Note: This blog post is from 2020. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

and java system properties into:

(Thanks to Sean C for catching a mistake in the initial post.)

I learned of it last year when Pete F tweeted about it, and I assumed someone else would do a post about it, but the topic came up in a discussion today and I was surprised to not be able to find any mention of it, other than that and his mention of it in his cfdocs.org site.

And yes, Lucee had it first (as proposed initially in 2015). :-)

The feature can be useful, whether you're setting such vars when running a (Docker) container, or via JVM args, etc., and you want to be able to access them within CFML.

Note: This blog post is from 2020. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

Perhaps you're getting errors referring to "metaspace" or "OutOfMemoryError: Metaspace", whether in your web sites, error logs, or even the CF Admin, and you wonder "what to do". Or you may be getting odd occurrences of blank pages, and if you look in your coldfusion-error.log you are finding such metaspace errors.

TLDR; In all these cases, the solution is simple (and may seem contrarian to some ears): REMOVE the maxmetaspace element from your JVM arguments. Indeed, I would go so far as to say everyone should simply remove it, even BEFORE you may get errors.

In the post that follows, I will explain how to remove it, including how you need to be VERY careful when doing that. You may also wonder why I recommend removing it, versus raising it. I cover that, as well as a bug report I filed with Adobe related this tis (which was fixed as of CF2021), below.

I also created an abbreviated version of this post, on the Adobe CF portal, if that may interest some readers.

[....Continue Reading....]

Note: This blog post is from 2019. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

But note first that the security aspect applies only to those running CF on Windows (and even then not ALL users of CF on Windows, as I will explain).

Then again, the update also includes a bug fix to a CF Admin, for a UI issue (related to updates, in fact), and if you need that, then you do want the fix (regardless of your OS).

So who needs it? If you need a little more guidance, I offer some clarification, as well as links from Adobe for more.

[....Continue Reading....]

Note: This blog post is from 2019. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

And if you HAVE already read part 1, if it was before Saturday morning, do go back and reread it. I had added some important info that I thought shouldn't wait to Part 2, which I knew could take me a while. See especially the sections there, "A brief introduction to the vulnerability and the fix", "Should you be worried?", and "What if you can't apply the update immediately, and can't wait for part 2?".

And my apologies for the delay in getting part 2 out. For various reasons, including related to additional research work I'm doing on this exploit beyond CF, I was unable to post this then. Better late than never, I hope. Indeed, I had listed quite a lot in Part 1 that I hoped to cover in a part 2. I don't want to delay getting this out any later, so I will get done today what I can and post that, and carry over into a part 3 (or beyond) whatever remains. There are some natural breaks, fortunately. Thanks for your patience.

Following are what I cover here in Part 2:

• More detail about the vulnerability and what was "fixed"
• Wouldn't an antivirus package on the server detect this sort of trojan?
• How to add further protection from it (especially if you may be unable to implement the update for some reason)
• Considering running a security scan of your CFML code
• Consider implementing a web application firewall
• How to prevent execution of the files used in the attack, if they may already be on your server
• Another benefit of applying the latest updates
• What about Lucee?

[....Continue Reading....]

Note: This blog post is from 2019. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

All CF shops are urged to install this update immediately, to implement new protections against a known attack happening in the wild. It's identified in the associated Adobe Product Security Bulletin, APSB19-14, as a priority 1 critical vulnerability.

I will add that I can vouch personally for the significance of the vulnerability, as I reported it to the Adobe Product Security Incident Response Team (PSIRT), and I proposed the fix which was implemented. (I also know what was done specifically to perpetrate the attack, and the very negative consequences of what happened once the server of a client of mine was attacked. You don't want this to happen to you.) I plan to share much more in a part 2 post (now posted, but do see below for the context it builds upon).

(In the meantime, I have tweaked this part 1 since originally posting it, to share more here.)

[....Continue Reading....]

Note: This blog post is from 2018. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

After April 30, 2019, Adobe will no longer provide any updates for CF11, so there will be no security patches or hot fixes for CF 11 after that. Of course, updates for CF2016 will indeed continue into Feb 2021, while CF2018 updates will continue into July 2023. And we could expect CF2020 (when it comes) to by supported into 2025.

How do I know this? Where does Adobe say it? And can one buy support (yes) to "buy extra time to get such CF11 updates beyond April" (no)? And what about CF11 support for Java 11 (no)? Finally, could you use help in moving off CF11 to CF 2016 or 2018? For more on each of these, read on.

(Update: I should note that Adobe did indeed offer one more update beyond April 2019, in June, when they updated CF2018 and 2016 as well for an important security update. That was a bonus. They have said there really will be no more CF11 updates, as per the original plan.)

[....Continue Reading....]

Note: This blog post is from 2018. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

TLDR (and update since initial post):
If you can add ::1 to the list of debugging IP addresses in the CF Admin, that should solve this problem. If you cannot, that problem was fixed a few months after I wrote this, in CF2018 update 2 and CF2016 update 8, released in Feb 2019 (and it's no longer a problem on CF2021 and above, of course). For those not yet running those, if you find that adding ::1 just turns into 0:0:0:0:0:0:0:1, read on.

For more on the matter, including why it happened, solving it, etc., read on.

[....Continue Reading....]

Note: This blog post is from 2018. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

Wondering about CF support for Java 9, 10, 11, or later here in 2018 (with respect to CF 2018, CF 2016, CF 11, or earlier)? Did you know that Java 9 and Java 10 each have only 6-month lives? Seriously. And did you know that Java 9 is already no longer updated, while Java 8 still is (into next year), and that Java 11 is due to come out in September 2018? It can be quite confusing if you've not been paying attention to Oracle's new release model.

What does all this mean for Adobe and CF, and CF users? What versions of CF do, do not, and/or may support these various recent Java versions? The good news is that CF 2018 will come out running (and the second public beta does come running) on Java 10 (no word yet on Java 11). But what about other recent CF versions?

Read on for more.

Update: CF2018 did come out as expected in July 2018, and at first it came out supporting Java 10. Then after Java 11 came out in late 2018, Adobe updated both CF2018 and CF2016 in early 2019 to support Java 11 (or you can continue to use Java 8 while it's supported by Oracle). Adobe also announced in Jan 2019 that they had reached an agreement with Oracle licensing Java 11 and updates to 8 for commercial use with CF. You may want to read my post on the CF portal discussing further when the April 2019 updates for Java 8 and 11 were released by Oracle.

I leave what I wrote below for posterity/historical perspective.

[....Continue Reading....]

Note: This blog post is from 2018. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

If so, I have some very good news--and some not-so-good news. (Some may know that you can find this info also by running the CFC Explorer--more on that in a moment.) The unfortunate news is that it's not yet COMPLETELY documented, but it's still a good start.

[....Continue Reading....]

Note: This blog post is from 2016. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

In this post, I want to elaborate on one more common mistake. Well, mistake may be too strong word. It's about a default option when you run a Java JDK installer (see the other post for more on JDK vs JRE options).

In short, I make the case here for why you should NOT let the JDK installer implement its "public jre" option.

[....Continue Reading....]