I'm delighted to announce that I've been selected to speak at the upcoming Into the Box event (in DC in early May), where I'll be presenting "Hidden Gems in FusionReactor: for BoxLang, ACF, and Lucee Users".

This should not be confused of course with the "Hidden Gems in CF2025" talk which I also just announced that I'd be presenting at the upcoming CF Summit East (next week in DC) and CFCamp (in Munich in late May). It'll be a busy few weeks! :-)

As with them, it's always a thrill to attend this annual event. Following is the topic description and more.

[....Continue Reading....]

Now that CF2025 has come out, supporting Java 21--and as ColdFusion and Java versions continue to evolve--you may wonder which version(s) of Java you can use with your current (or a given) version of ColdFusion.

You can't just use "any" jvm version with CF: it depends on first on what version of CF you are using, and then may even depend on what CF update has been applied to that CF version. (You also can't use Java from any vendor: Adobe supports only use of Oracle Java, and they license it for our use, as I discuss later.) And to be clear, currently ONLY CF2025 supports Java 21. (And with Java 24 coming out in Mar 2025 as the latest LTS or "long-term support" Java releases, note that NO CF version currently supports that.)

So in this post, I offer a table that clarifies things, listing the various recent CF versions (even those no longer supported) and what (LTS) Java versions they supported, including if some CF update of a version changes the Java version supported.

[....Continue Reading....]

Here's great news for those still running CF2018 or earlier, who may have been holding off upgrading to CF2023 (because you would have to pay full price for it). It's news I first shared back in July, and the deal has been extended one last time, thus this post.

TLDR; Now through Feb 28, 2025 those running CF9, 10, 11, 2016 or 2018 can upgrade to CF2023 for 25% off its full price. (Those running CF2021 can already/always could upgrade at 50% off the full price.)

This is a deal offered only by Intergral, makers of FusionReactor, who are also resellers of CF. Adobe doesn't even offer this deal themselves. For more, see their blog post at https://fusion-reactor.com/blog/news/save-25-on-adobe-cf2023-upgrades/.

Act now, it could save you hundreds or even thousands of $$s on a single license! For more, read on.

[....Continue Reading....]

Are you still running ColdFusion 2021? While it's still supported/updated by Adobe, did you know that its end of life is coming just several months from now, Nov 10, 2025? That's the date when "core" support for that release ends--meaning no more updates from Adobe after that, not even security fixes.

What about more recent releases, if you may wonder? CF 2023 (the current latest release) will get updates into 2028 (5 years after it was release). And there's the coming CF 2025 release, currently in pre-release (as I have recently blogged about), which is of course a great sign for the continued vitality of CF.

But this looming deadline for CF2021 is a reminder that as the years roll on, we not only get new versions but we must say good-bye to old ones.

Wondering what you can do? or when CF2023 or CF2025 support will end also? And what's the difference between "core" support and the available "extended" support which Adobe sells? (The extended support plan does NOT provide updates beyond this coming November.) For more on these, including official Adobe documentation that discusses such things, as well as my thoughts on migration, costs, various options to consider, and more, do read on.

• The various core support end dates for CF releases
• What can you do at this point?
• "But I can buy 'extended support' and still get updates into 2026, right?" That answer is NO
• "Do I really need to worry about no longer getting CF updates for CF2021 once 'support' stops?"
• Downloading CF2023, in case you may want to try it
• The bottom line

[....Continue Reading....]

An update for ColdFusion has been released today for both cf2023 (update 12) and cf2021 (update 18). In brief, it addresses a P1 (Priority 1, "Critical") security vulnerability, as indicated in the associated ASPB (security bulletin) for the update (CVSS Base Score of 7.4 out of 10).

In this post, I share the details about the update (from Adobe and from others, including pointing to some discussions I've already started online about the update). Note also that while you may read that the update is related to the CF PMT feature, beware presuming it therefore "doesn't apply to you" because you "don't use it". See the next section for more.

Of course, this is terrible timing for an update, but it is what it is. I can report I have installed both updates on multiple machines and operating systems without incident. And I may do a follow-up post on the update as I/we all learn more.

For more details, read on.

[....Continue Reading....]

An update for ColdFusion has been released yesterday for both cf2023 (as update 11) and cf2021 (as update 17). In brief, the update has no security fixes, but it does fix dozens of issues that folks have stumbled over recently. It also upgrades some "OEM" libraries underlying CF, and it offers some modest enhancements.

Also, if you may be skipping to this update from prior to CF2023 update 7 or earlier, or CF2021 update 13 or earlier, please don't apply the update before reading below my discussion about possible breaking changes introduced in those updates from March and June of this year.

