Charlie Arehart's CFupdate meta resource

Welcome to this list of resources related to updating CF, the CF web server connector, and Java, as well as the PMT, FusionReactor, CFBuilder, and other related features of interest to CFML developers. It represents my years of working with folks on such matters, and shares resources from Adobe, myself, and others--and I will try to keep this relatively up-to-date.
(Last Updated: Jan 31, 2025)

See below for additional info (links/tips/traps) on:

Info related to updating CF and related things (links/tips/traps)

  • Updating ColdFusion:

    (Note: This update process should not be confused with upgrading from one major version of CF to another. That's discussed later here.)

    Since CF10, the CF Admin has offered a page showing available updates. Updates are always cumulative: you need not apply ones you've skipped, as their changes will be incorporated into the update you apply. That said, it is important that you read the update technote about any updates you do apply or skip; otherwise, you may get "bit" by some change that was indeed documented in a previous update technote.

    Adobe offers a page listing all the updates for each CF version, with a link to the technotes and downloadable updates (for those preferring or needing to apply a CF update manually, as discussed in each technote):
    Note also that Adobe offers an "update release notes" page for each CF version, which highlights the key changes among the various updates of that version, for each of CF2023, CF2021, CF2018, and CF2016.

    In case you may hit errors trying to apply updates, see the section below on Resources to help in applying such updates. As always, I can help with applying any of these updates.

    Before leaving this topic, some may be interested to know how they could be kept informed that there ARE available CF updates. I plan to do a blog post on that, but until then note that besides them showing up in the CF Admin itself, Adobe offers an email notification service about SECURITY updates, and as does Pete Freitag via his HackMyCF service. And I try to do a blog post announcing each update to CF or Java.

  • Updating the CF web server connector (wsconfig):

    After updating CF, note that most CF updates also off an updated web server connector, and it's often critical to apply that connector update, if the CF update we are implementing (or any we are skipping) updated the connector. (For instance, this was especially true as of the March 2020 updates to CF2018 and CF2016. I had a blog post explaining this, from that timeframe.)

    Some great news is that in CF2016 and above, the CF update technotes end with a table indicating which previous updates did require a connector update. If that table may be missing, it's incumbent on YOU to review both the technote of the update you are applying AND ANY YOU ARE SKIPPING, to identify if there is a need to update the web server connector. Sadly, there is currently no single page indicating all the CF updates which do require such an update. I may add that here at some point.

    Finally, as for upgrading the connector, some great news for those on CF2016 and above is that Adobe has simplified the process, offering an "upgrade" button in the wsconfig UI, which will indeed upgrade the connector for any site selected. This puts the latest connector file--the .dll file for IIS, or .so file for Apache--into place and offers to restart the web server. I have a blog post with more on this easier upgrade process.

    Prior to CF2016, the process instead requires REMOVING and then re-ADDING the connector. (And FWIW, back in 2013 I had offered a blog post with substantial detail on the process: CF911: Why/when you MUST update the web server connector for ColdFusion 10/11 and may have missed it, as well as Still more reasons to make sure you have updated your ColdFusion 10 web server connector.)

    I will warn that many have ignored this need to keep their connector up to date, to their peril--in terms of bugs, poor performance, hanging connector connections, and more.

    Again, I can help with this.

  • Updating the Java underlying CF:

    After taking care of updating CF and updating the CF web server connector as discussed above, the next most important thing for most folks is updating the JVM that CF uses. Since Java is updated about quarterly by Oracle and often has security fixes, it's important to keep updated. (To be clear, CF updates typically do NOT update the Java underlying CF. Only new CF installers do that, though not always. Also, Adobe currently supports use only of Oracle Java, and some will want to hear that Adobe licenses Oracle Java for our use of it with CF.)

    As for updating CF to use a newer Java version can be a fairly easy process, taking just a few minutes (and a CF restart), if you are comfortable with the process. It may take longer your first time or if you don't do it often. You do need to be careful, and I can help if you'd like to get it done quickly and safely. But here are details for those who want to do it on their own:
    1. First, as for what version of Java you can/should be using for your CF version, that depends both on the CF version and your CF update level. This has been covered in various blog posts from Adobe, myself, and others over the years. And I created a post in 2021 with a helpful table I created of CF vs Java versions that Adobe supports, and I have tried to keep that updated.
    2. As for getting java updates, note that Adobe now offers downloads for the latest Java updates that it supports, for supported CF versions and across all supported OSs and supported Java versions. This is on the CF-related downloads site, in a page for Java installers. (Normally that page is updated within days of the release by Oracle of a new Java version.)

