to the JVM because I have very old code that does not scope and it would take me a while to fix it (I will -- I just can't do it right now).

Any advice would be much appreciated!
# Posted By Tom | 9/17/24 8:35 AM
Hugo, glad to have helped. But I do want to press you on the rest. First, when you say that you "would like to point Adobe's position on fixing binaries vulnerabilities in the range of critical and highs", can you elaborate on what you mean by "binaries vulnerabilities"?

And when you lament that the "end life cycle of CF 2021 is approaching fast" (Nov 2025), are you confirming whether the things that concern you may have been taken care of in CF2023 (or any of the updates to either CF2023 or 2021)?

And then what if the issues you raise are addressed by CF2025? Is that somehow not an option for you? And if your point would be that "you can't know, because there's no roadmap"...well, I don't work for Adobe and so can't make them create one.

Indeed, in that you " are eager to see frequent updates around security in the next coming months", asking for that here is a bit like howling in the wilderness. Instead, you should raise this issue to Adobe.

If you want to raise it to them directly, email either [email protected] or [email protected] (the latter may be better suited to your concerns here).

Otherwise, if you wanted to raise it to them publicly (so that others can see and perhaps chime in or at least benefit), you can either create a ticket at tracker.adobe.com, or open a discussion at the Adobe CF community forum (https://community.ad...).

But given the focus of this post, I would assert that further discussion of this general interest question here would be getting off-topic (and may not reach nearly the audience that the other options would).
OK - found this:

https://community.ad...

Adding the application.cfc worked. Glad the solution was simple!
# Posted By Tom | 9/17/24 1:23 PM
Hello Charlie,
Thank you for replying to my post. I just want to provide an update, as finally Adobe has prioritized some of the security dependencies. Now we can see they have been addressed in CF2021 Update 17, which is really good news.

Just as a note, when I referred to binary scans I was talking about BlackDuck scans.

Thanks a lot.
Copyright ©2024 Charlie Arehart