For more details, read on.

[....Continue Reading....]

Though the news is a couple of days old, I want to share with my readers that an update for ColdFusion has been released Tuesday, Sep 10, for both cf2023 (update 10) and cf2021 (update 16). In brief, the "only" change is to address a security vulnerability, which is listed in the associated ASPB (security bulletin) for the update as a "critical" severity (CVSS Base Score of 9.8 out of 10)...though curiously that also lists it as being merely a "moderate" priority (3 out of 3).

Also, if you may be skipping to this update from prior to CF2023 update 7 or earlier, or CF2021 update 13 or earlier, please don't apply the update before reading below my discussion about possible breaking changes in those updates from March and June of this year.

And there's still more to consider. Note that if somehow "it's all too much" for you, I can help directly and likely VERY quickly. See my discussion at the bottom here. Otherwise, for the details, read on.

[....Continue Reading....]

If you've recently applied CF2021 update 15 or are planning to, you need to be aware of a known issue which can cause unexpected removal of some CF packages (modules) which occurs upon the CF restart after installing the update: specifically it's the document, htmltopdf, pdf, presentation, print, and report modules. The good news is that these are easily added back, either using the CF Admin or via the cfpm command-line tool (added in CF2021).

In this post, I discuss this issue, those options for adding them back, and I also share how I'd found the underlying root cause of the problem: the update has a mistaken internal indication that these packages were updated in this update, when they were not. I'm hoping that Adobe may soon be fixing the problem by creating a new update file, to at least benefit those doing this update going forward. I'll share also the bug report for that (and another on a related matter, about installing multiple packages via cfpm).

TLDR

If you just want to "solve the problem" caused in applying this update 15, simply go into the CF Admin and its "Package Manager" page, go to its "Available Packages" section, and click each of those to install them. (Couldn't you also click the "Install All" button offered there? Yes, but there are reasons to be careful about that. Couldn't you use the cfpm tool? Again, yes. I will address both these points and more, below.)

[....Continue Reading....]

An update for ColdFusion has been released today for both cf2023 as update 9 and and cf2021 as update 15. In brief, the only change is an update to Tomcat, which underlies traditional CF installations (whether implemented with the ColdFusion installer or zip extraction process). I'll have more to share on the Tomcat aspects of the update below.

[UPDATE since original posting: it's turned out that there's a bug in update 15 of cf2021--which is NOT affecting cf2023 update 9--that causes unexpected remove of 5 packages. There's now a new "known issues" section at the top of update 15's technote discussing the matter, only briefly. The simple solution is to add back the missing packages. For more on the original discovery, see comments below starting Aug 23,three days after this post and the updates release. For more on the root cause and other more automated solutions, see my comments below those, as well as a subsequent post I created. Now, back to my original post's contents.]

In addition, before applying the update note that there are two other things to beware--related to recent previous CF updates, and that whether you are currently running the immediately preceding update (from June) or the one from March or earlier.

[....Continue Reading....]

If you're considering or have already implemented the latest CF updates from June 2024 (CF2023 update 8 and CF2021 update 14), you might have struggled a bit to understand completely what Adobe was getting at in the update technotes, as they can sometimes be rather terse in covering some points (worse, some folks don't even read the technotes before applying the updates). Briefly, a key aspect of the update changes the default algorithm that CF uses--for code that does not specify one, in several CF functions, related to encryption, hashing, or randomization.

As another case where Adobe is opting to sacrifice compatibility for security, the update changes from using the very old default of CFMX_COMPAT (as the default) to using either of a couple different alternatives, depending on the function. And if you're not careful/paying attention, you could break some critical part of your app by applying this update.

TLDR; In this post, I want to share a bit more to help you understand the impact of this update (which I blogged about in June), whether you're a developer or an administrator--and whether you've applied or not yet applied the update. Even if you HAVE done it and "all seems well" (in test or even in prod), do beware there may be nasty problems waiting to bite you that could take time to crop up. I'll explain the issues, and help you find the code using these functions, then help you determine if that code is or IS NOT affected by this change. I'll also discuss some real-world scenarios and challenges, with solutions.

Finally, I'll explain an available JVM arg (-Dcoldfusion.encryption.useCFMX_COMPATAsDefault=TRUE) that can be used to revert this behavior, for those who may feel they need to sacrifice security for compatibility, so as to get to this June update and take their time to address this change in the encryption default. I also explain how the CFMX_COMPAT algorithm DOES still remain available as an option, despite what some have asserted, which may be an acceptable option to use. Then I wrap up with some thoughts on how it may not be so bad that I'm only getting this post out a few weeks after the June update.

For more, read on.

[....Continue Reading....]