New updates for Coldfusion 11, 10, and 9 (security update for 9, 11; still more for 10)

Note: This blog post is from 2014. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

As for CF11 and CF9, it's mainly a security update. For CF10, it's got quite a bit more. (And there is another update for CF11 to come in the future which Adobe mentioned when it came out with its first update last month.)

For more on each, see below.

Adobe has also posted a blog entry about the update, and if you have questions or concerns about it (that should be seen by them), it would be best to raise them there, as they may not see them here. I welcome comments otherwise, of course.

ColdFusion 11 Update 2

So as for this update 2 for CF11, it's a security update. From the security bulletin (which applies to 11, 10, and 9), "these hotfixes address a security permissions issue that could be exploited by an unauthenticated local user to bypass IP address access control restrictions applied to the ColdFusion Administrator. Cross-site scripting and cross-site request forgery vulnerabilities are also addressed in the hotfixes."

And to be clear, this is the 2nd update for ColdFusion 11. I find when working with some people running CF11 that they have not noticed there are new updates. (Of course, the update tool in the CF Admin should point it out, assuming the server is connected to the internet. but even then some do not notice the indicator of a new update.)

And as for the first update to CF11, the Adobe CF blog did indeed mention it when the first CF11 update came out, in September.

You can learn about CF11 update 2 in this technote (and of course, in the Server Updates feature of the CF Admin).

And let me warn you that if you have not yet applied update 1, then after applying update 2 it's critical that you rebuild the web server connector if using IIS. The technote warns you, but many miss that. I discuss the concept in more detail in 2 blog entries I did (related to CF10, but still useful). See more in the 2nd paragraph of the next section. (To be clear, you do NOT need to update the connector after this update 2, if you had already done that after update 1. This paragraph is talking to those who either did not yet do update 1, or did not update the connector after applying update 1.)

Similarly, if you may be new to applying updates in CF11 (and maybe never did them in CF10), there's a great resource from an Adobe engineer from a couple of years ago that's a great 50-question FAQ on the feature. See more on that in the last paragraph of the next section.

ColdFusion 10 Update 14

As for CF 10, this is update 14 and again you can find a link to it in the CF 10 Admin's Server Updates feature. Still, there is a technote for CF10 update 14, which of course is linked to from the update as shown in the CF admin server updates feature. Many never read those, which is a shame.

Update: Before you may proceed to apply update 14, while I have some substantial comments you'll want to consider below, let me note first that since I came out with my blog entry here, Adobe has created two new blog entries dealing with problems some folks have had related to update 14:

• Resolving "500 Internal Server Error" with ColdFusion 10 Update 14, which addresses a fix to seeming IIS connector problems that are due to a need to get Visual C++ Runtime 2012 (not everyone will need this)
• ColdFusion 10 support with Java 8, about a change you need to make if you use web services with CF10 and plan to have CF run with Java 8 after update 14

Again, not everyone will applying update 14 will need to deal with these, but I wanted to make sure my readers here knew of them as they considered applying the update.

Note that the technote tells you that this is another update where you MUST rebuild the web server connector after applying the update. The update page in the server updates feature will also warn you, but many miss that. I discuss the whole notion of updating the web server connector in more detail in 2 blog entries I did related to update 12, starting at CF911: Why/when you MUST update the web server connector for #ColdFusion 10, and may have missed it. After applying update 14, the date of the connector (isapi_redirect.dll, for IIS, for example) would be Oct 9 2014 (the date that new DLL was created by Adobe, not the date you rebuilt the connector). Again, see my blog entries for more info.

And Update 14 is quite a bit more than just the just the security update (mentioned elsewhere here for CF 11 and CF9). This update includes:

• Tomcat upgrade to 7.0.54
• Tomcat connector upgrade to 1.2.40
• Support for JDK 8
• Support for Apache HTTP server 2.4.x (up to 2.4.9)
• Fixes for vulnerabilities mentioned in the security bulletin APSB14-23
• Several important bug fixes in AJAX, Database, Net Protocols and other areas

Note that it also includes the security fixes discussed above in the CF11 section. And while that list does list some interesting things, I'll note that it does not list ALL that you may be interested to know has been updated in CF10 update 14.

