[Looking for Charlie's main web site?]

Announcing Java updates of Apr 2021 for 8 and 11: resources and thoughts

Posted At : April 26, 2021 6:37 PM | Posted By : Charlie Arehart
Related Categories: cf2016, cf2021, cf10, java, cf11, cf2018
Comments: (6)
Note: This blog post is from 2021. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
For those using the Long-term Support (LTS) versions of Oracle Java, 8 and 11, please note `there were new updates released last week (Apr 20), specifically Java 11.0.11 and 8.0_291. For some, that's all they need to hear. They will take that ball and run with it.

For most, you should read on, especially about an important change regarding TLS support (and calling out to servers not yet running TLS 1.2 or above). I cover that and other important topics:

  • What's in the JVM update, do you need to update to it?
  • A key change in this Java update: calls out to TLS 1.1 or 1.0 no longer allowed, by default
  • Re-enabling support for calling out to old TLS versions
  • Groundhog day: you'll need do make this java.security file change on any later JVM updates
  • Should you update to the new JVM version?
  • The importance of testing such updates/changes
  • More questions you may surely have, and finding answers to them
  • Obtaining the updated Java installers

[....Continue Reading....]

Comments (6)

Confirming ColdFusion's Java version, via admin, vars, or code

Posted At : April 5, 2021 11:13 AM | Posted By : Charlie Arehart
Related Categories: cf2016, cf2021, cf10, java, cf11, cf2018, lucee
Comments: (0)
Note: This blog post is from 2021. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Have you ever wished you could confirm with 100% certainty what Java version is in use by the CF instance you are running? Or where the JVM's location is (in case you are told to modify files related to it)?

Some good news is that ColdFusion offers simple ways/variables that can show you each of these, via the admin or via CFML code. In this post, I discuss both approaches, including a simple single variable which works in CF2018 and above, a variation for those on CF2016 and earlier, as well as variations for Lucee.

[....Continue Reading....]

Comments (0)

Be aware that updates to ColdFusion 2016 will end Feb 2021

Posted At : November 23, 2020 9:37 PM | Posted By : Charlie Arehart
Related Categories: updates, cf2016, cf2021, cf10, CFBuilder, cf11, cf2018
Comments: (0)
Note: This blog post is from 2020. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Are you still running ColdFusion 2016? Did you know that its "core" support (meaning, public updates from Adobe) will end in just a couple of months, Feb 21 2021? Same for CFBuilder 2016.

The recent release of CF2021 is a great sign for the continued vitality of CF, but this looming deadline is a reminder that as the years roll on, we not only get new versions but we say good-bye to old ones.

Wondering what you can do? or when CF2018 or CF2021 support ends? And what's the difference between "core" and paid Adobe support plans? For more on these, as well as official Adobe documentation that discusses such things, read on.

[Update: CF2016 users got a "reprieve" of sorts, when Adobe released updates to CF2021 and 2018 in March 2021, and they also offered the final update to CF2016, update 17, especially because it address a security vulnerability. Sadly, some of the changes in the update--not related to the security fix--were "breaking" changes. For more on that update, see the Adobe blog post from March 2021.)

[....Continue Reading....]

Comments (0)

Why should one be careful about securing ColdFusion ARchive (CAR) files?

Posted At : July 14, 2020 10:54 PM | Posted By : Charlie Arehart
Related Categories: cf9, cf2016, admin, cf10, cf11, security, cf2018
Comments: (5)
Note: This blog post is from 2020. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
You may hear (starting today) about a new admonition (a "strong recommendation") from Adobe that one should be careful to "delete CAR files once they are used". What's that about? And why is it a concern? (And is it ever NOT a concern?) Indeed why is it a new admonition? (To be clear: the recommendation should be heeded even by those using CF versions BEFORE this update and older versions like 11, 10, and so on.)

[....Continue Reading....]

Comments (5)

How to solve failing "api" URLs, in CF2016 and 11 (not a problem in CF2018)

Posted At : January 16, 2020 8:14 PM | Posted By : Charlie Arehart
Related Categories: cf2016, cf11, webserver, troubleshooting, connector
Comments: (2)
Note: This blog post is from 2020. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
If you're trying to run a request against CF 2016 (or perhaps 11), and the URL you're using has a path which starts with /api, you may find that the request fails to run (it may give a blank page). What gives? (It was related to the CF2016 API Manager, not CF's REST services feature.)

And what can you do about it, if you are on CF2016 or 11, and you want to use /api for your URLs? There are are two choices, depending on your needs: in brief, you can either:

  • change your /api folder to a new name (which I realize may not appeal to all to some)
  • or change the CF configuration, to STOP it treating /api specially for the API Manager's use. You would do this by editing two CF config files, urlworkermap.properties and web.xml (but this will break the ability of the API Manager to introspect REST services in CF2016 or CF11, though not CF2018)

TLDR; if you're bold and a risk taker, you can jump to the bottom to see my list of changes to make for that second option. As is often the case, there is risk in making changes in a cavalier fashion. There are various things to consider, and I warn of them below--but the good news is that this is a change that may take only minutes to do, once you've been careful to read about how to do it effectively.

