[Looking for Charlie's main web site?]

Presenting "Updating the Java underlying ColdFusion: considering it, doing it" Thurs Jan 18, Online

As most know, ColdFusion runs atop Java (and has since CF6). Did you know that JVM updates come out quarterly (including one just this week)? While some may find the process of doing them to be "old hat", others are often surprised to discover it's their responsibility to keep that Java updated. And on the surface, "installing Java" is easy--but like so many other things, "the devil is in the details".

So I will be presenting presented a talk on this topic, online this Thursday, at noon US Eastern, on the CFMeetup youtube livestream (which will be was recorded). Folks who are members of the Online ColdFusion Meetup will already have gotten notification about this, but for those who are not, here are the details:

[....Continue Reading....]

Several things to consider when applying updates to Java (aka the JVM, JDK, JRE)

If you learn there's a new Java update available, it may well be relatively simple for you to apply that update, but if you're running important applications that rely on Java, it's in your interest to give some consideration to various matters related to doing such an update.

And as important, if you may have skipped some Java updates before this one, there are some additional points to consider regarding some potentially important changes in updates you may be skipping.

In this post, I cover several topics in both those areas.

[....Continue Reading....]

Presenting "Installing CF2023: choices, challenges, and solutions" Thurs Dec 21, Online CFMeetup

Last week I did a talk on MIGRATING to CF2023 (as that's a challenge that many contemplate BEFORE proceeding to install it). This week I will follow-that up with a talk on INSTALLING it, and addressing various challenges in doing that. Some people don't do development and only deal with installing it. (Others don't ever want to install CF, and I address alternatives for them also.)

So I will be presenting presented this talk online this Thursday, at noon US Eastern, on the CFMeetup youtube livestream (which will be was recorded). Folks who are members of the Online ColdFusion Meetup will already have gotten notification about this, but for those who are not, here are the details:

[....Continue Reading....]

Announcing ColdFusion updates released Nov 14 2023: security update

Just a heads-up for my readers that there was an important security update released today by Adobe for ColdFusion 2023 (update 6) and 2021 (update 12). (Users of previous CF versions should note that those are no longer updated, not even for security fixes).

If you apply the update using the CF Admin and then find that CF starts but the Admin and your code fail, I cover that also, in the second section below.

For more, read on.

[....Continue Reading....]

Solving failure in applying Oct 2023 CF updates, or avoiding that failure

If you try to apply ColdFusion updates (including the latest released Oct 6) via the CF admin or command line and find that the update fails, the problem may be due to the JVM you're using (within CF or at the command line). There's a simple solution, which I discuss in this post.

TLDR; If you've configured either CF2021's java home to use Java 11.0.20 or later, or CF2023's java home to use 17.0.8 or later, you may find that applying CF updates ia the Admin will fail. You can apply the update via the command line, adding a needed new jvm arg:
-Djdk.util.zip.disableZip64ExtraFieldValidation=true
(to be placed BEFORE the -jar arg) in the java -jar ... command, as I discuss more in the 5th bullet point below. (If I've lost you with that simple suggested, read the rest here. And all may benefit reading what precedes that suggestion, for context. I also offer other suggestions and info.)

[....Continue Reading....]

Announcing ColdFusion updates released Aug 17 2023: resources and thoughts

Adobe has released today an important security update for each of ColdFusion 2023 (update 4) and 2021 (update 10). (Since CF2018 is end of life since July, there is no update for that version.) Note that while the technotes for the updates don't mention/link to any Adobe product security bulletin (APSB), this update is indeed an update that provides important security protections, as I discuss further below.

For more resources as well as some additional thoughts on the updates (including what security matter it entails as well as some lessons learned in applying the update--especially if you may update your Java to the JVM released last month), read on.

[....Continue Reading....]

Beware you can't install CF updates via the CF Admin after Jul 2023 JVM update

Be aware: if you update ColdFusion to run using the latest JVM updates (released July 18, 2023), you will encounter challenges, which have solutions as I describe here.

