Note: This blog post is from 2019. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

All CF shops are urged to install this update immediately, to implement new protections against a known attack happening in the wild. It's identified in the associated Adobe Product Security Bulletin, APSB19-14, as a priority 1 critical vulnerability.

I will add that I can vouch personally for the significance of the vulnerability, as I reported it to the Adobe Product Security Incident Response Team (PSIRT), and I proposed the fix which was implemented. (I also know what was done specifically to perpetrate the attack, and the very negative consequences of what happened once the server of a client of mine was attacked. You don't want this to happen to you.) I plan to share much more in a part 2 post (now posted, but do see below for the context it builds upon).

(In the meantime, I have tweaked this part 1 since originally posting it, to share more here.)

[....Continue Reading....]

Note: This blog post is from 2018. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

After April 30, 2019, Adobe will no longer provide any updates for CF11, so there will be no security patches or hot fixes for CF 11 after that. Of course, updates for CF2016 will indeed continue into Feb 2021, while CF2018 updates will continue into July 2023. And we could expect CF2020 (when it comes) to by supported into 2025.

How do I know this? Where does Adobe say it? And can one buy support (yes) to "buy extra time to get such CF11 updates beyond April" (no)? And what about CF11 support for Java 11 (no)? Finally, could you use help in moving off CF11 to CF 2016 or 2018? For more on each of these, read on.

(Update: I should note that Adobe did indeed offer one more update beyond April 2019, in June, when they updated CF2018 and 2016 as well for an important security update. That was a bonus. They have said there really will be no more CF11 updates, as per the original plan.)

[....Continue Reading....]

Note: This blog post is from 2018. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

But here's some good news: Amazon has recently released a new free JVM (java virtual machine) implementation based on the OpenJDK specification, called Corretto. In this post, I want to share some news about it. (Off the bat, let me tell my friends on any Linux flavor other than Amazon Linux 2, this is not yet available to you. For now it is only available for Amazon Linux 2 as well as Windows, MacOS, and as a docker image. Other Linux flavors are due in Q1 2019.)

For much more, read on.

Update in Jan 2019: This is no longer an option for CF folks to consider, as Adobe announced both that they have licensed Oracle Java for production use by those using CF, and they clarified that they will NOT be adding support for any OpenJDK implementations. I will leave this post and the rest, for non-CF users and for posterity.

[....Continue Reading....]

Note: This blog post is from 2018. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

• Regarding Java 8, did you know that Oracle will no longer offer free updates/security patches for Java 8, if used for production (NOT just "commercial") purposes beyond Jan 2019? After that, you must pay them for support/updates (including security updates). For more on why this is NOT just about "commercial" use, see below.)
• Regarding Java 11, the next major release, did you know that the Oracle Java 11 JVM cannot be USED at ALL for PRODUCTION purposes, without paying for it?
• Finally, while Oracle will be offering a free openJDK implementation (which CAN be used for production, for free), did you know they will only be committing to supporting/updating their Oracle Java 11 openjdk for 6 months after release, leaving subsequent updates to the community of contributors?

For more, including why this may have significant impact on your use of Java-based applications, as well as alternatives that may exist for you going forward, read on.

[....Continue Reading....]

Note: This blog post is from 2018. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

TLDR (and update since initial post):
If you can add ::1 to the list of debugging IP addresses in the CF Admin, that should solve this problem. If you cannot, that problem was fixed a few months after I wrote this, in CF2018 update 2 and CF2016 update 8, released in Feb 2019 (and it's no longer a problem on CF2021 and above, of course). For those not yet running those, if you find that adding ::1 just turns into 0:0:0:0:0:0:0:1, read on.

For more on the matter, including why it happened, solving it, etc., read on.

[....Continue Reading....]

Note: This blog post is from 2017. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

The first problem was introduced in the CF2016 installer released in Dec 2016, and any after that, where Adobe has literally removed the library used for the calendaring, but you can add it back, as I discuss below. (If you install or installed CF 2016 from the original installer in Feb 2016, you won't see this problem as it wasn't removed then.)

The second problem was introduced in those two named updates, and was fixed in the very next updates (CF11 update 13 or CF2016 update 5). And of course, this could also happen if you're moving to CF11 or 2016 for the first time, and someone else had "fully updated" those to that update level before you started testing against it.

If you'd like to know more, read on.

[....Continue Reading....]

Note: This blog post is from 2017. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

I offer below first the events at which I'll be speaking, and then the preso titles and descriptions for any readers interested. (As an update, I was informed on 5/16/17 that I'd been selected to speak at NCDevCon. While it's not in "spring/summer" per the subject above, I've added it to the info below.)

[....Continue Reading....]

Note: This blog post is from 2017. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

So here I present what I feel are the 100 (technically, 105) most interesting/useful posts made there over the past 3 years (2014-16), offering information about CF and CFML which should be valuable to readers for years to come.

[....Continue Reading....]

Note: This blog post is from 2016. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

In this post, I want to elaborate on one more common mistake. Well, mistake may be too strong word. It's about a default option when you run a Java JDK installer (see the other post for more on JDK vs JRE options).

In short, I make the case here for why you should NOT let the JDK installer implement its "public jre" option.

[....Continue Reading....]

Note: This blog post is from 2016. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

Many find after applying a ColdFusion update that either CF won't start at all, or they can't access the ColdFusion Admin, or some part of CF or their app doesn't work. Or perhaps the problem may not become clear for hours or even days.

The problem may be simply that there was an error in the update process CF did, and it may be rather easily confirmed and resolved. In this post, I share several tips and observations to help resolve this, based on my years of providing remote CF troubleshooting support.

The TLDR version:

• Check the ColdFusion update log--not logs in the normal CF "logs" folder, but the update's "install" log, and a specific table of successes and errors there. More detail below.
• And if there ARE errors, try stopping CF (and its related services) yourself, and then try the update again. Again, more below.
• Finally, if that still fails, then manually apply the update from the command line. I share more on that below also.

If that's enough to get you going, great--especially if you ARE in panic mode! (If the "problem" you need to solve, instead, is that you can't get CF to show you updates because you're behind a firewall preventing outbound internet access, I help with that also, toward the end.)

For most people, though, even those "simple things to do" can prove challenging (and understandably so). And you may find different resources on the web offering perhaps truncated discussions of the topics, which is why I elaborate on things in this post.

And even if you're in a panic, it may take only about 10 minutes to read this whole post. (You can also hire me to help instead, of course. See the links above or below.) Hope the info to follow is helpful for you.

[....Continue Reading....]