Read on for more, including pros and cons of each choice, what to change and where, why this problem NO LONGER happens from CF2018 onward, and more.

(And if you are not familiar with the CF Enterprise API Manager, which is installed separately from CF, you can read about it here.)

[....Continue Reading....]

Comments (2)

When and how to upgrade CF web server connector, easier in recent CF releases

Posted At : November 13, 2019 8:40 AM | Posted By : Charlie Arehart
Related Categories: updates, cf2016, carehart classics, cf10, cf11, connector, cf2018
Comments: (8)
Note: This blog post is from 2019. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Did you know that when you update ColdFusion, there is often a need to also update ("upgrade") the web server connector (for IIS and/or Apache)? Did you know that's gotten easier to do since CF2016 came out?

In this post (updated in Oct 2023, for reasons discussed below), I discuss:

[....Continue Reading....]

Comments (8)

Configuring FusionReactor to show "real ip address" when behind a load balancer or other proxy

Posted At : August 21, 2019 6:27 PM | Posted By : Charlie Arehart
Related Categories: tomcat, cf2016, logs, fusionreactor, tools, cf11, troubleshooting, cf2018, lucee
Comments: (0)
Note: This blog post is from 2019. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
If your server is behind a load balancer or other sort of proxy, you may have noticed that when you view information about requests in FusionReactor, they all have the same (or nearly the same) IP address. This can be easily fixed, and I show you how in this post.

[....Continue Reading....]

Comments (0)

Updates released today for CF2018, CF2016, and CF11

Posted At : June 11, 2019 6:40 PM | Posted By : Charlie Arehart
Related Categories: updates, cf2016, cf11, security, docker, cf2018
Comments: (0)
Note: This blog post is from 2019. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
While word has been shared elsewhere about this today already, I wanted to share here also that there were updates released today for CF2018, CF2016, and CF11.

And I share a bit more here, for my readers.

[....Continue Reading....]

Comments (0)

CF updates temporarily missing. Get them here

Posted At : May 12, 2019 3:10 PM | Posted By : Charlie Arehart
Related Categories: updates, cf2016, cf10, cf11, cf2018
Comments: (1)
Note: This blog post is from 2019. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
If you've tried to get the update files for cf 2018, 2016, 11, or 10 in recent days, whether from the CF Admin "updates" page or the update technote pages, you've found the update jar files are missing and unavailable, due to a temporary problem. Here's how to get them in the meantime.

[....Continue Reading....]

Comments (1)

CF security update (March 1 2019), part 2: further details, prevention, and more

Posted At : March 3, 2019 11:20 PM | Posted By : Charlie Arehart
Related Categories: updates, cf2016, admin, cf11, security, cf2018
Comments: (11)
Note: This blog post is from 2019. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
This is my part 2 post which follows onto the Part 1, released the night of March 1, when the new CF updates were released as an emergency update. If you've not yet read that, do that first, to get some basic info and needed context for what follows.

And if you HAVE already read part 1, if it was before Saturday morning, do go back and reread it. I had added some important info that I thought shouldn't wait to Part 2, which I knew could take me a while. See especially the sections there, "A brief introduction to the vulnerability and the fix", "Should you be worried?", and "What if you can't apply the update immediately, and can't wait for part 2?".

And my apologies for the delay in getting part 2 out. For various reasons, including related to additional research work I'm doing on this exploit beyond CF, I was unable to post this then. Better late than never, I hope. Indeed, I had listed quite a lot in Part 1 that I hoped to cover in a part 2. I don't want to delay getting this out any later, so I will get done today what I can and post that, and carry over into a part 3 (or beyond) whatever remains. There are some natural breaks, fortunately. Thanks for your patience.

Following are what I cover here in Part 2:

  • More detail about the vulnerability and what was "fixed"
  • Wouldn't an antivirus package on the server detect this sort of trojan?
  • How to add further protection from it (especially if you may be unable to implement the update for some reason)
  • Considering running a security scan of your CFML code
  • Consider implementing a web application firewall
  • How to prevent execution of the files used in the attack, if they may already be on your server
  • Another benefit of applying the latest updates
  • What about Lucee?

[....Continue Reading....]

Comments (11)

More Entries

Copyright ©2024 Charlie Arehart
Carehart Logo
BlogCFC was created by Raymond Camden. This blog is running version 5.005.
(Want to validate the html in this page?)

Managed Hosting Services provided by
Managed Dedicated Hosting