      FWIW, Oracle also offers the latest updates for Java here (including Java 8, 11 and above), for those who have an Oracle account. Note that the most recent LTS releases are at the top of the page, while older LTS releases are further down the page. Oracle offers yet another page with "archives" of previous versions here, including all but the most recent updates for Java 8, 11, 17, and 21 (the current LTS versions as I write), and also much older/no-longer supported Java versions as well.
    3. As for the process of updating the Java that CF uses, that too has been covered by many over the years (sometimes in scant detail, leading to trouble, or not updated in many years). Perhaps the simplest thing for many is to watch a brief video created by Pete Freitag. Though it's from CF2018, teh concepts still apply for later versions. I also did a more extended presentation on the topic in 2024 (and originally in 2021), Updating the Java underlying ColdFusion which was recorded and is also offered on youtube.

      (Note that you COULD install the updated Java into CF's built-in JRE folder, at [coldfusion]\jre, but if you instead install it to another folder, you can point CF at that folder. This leaves the original CF jre folder as a safe haven you can revert to if necessary. This is discussed in the previous resources.)

      Note that if you may be using Commandbox, it's very easy to update the Java underlying that (and even allow it to keep your Java automatically updated). See the docs page on that.

      As for updating the JVM used by Lucee (when not running it on Commandbox), that can be more complicated: it depends on how you implemented Lucee (via its installer, or by deploying it as a WAR atop Tomcat or another JEE server, etc). I've not found any good single Lucee doc that explains things (finding instead various ones that seem pretty dated). Since most people seem to run Lucee atop Tomcat, you can look into general Tomcat resources about how to configure the JVM it uses (via Tomcat bat/sh or env files). Just note that if you running Tomcat on Windows and as a service, then instead of editing those files you would use use the Tomcat Service config editor, which for Lucee defaults to being called luceew.exe and for Tomcat may be called tomcatw.exe, or tomcat9w.exe, etc. That offers a UI with a "Java" tab where you can control the JVM location, JVM args, and more.

      Finally, FWIW, if you may attempt the JVM update on your own, I address several key problems one could encounter, and how to fix them, in this 2014 post which is just as useful now, CF911: 'Help! I've updated the JVM which ColdFusion uses, and now it won't start!'.
    4. As for planning for JVM updates, note that Oracle releases them quarterly. The scheduled date of the next 4 updates is listed on the release notes of each update.

      I also try to write blog posts about each JVM update, where I highlight key points in recent updates in case you may be skipping to the latest only now.
    5. Finally, in Jan 2024 I created a post pulling together into one post some comments and suggestions I'd previously offered in each post about considering JVM updates: Several things to consider when applying JVM updates.

    But again, if you're just interested to "get it done" (updating the Java underlying CF or Lucee, quickly and safely), I can help with this.

  • Updating the ColdFusion PMT:

    The ColdFusion Performance Monitoring Toolset (PMT), added in CF2018, also has updates occasionally. In CF2018, one had to apply the updates manually. I have a blog post with more on that.

    As of CF2021, a new "update" section has been added to the PMT UI, working just like the update mechanism in the CF Admin (since CF10).

    Again, I can help with this.

  • Updating ColdFusion Builder:

    Since mid-2022, there are now two different version of ColdFusion Builder, with the new one being based on the popular VSCode editor, and is available now as a free extension from Adobe. The older legacy CFBuilder (from CF8 to 2018) was built atop Eclipse, and is no longer supported or updated.

    As for the new VSCode-based CFBuilder, like any VSCode extension, the UI will notify you when there are updates, and you can choose to install the update or not. (The extension page will also inform you of the current version, as will the extension page within VSCode.)
    As for the older legacy version of CFBuilder, again it is no longer updated since 2020, but for any still running it, note that it was able to be updated from within Builder itself. Unlike CF, there is no single page listing all ColdFusion Builder 2016 updates. Here were the most recent updates (as of late 2020):
    Again, I can help with this.

  • Updating FusionReactor:

    FusionReactor (the monitor for CF, Lucee, and other Java apps) can be updated either via its UI or by just dropping in a new jar (f you installed FR manually) I did a blog post covering both approaches. Updates can be found at the FR downloads page. The FR installer can be run in-place over a previous FR version.

    And you can find a list of feature changes for each update within a given version in the FR release notes page.

    Again, I can help with this.

  • Updating Lucee:

    While not a feature of CF, I'll note here that Lucee updates can be applied from within the Lucee Admin, or using the Lucee Core file, which can be found on the Lucee downloads page and copied to the "patches" folder of your existing Lucee installation.

    If you have any problems applying Lucee updates, the Lucee community and team are available to help, as am I.

  • Updating the Tomcat underlying CF:

    Sometimes people will want or hear about a need to "update the Tomcat which underlies CF". Perhaps someone will run a security scan reporting it's vulnerable/out of date.

    Before addressing whether and how one may do that, it's important to clarify that most folks deploy CF via traditional "server" (or using Adobe's containers or perhaps the new "zip" form of deployment). For those deploying CF that way, changing that Tomcat is NOT supported by Adobe nor is it recommended that you even try. Many have found it to fail--and it at least could lead to unexpected behavior.

