
ColdFusion updates released Aug 20 2024, offering Tomcat update

An update for ColdFusion has been released today for both CF2023 (update 9) and CF2021 (update 15). In brief, the only change is an update to Tomcat, which underlies traditional CF installations (whether implemented with the ColdFusion installer or the zip extraction process). I'll have more to share on the Tomcat aspects of the update below.

In addition, before applying the update, note that there are two other things to beware of, related to recent previous CF updates. They apply whether you are currently running the immediately preceding update (from June) or the one from March or earlier.

Here are the topics covered in this post:

  • Finding more from Adobe about the update
  • Beware before applying the update
  • More on the Tomcat upgrade aspect of this update

Finding more from Adobe about the update

As with any CF update, you may have noticed the news of the newly available update within your CF Admin. But note that Adobe also posts a new forum discussion thread whenever there is an update, as they did this time: NOW LIVE! Adobe ColdFusion 2023 and 2021 August 2024 general updates. And as they note there, each CF version has its own technote about the update: the technote for CF2023 update 9 and the technote for CF2021 update 15. The information offered in the technotes is essentially the same for each update, and you should consider it.

But as is often the case, there is a bit more to consider, and I offer these posts to try to fill in the gaps. :-)

Beware before applying the update

So first, while the update contains "only a Tomcat upgrade", note that this is true only if you're coming from the immediately preceding update (from June). And whether you are or not, there are still things to beware of:

  • If you ARE NOT on that immediately preceding update (June, so CF2023 update 8 or CF2021 update 13), you MUST consider the potential breaking changes from the change to the CFMX_compat encryption default introduced in that June update. I discussed issues related to this in my post about that June update. See as well the additional information I shared in a subsequent blog post, discussing more about dealing with those cfmx_compat issues.
  • And if you are NOT EVEN on the update BEFORE THAT (from March, so CF2023 update 7 or CF2021 update 12), then you must also consider the potential breaking changes from the change regarding "searching implicit scopes" introduced in that March update. I discussed that update and that issue in my blog post on that March update, and I elaborated still more in a subsequent post, discussing a helpful option to enable logging related to that.
  • Finally, whether you ARE coming from the June update, the March update, or any recent previous one, note that if you put in place the "patch" to enable logging of unscoped variables which search implicit scopes (as discussed in that blog post), then beware that this (and ANY) CF update will REMOVE that patch, so you will need to add it back, as I discussed in that last blog post I just listed.

More on the Tomcat upgrade aspect of this update

Let's wrap up the post discussing more on the Tomcat upgrade aspect of the update.

On confirming that the Tomcat upgrade is the only change in this August CF update

First, as for the fact that the update includes only a Tomcat upgrade, this is indeed indicated in the technotes about the update (for each of CF2021 and CF2023) and was also indicated in the CF community forum thread I pointed to earlier in this post. Still, like some of you perhaps, I wanted to make sure there really was nothing else included. So I asked in that forum thread, and Adobe CF team member Priyank confirmed in reply that this really was the only change.

Some may also be interested to hear that after asking (and before seeing his reply), I went ahead and compared the files within the update jar (comparing the most recent update to the previous one). I could see that indeed the only change implemented concerned several files in the cfusion/runtime/lib folder, related to Tomcat.

How this Tomcat upgrade incorporates several Tomcat updates

Some may also be interested to hear that the Tomcat upgrade brings us from Tomcat 9.0.85 (which came out in Jan 2024 and was last updated within CF in that March 2024 update) to Tomcat 9.0.93 (which came out earlier in Aug 2024).

And that span of release numbers does indeed incorporate several Tomcat releases, whose changes are detailed in the Tomcat change log. While many of the changes are inconsequential to CF (or to most CF users), note that there are especially important security-related improvements (discussed in the next section here).

Before I discuss those, I want to help those who may look into the Tomcat change log: note that the document breaks things down into Tomcat-specific categories such as "Catalina" and "Coyote". Briefly, Catalina is the underlying Java servlet engine within Tomcat (which is indeed core to CF processing), while Coyote is the built-in Tomcat web server (its HTTP connector). In the context of ColdFusion (and Lucee), that built-in web server is what most use only for the CF (or Lucee) Admin.

FWIW, when instead you connect to CF through a web server like IIS or Apache, you typically use the CF "web server configuration" tool (or in Lucee the Boncode connector tool), and that connection is what Tomcat refers to as the "JK connector". Technically that JK connector is documented and tracked separately from Tomcat itself.

How this Tomcat upgrade implements multiple security fixes

So as I noted in the previous section, among the many changes incorporated in the Tomcat updates between 9.0.85 and 9.0.93 (implemented by this CF update), there are two security-specific matters that the Tomcat team identifies as vulnerabilities, fixed in Tomcat updates 9.0.86 and 9.0.90, as discussed in this section of the Tomcat 9 vulnerabilities page.

If you check that out, you will see that the listed vulnerabilities are classed as "denial of service" issues rather than "remote code execution" or such. I'll leave you to decide how important those matters seem to you, with respect to whether this update "needs to be applied urgently".

On whether this is indeed the "latest" available Tomcat update

Finally, some people will naturally wonder whether this Tomcat update is indeed the "latest" one available for Tomcat. I can say that it is, with respect to the Tomcat 9.0 version that CF currently runs on. Let me explain that and offer just a bit more that may benefit some readers.

I cover here first whether Tomcat 9.0.93 is indeed the latest Tomcat 9 update, and then I discuss Tomcat 10 (no longer updated), 10.1, and 11 (in beta).

First, as I mentioned above, Tomcat 9.0.93 was just released on Aug 2, 2024. Kudos to Adobe for ensuring that the "pack of Tomcat upgrades" incorporated by this update did include that latest one. But how long will this indeed mean "CF includes the latest Tomcat 9 update"?

Well, to be clear, Tomcat updates are indeed typically released more frequently than CF updates. More importantly, note that there's no way for users running CF (on its built-in, customized Tomcat) to upgrade that Tomcat version ourselves. We MUST wait for Adobe to offer that within a CF update, as they have today.

Second, some may know or notice that Tomcat 9 is not actually "the latest major Tomcat version". That's true: just as CF supports two or more major versions (currently CF2023 and CF2021), so also does Tomcat. There was first a Tomcat 10.0 (last updated in 2022) and now an available Tomcat 10.1 (which, like Tomcat 9.0, was also last updated on Aug 2, 2024, as I write). And FWIW, note that there is currently no Tomcat 9.1.

To be clear, Adobe does not yet support Tomcat 10 in its built-in implementation of Tomcat underlying CF. But Adobe has announced at recent conference keynote talks that the NEXT release of CF (generally expected to be CF2025) will be built atop Tomcat 10.1. And lastly, while there is indeed a Tomcat 11 which is now in beta (as I write), there's been no discussion (that I've heard) of whether or when CF will support or be built atop that.

Hope this news and additional perspective may be helpful. I welcome your feedback. As always, if you may want any help applying this update or any CF (or Java) update, I'm available to help via remote screenshare consulting, with satisfaction guaranteed.

Comments
Charlie, as always, thank you for digging into the details of this update and giving us the skinny on it.
# Posted By Rich Toomsen | 8/21/24 9:56 PM
Thanks very much, Rich. I just started considering more and more about the implications of this "Tomcat update", and soon I found I had a lot of info to synthesize and share. :-)

I do sincerely appreciate hearing if people find it beneficial!
Hi Charlie, I'm having a strange issue updating our 2021 dev server from HF14 to HF15. It's uninstalling any packages which were updated to version 14 in the last update. In the HF update log I can see it's trying to download updated packages:

Downloading the package document-2021.0.15.330303.jarhttps://cfmodules.ad... cannot be downloaded. Error : Not Found.
Downloading the dependent package report-2021.0.15.330303.jarhttps://cfmodules.ad... cannot be downloaded. Error : Not Found.
Downloading the package pdf-2021.0.15.330303.jarhttps://cfmodules.ad... cannot be downloaded. Error : Not Found.
Downloading the package htmltopdf-2021.0.15.330303.jarhttps://cfmodules.ad... cannot be downloaded. Error : Not Found.The package document is marked for uninstallation. Uninstallation will be done, on the next server start.

I've run the update from the CF Admin website and also via the command line. I've tried setting the packagesurl in the neo_updates.xml to the online repository 'https://www.adobe.co...' and to the local bundlesdependency.json. Each time it attempts to download the version 15 packages listed above, even though I know this HF doesn't have a package update, which I can see in the bundlesdependency.json.

You may recollect I had issues with the HF13 update removing packages; this turned out to be an issue at Adobe's end which was resolved. I'm scratching my head why it's trying to download version 15 packages during the update. I've logged the issue with CF Support and am waiting to hear back.
# Posted By MaxUK | 8/23/24 5:52 AM
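The log excerpt above is the kind of thing worth checking before the post-update restart, since the "marked for uninstallation" notice says the removal only happens on the next server start. The following is an added example, not code from this blog or from Adobe: it scans hotfix log text for failed package downloads and for packages queued for removal, and builds the cfpm command to restore them. The sample log is constructed from the lines quoted in the comment (package names and version string as quoted; the repository host is a placeholder).

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the hotfix log excerpt quoted in the comment above.
# Package names and the version string come from that excerpt; the repository host
# is a placeholder. As in the excerpt, the last download line and the uninstall
# notice run together on one line, so the parser must not rely on one message per line.
SAMPLE_LOG = (
    "Downloading the package document-2021.0.15.330303.jarhttps://repo.example.invalid/"
    "document-2021.0.15.330303.jar cannot be downloaded. Error : Not Found.\n"
    "Downloading the dependent package report-2021.0.15.330303.jarhttps://repo.example.invalid/"
    "report-2021.0.15.330303.jar cannot be downloaded. Error : Not Found.\n"
    "Downloading the package pdf-2021.0.15.330303.jarhttps://repo.example.invalid/"
    "pdf-2021.0.15.330303.jar cannot be downloaded. Error : Not Found.\n"
    "Downloading the package htmltopdf-2021.0.15.330303.jarhttps://repo.example.invalid/"
    "htmltopdf-2021.0.15.330303.jar cannot be downloaded. Error : Not Found."
    "The package document is marked for uninstallation. "
    "Uninstallation will be done, on the next server start.\n"
)

# "Downloading the [dependent ]package <name>-<version>.jar<url> cannot be downloaded. Error : <reason>."
DOWNLOAD_FAILED = re.compile(
    r"Downloading the (?:dependent )?package (?P<name>[A-Za-z0-9_]+)-(?P<version>\d+(?:\.\d+)+)\.jar"
    r"[^\n]*?cannot be downloaded\. Error : (?P<error>[^.\n]+)"
)
# "The package <name> is marked for uninstallation."
MARKED_FOR_UNINSTALL = re.compile(r"The package (?P<name>[A-Za-z0-9_]+) is marked for uninstallation")


@dataclass
class HotfixLogReport:
    # package name -> (version the installer looked for, error text)
    failed_downloads: dict = field(default_factory=dict)
    # packages the installer will remove on the next server start
    marked_for_uninstall: list = field(default_factory=list)

    @property
    def safe_to_restart(self) -> bool:
        """False when a restart would silently remove packages."""
        return not self.marked_for_uninstall


def parse_hotfix_log(text: str) -> HotfixLogReport:
    """Scan the whole log text (not line by line) for both message kinds."""
    report = HotfixLogReport()
    for m in DOWNLOAD_FAILED.finditer(text):
        report.failed_downloads[m["name"]] = (m["version"], m["error"].strip())
    for m in MARKED_FOR_UNINSTALL.finditer(text):
        if m["name"] not in report.marked_for_uninstall:
            report.marked_for_uninstall.append(m["name"])
    return report


def cfpm_reinstall_command(packages) -> str:
    """Build the cfpm 'install' command to restore the packages. No space after the
    commas: a later comment in this thread reports that spaces break the command
    when cfpm is invoked from outside its own CLI."""
    return "install " + ",".join(sorted(set(packages)))


if __name__ == "__main__":
    report = parse_hotfix_log(SAMPLE_LOG)
    for name, (version, error) in report.failed_downloads.items():
        print(f"download failed: {name} {version} ({error})")
    if not report.safe_to_restart:
        print("do NOT restart yet; these packages would be removed:", report.marked_for_uninstall)
        print("restore afterwards with: cfpm", cfpm_reinstall_command(report.marked_for_uninstall))
```

Run it against the real hotfix install log (path and exact message wording may differ by version, so adjust the two patterns if your log does not match) and treat a non-empty "marked for uninstallation" list as a stop sign before restarting.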
I had a similar issue. Ran the update from command line and had the repository stored locally. "packagesurl" was pointed to the local copy. After the update, the 4 packages you mentioned were uninstalled. I had to put them back manually. Never had this issue with any of the past updates.
Do we find it beneficial? YES.
MY SOP:
1. See there is an update available.
2. Open the tech note link and read it.
3. Go see what Charlie has to say about it.
4. Plan for the upgrade.
# Posted By Susan | 8/23/24 11:22 AM
Susan, thanks so much. :-) I'm really glad to be able to help. That feedback is more valuable than many will realize. (It can feel like I'm a performer playing to an empty theater/stadium sometimes.)

Roberto and Max, I am working on your issue as well. Will report when I have findings/suggestions, hopefully soon.
Charlie you aren't performing to an empty theater. I do just as Susan said, I wait for your blog post before applying any CF updates... ;)
Thanks, Roberto. And I guess I was referring as much to other posts, rather than just these announcing updates. Always a balancing act, identifying what's worth writing about, how much, etc. As long as some folks do appreciate them, I'm happy to keep offering! :-)
Roberto and Max (and others seeing this), I've been able to recreate the problem you reported. And more than that, I think I can see what's happening. On the surface, it would seem to take a resolution from Adobe (certainly for everyone to benefit), but I (or someone else) may be able to create a modified update installer jar to resolve the problem.

What I've found is that buried deep (deep) inside the hotfix-015-330303.jar there is a bundlesdependency.json which is the crux of the problem. That file names the package updates with the 2021.0.15 name prefixes which really DO NOT exist.

As you note, update 15 had ZERO package updates--it was only this tomcat update, as I had confirmed conclusively in the post above. (If one was coming from an EARLIER update and the updates you skipped DID entail updated packages, then yes applying this update WOULD implement those.)

For Adobe or others: inside the hotfix-015-330303.jar (which, as many know, is itself simply a compressed file), there is a Disk1\InstData\ folder, and in THAT there is Resource1.zip, and inside THAT is a $IA_PROJECT_DIR$\hotfix\ folder. Then in THAT is a dist_zg_ia_sf.jar, and finally inside THAT there is a bundles folder, which has this bundlesdependency.json file.

And I can confirm that in the CF2023 update 9 jar (which doesn't have this problem--and also had NO package updates), this folder (deep inside THAT hotfix-009-330677.jar) has NO such file.

And that's why I'd think that if one could delete just that file (but then repackage everything, with the jar inside the zip inside the zip...), perhaps the update would just work.

Or we wait for Adobe to hopefully find this and correct it with a new 2021 update 15 jar. It's happened before. (And I suspect that maybe there was a plan to incorporate package updates and then it was withheld, but this file was left there pointing to package updates that were never implemented in this update.)

We shall see.
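The nested-archive walk described in the comment above (jar inside zip inside jar) is tedious to do by hand, and it is a useful pre-apply check: see which package versions a hotfix references before installing it. The following is an added example, not code from this blog or from Adobe. It descends through nested jars/zips in memory, returns every bundlesdependency.json it finds with the path chain that leads to it, and collects the version strings referenced anywhere in the file. The real schema of bundlesdependency.json is not shown in the thread, so the JSON sample here is hypothetical and the version scan deliberately ignores structure; the sample installer is likewise constructed, following only the folder names the comment gives.

```python
import io
import json
import re
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".zip")
VERSION_RE = re.compile(r"\b\d{4}\.\d+\.\d+\.\d+\b")  # e.g. 2021.0.15.330303

# Hypothetical contents for the bundles file; the real schema is not shown in the
# comment above, so version_strings() below deliberately ignores structure.
SAMPLE_BUNDLES_JSON = {
    "packages": [
        {"name": "document", "version": "2021.0.15.330303", "dependsOn": ["report"]},
        {"name": "report", "version": "2021.0.15.330303"},
    ]
}


def find_in_nested_archives(data, target_name, path=(), max_entry_bytes=64 * 1024 * 1024):
    """Yield (path_chain, bytes) for every entry named target_name, descending into
    nested jars/zips in memory. max_entry_bytes caps each member's declared size so a
    crafted archive cannot force an unbounded in-memory expansion."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            chain = path + (info.filename,)
            if info.file_size > max_entry_bytes:
                raise ValueError(f"{'/'.join(chain)} declares {info.file_size} bytes")
            base = info.filename.rsplit("/", 1)[-1]
            if base == target_name:
                yield chain, zf.read(info)
            elif base.lower().endswith(ARCHIVE_SUFFIXES):
                yield from find_in_nested_archives(zf.read(info), target_name, chain, max_entry_bytes)


def version_strings(obj):
    """Collect every CF-style version string found anywhere in a parsed JSON value."""
    found = set()
    if isinstance(obj, dict):
        for v in obj.values():
            found |= version_strings(v)
    elif isinstance(obj, list):
        for v in obj:
            found |= version_strings(v)
    elif isinstance(obj, str):
        found.update(VERSION_RE.findall(obj))
    return found


def inspect_hotfix(jar_bytes):
    """Return [(path_chain, versions)] for each bundlesdependency.json inside the hotfix jar."""
    results = []
    for chain, raw in find_in_nested_archives(jar_bytes, "bundlesdependency.json"):
        results.append((chain, version_strings(json.loads(raw))))
    return results


def _zip_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_hotfix(with_bundles_file):
    """Constructed stand-in for an installer jar, nested as the comment describes:
    jar -> Disk1/InstData/Resource1.zip -> $IA_PROJECT_DIR$/hotfix/dist_zg_ia_sf.jar -> bundles/."""
    inner = {"hotfix/README.txt": b"constructed placeholder, not Adobe's content\n"}
    if with_bundles_file:
        inner["bundles/bundlesdependency.json"] = json.dumps(SAMPLE_BUNDLES_JSON).encode()
    dist_jar = _zip_bytes(inner)
    resource_zip = _zip_bytes({"$IA_PROJECT_DIR$/hotfix/dist_zg_ia_sf.jar": dist_jar})
    return _zip_bytes({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                       "Disk1/InstData/Resource1.zip": resource_zip})


if __name__ == "__main__":
    for chain, versions in inspect_hotfix(build_sample_hotfix(True)):
        print(" -> ".join(chain))
        print("  package versions referenced:", sorted(versions))
```

To use it on a downloaded hotfix, read the jar into bytes and pass them to inspect_hotfix(); an empty result is the CF2023 update 9 situation the comment describes (no bundles file at all), while a result listing a version prefix that matches the update itself is the signal to confirm those package jars actually exist in the configured repository before applying.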
Charlie, what you are saying makes complete sense. Thanks for looking into this and clarifying what went wrong!
Hi Charlie, many thanks for investigating this! Good to know it's an issue with hotfix 15 for 2021 and hopefully Adobe will resolve it soon. Would you mind if I add the details of your explanation to the case I have open? It may expedite a resolution.

As others have commented, your blog is invaluable; it's always my first port of call after a new update has been released.
# Posted By MaxUK | 8/24/24 2:29 AM
First, Max, thanks. Second, let us know what that ticket ID is. I don't see that you've mentioned it yet. Finally, I'd definitely want to share there what I've found. (And if you'd have offered the ticket I'd have done it already. :-( Or I could once you do.)

But if you would instead, you might want to keep it brief and point to the comment directly for more. For everyone's sake, let me note how the date/time below any comment here is in fact a link to that comment. So mine with the details on my findings is at:

https://www.carehart...
Hi Charlie, thanks. The ticket ID is 128872 and I've passed the blog page link onto CF support along with the date and time of each relevant comment.
# Posted By MaxUK | 8/25/24 3:18 AM
Thanks, Max. But there's no cf bug or feature request at the Adobe tracker site, if we use the standard CF- prefix, CF-128872, or the url:

https://tracker.adob...

And while sometimes that reported "no issue found" error happens for a private bug report, I don't think that's the problem as the number you show doesn't match that of the other cf issues filed there in August, all starting with CF-4223xxx.

I also searched all the other products, in case you somehow picked another. :-)

So can you give us the url to get to wherever it may be that you filed this? Others may want to add votes, subscribe, or just check it out.
Hi Charlie, I've logged my issue with ColdFusion Support via email at - [email protected]. I wasn't aware of the bug tracker site, however after seeing your message I have also logged it there:

link https://tracker.adob...
# Posted By MaxUK | 8/26/24 1:48 AM
They now acknowledge that you may need to manually add back some packages. https://helpx.adobe....
Yes, I saw that. Thanks for pointing it out. A couple of things.

First, while there's value in their sharing that workaround (for those wiping up the mess), it doesn't fix the "broken jar of milk" that's creating the mess, more specifically for others who may apply the update going forward (who often don't read the technotes completely, if at all, before applying an update). :-( And I'd been on client calls until now to address that.

1) So first, I have just emailed them to ask if they plan to solve the root cause problem, versus offering only this manual effort.

2) Even better, I've asked if they could at least show folks that if they go into the cfpm tool, where they can then just do:

install document, htmltopdf, pdf, presentation, print, report

3) That said, while the install command when run INSIDE the cfpm CLI DOES indeed let you specify more than one package to install, sadly there's a bug where if you try to do this from outside the CLI, such as:

C:\ColdFusion2021\cfusion\bin\cfpm install document, htmltopdf, pdf, presentation, print, report

it fails reporting "Invalid command. You have passed more parameters than required." (And the same is true about the "cfpm uninstall" command.)

I have just filed a bug report for that: https://tracker.adob...

Interested folks should add a vote (please).
And Max thanks for your sharing your news of the tracker bug report you created for the original issue being discussed here. I just added a vote AND I also updated it to point out this new info of the last couple of comments (for those who may see that ticket but not this blog post).
As an update to my first comment on 8/28 (on the problem with an imperative "cfpm install" of more than one package), I've learned that for now a workaround is to remove the space after the commas. And that's due to be fixed. Yay on both points. :-)
Copyright ©2024 Charlie Arehart
BlogCFC was created by Raymond Camden. This blog is running version 5.005.