You will find that you can no longer INSTALL CF updates via the CF admin, if CF is using this new Java version. And even if the CF update is run from the command line, if using this newer Java version that also will fail. In either case, there is a new JVM argument that solved the problem, as I discuss below.

This is happening in CF2023, 2021, and 2018. (And this may continue to happen with future JVM updates, until Adobe otherwise addresses the problem.)

As an update, you may want to read a more recent post I did on this matter, in October 2023.

As an another update, when I first created this post originally on July 21st, another problem was that you would find that you could no longer use the CF Administrator to download CF updates, if CF was running this new Java version. You would get an error reporting, "Failed Signature verification"--or in some cases you may see only "error failed". But within a couple of weeks, I found that the CF Admin COULD now download updates (including the August 2023 CF update) but the CF update STILL fails to install correctly, as discussed in this post, unless the workaround offered is used.

FWIW, Adobe has also updated the technotes for CF2021 update 10 and CF2023 update 4 with a text box at the top that acknowledges this issue and points to this post for more detail.

In this post, I explain a) what this is all about, then b) how you can fix the problem of INSTALLING the update using the CF Admin, I'll explain how it seems we HAVE to workaround that problem (for now). I also offer a link to a bug report I've filed. I even offer a thought on how this new JVM update may prove over time to affect MORE than just this, and even MORE than just CF (and Lucee) but many java apps. Read on for more.

[....Continue Reading....]

Announcing ColdFusion update released Jul 19 2023: a third Priority 1 security update

Just days after two P1 CF security updates were released on Jul 11 and 14, Adobe has released yet another on Jul 19, for CF2023 update 3, CF2021 update 9, and CF2018 update 19.

Yes, this is shocking. Yes, unless there's a good explanation, I can understand how many would feel "someone on the CF team should be flogged". Don't shoot me: I'm just the messenger. I don't work for Adobe.

But I will add that in this post, besides just sharing news about the update (and more than JUST pointing to the update), I also offer an ADDITIONAL "fix" some will want to consider, to go BEYOND what this update addresses. See the discussion on "blocking the _cfclient query string".

Read on for more, where I cover:

  • Finding more info on this update
  • A suggestion on blocking the _cfclient query string
  • News for those doing manual offline installs: this update DOES have a zip
  • As for doing a Java update along with this update
  • CF2018 WAS indeed also updated

[....Continue Reading....]

Announcing Java updates of Jul 2023 for 8, 11, 17, and 20: resources and thoughts

It's that time again: there are new JVM updates released today (Jul 18, 2023) for the current long-term support (LTS) releases of Oracle Java, 8, 11, and 17, as well as the current interim update 20.

TLDR: The new updates are 1.8.0_381 (aka 8u381), 11.0.20, 17.0.8, and 20.0.2 respectively). For more on each of them, including what changed and the security fixes they each contain (including their CVE scores regarding urgency of concerns), see the Oracle resources I list below. Oracle calls them "critical patch updates" (yep, CPU), but they are in fact scheduled quarterly updates, so that "critical" nomenclature may sometimes be a bit overstated. And as is generally the case with these Java updates, most of them have the same changes and fixes across the 4 JVM versions, though not always.

For some folks, that's all they need to hear. For others, read on.

[....Continue Reading....]

Announcing CF update released Jul 14 2023: a second priority 1 security update in one week

Just days after a P1 security update released on Jul 11, Adobe has released yet another on Jul 14 (CF2023 update 2, CF2021 update 8, and CF2018 update 18). (I don't recall such a short gap between updates before, so yes: it's unusual.)

For more on the update, and some additional thoughts, read on.

[....Continue Reading....]

More Entries

Copyright ©2024 Charlie Arehart
Carehart Logo
BlogCFC was created by Raymond Camden. This blog is running version 5.005.
(Want to validate the html in this page?)

Managed Hosting Services provided by
Managed Dedicated Hosting