    If, on the other hand, one were to deploy Tomcat themselves, and then use CF's ability to create a WAR or EAR file to deploy upon Tomcat, THEN one could update the Tomcat underlying that. Again, though, that's not at all a common way that CF is deployed.

    I'll add as well that those running CF on Commandbox are also not running CF atop Tomcat. Instead, Commandbox actually implements CF as a WAR file running atop Undertow, which is a servlet container different from Tomcat. (All that's done under the covers such that most are unaware.) As such, Commandbox users never need concern themselves with Tomcat update or vulnerability issues.

    As for those running CF in that first, more traditional form of deployment, note first that it may be that the severity of a Tomcat vuln is not so grave, or there may be a workaround. Indeed, sometimes a given vuln may not actually apply with regard to how CF runs.

    For instance, the issue may have to do with the ability to manipulate a request sent to Tomcat's web server (Coyote), which is embedded within Tomcat (along with a servlet container, Catalina). But most public CF deployments would be fronted by a web server like Apache or IIS, which then proxy requests to Tomcat via AJP. Out of the box, only the CF Admin is served via that actual Tomcat web server (at port 8500, by default). As such, vulns regarding Coyote would not typically be expected to be allowed (from outside) against that, as most firewalls would block incoming access to a non-standard port like 8500.

    The bottom line (for those impacted) is this: when Adobe is behind in keeping updated that Tomcat underlying CF, all we can usually do is wait. Or perhaps you can request a temporary exclusion from those demanding it be upgrade, based on the clarifications here (as you simply cannot do it yourself).
So the above has been about updating things related to CF. Now let's turn to the notion of upgrading things.

Understanding the difference between upgrading vs updating

I distinguish "updating" from "upgrading", with the former being about point-release changes within a given version, while the latter is about changing from one major version to another (like CF2021 to CF2023, or Java 11 to 17).

1) When it comes to upgrading CF versions (migrating from one full version to another), there are of course typically many new and changed features, and a greater chance of breaking changes--though Adobe does strive to maintain backward compatibility more than many vendors (for better or worse, in the eyes of some).

As for assistance in performing such an upgrade or migration, Adobe does provide release notes with each new release, and the docs often have pages helping with new features, changed features, and even deprecated features. There is also the "code compatibility analyzer" available in the CF Admin, where a newer CF release can be told to look at code and assess it for compatibility issues between a given CF version and that newer one. I can also assist with migration challenges on a consulting basis, as can others or the wider CF community.

2) When it comes to upgrading Java versions (again, changing from one major version to another, like Java 8 to 11, as was enabled per an update to CF2016 and 11), a factor of first importance for Adobe CF users is to make sure that the newer Java version you want to move to is one that Adobe supports. Again, I have a table discussing that.

And whether one is using CF or Lucee, something to beware when upgrading Java versions (such as Java 8 to 11, or 11 to 17) is that both engines have features that compile CF and other code on the fly and save it for later reuse, using the Java version in place at the time of that compilation. If you change to a newer version, you need to delete such compiled java classes (while CF or Lucee is stopped). In CF, this is referring to folders under your CF instance (cfusion or others), including stubs and then the wwwroot/WEB-INF and folders under it including cfclasses (not "classes)", cfc-skeletons, and rest-skeletons. If you'd rather not delete them, you could also move or rename the folders. CF will create them anew if no there on startup.

Finally, there may be need to perform other steps (related to CF) when upgrading Java from one major version to another--especially older Java versions like 8 or earlier, and especially on Windows, where some ms*.dll files may need to be moved from the new Java version's folders into CF's own folders. I discuss this in my resource, CF911: 'Help! I've updated the JVM which ColdFusion uses, and now it won't start!'. In fact, I have a number of resources related to doing updates, and I list those next.

Resources to help in applying updates to CF, the JVM, the web server connector, and more

Again, you may hit problems on doing any of the update above, or wonder about matters related to them. I have written various blog posts to help, presented in reverse chronological order (yes, even ones from 10 years ago or more can still be valuable):

Getting help in applying such updates, from Charlie Arehart

If you have not applied these various updates, this is something I can help with. Or you may try and experience a problem: while the updates CAN go easily enough for anyone to do, it can also just as likely fail--which can leave many people feeling dead in the water.

While I offer above the many resources to help, I can also directly help resolve such update problems quickly, via my remote online consulting. That page offers my rates, approach, satisfaction guarantee, and online calendar to find and select slots--even perhaps as early as today. My number is there also, if you may need to reach me outside the hours offered on that calendar.

I can make sure any such update is done well and quickly, generally in 15-30 minutes for each update (which includes making sure there are no failures in applying the update, as well as offering any guidance in considering and applying the update.)




Managed Hosting Services provided by
xByte cloud Hosting