First, the list above comes from the technote for CF10 update 14. And note that it links also to a document listing the 50+ bug fixes. (I do wish they'd list the update number in the URL for a document like that. What if a future update also had bug fixes and a similar document was needed?)

Note also that despite the reference to that second document as "bug fixes", it does mention changes that are really updates, like an update to the Postgres driver, and more. (I'd missed that when I first posted this entry. A comment from a reader led me to notice that.)

Sadly, because the wording is the title of the bug report as users wrote them, we can't always tell from them what was actually changed. For instance, the bug report about Postgres requests that it be updated to 9.3. It's not clear from it what version they finally updated to (there are no notes on the bug report added from Adobe).

I did some digging and find in the updated files list ([ColdFusion10]\cfusion\hf-updates\hf-10-00014\hotfix_filelist.log) that it DID add postgresql-9.3-1101.jdbc41.jar and removed postgresql-8.3-604.jdbc3.jar. I also see an update to mysql-connector-java-commercial-5.1.17-bin.jar (though curiously, no removal of another mysql jar).

I also see in the bug list references to several updates related to problems folks have had using the CF admin, problems with JSON, and a pernicious bug that has hurt some people using implicit getters and setters in CFCs.

Anyway, you'll want to look over the list of "bug fixes" carefully to see if there are any other changes that may affect you.

And I'm sure some will (reasonably) complain, "hey, why aren't these added for CF11?" The good news is that Adobe has said that they will be doing another update for CF11 soon (see an update in the entry on Update 1), and I'm sure it will included these things and much more (especially bug fixes for 11). I suspect there's just a lot more for them to add so it's taking more time to test.

And FWIW, it's been a while since we've had one (the last being update 13, which was technically only had anything new for OS X users, as I discussed in a blog entry at the time.)

Let me also point out that if you face any challenges using the CF10 server update feature, there is a a great resource (written a couple of years ago by an Adobe engineer), ColdFusion 10 Hotfix Installation Guide, which is basically a 50-question FAQ about some issues folks may face when applying CF10 updates. Much (but not all) of it would apply to CF11 as well.

ColdFusion 9 Security Update

As for CF9, the update is primarily a security-related hotfix.

You can learn more in the security bulletin (APSB14-13), and I had mentioned above in the CF11 section what the security features of the new update were about.

There are different steps and download files depending on your specific version of CF9, as well as depending on whether you had or had not applied the immediately preceding security update (APSB13-27).

For more on the steps and the downloads, see the technote for APSB14-23.

Do be aware, though, that if this may be your first application of a security hotfix in CF9, note that they are cumulative and you may get new ones implemented that could impact your server. I discussed how you can learn more about this problem in a blog entry I did last year: CF911: New Adobe document about ColdFusion security hotfixes: required reading, I'd say.

FWIW, I'll note that as for the "number" (of the jar) for the update, that also depends on you're specific version of CF 9. If running CF 9.0.2, it's hf902-00007.jar. If CF 9.0.1, it's hf901-00012.jar. If CF 9.0.0, it's hf900-00013.jar.

Finally, if you're going to be updating CF9, please see my blog entry warning of some gotchas to be careful about, Applying hotfixes to #ColdFusion 9 and earlier? A guide to getting it right.

More Help with Applying CF Updates

As you can perhaps tell from all my tips above, I have helped people solve many problems related to applying updates, whether to CF 8, 9, 10, or 11, in my CF Server troubleshooting consulting services.

I pulled together many of the tips, tricks, and traps in a talk I did, Updating/Hotfixing #ColdFusion 11, 10, 9 and 8: Tips and Traps.

Hope all that's helpful. If you have questions or comments, fire away. If you want guided assistance in applying (or considering) the hotfixes, reach out to me. I help people with this stuff every day.

For more content like this from Charlie Arehart:

• Signup to get his blog posts by email:
• Follow his blog RSS feed
• View the rest of his blog posts
• View his blog posts on the Adobe CF portal

Need more help with problems?

• If you may prefer direct help, rather than digging around here/elsewhere or via comments, he can help via his online consulting services
• See that page for more on how he can help a) over the web, safely and securely, b) usually very quickly, c) teaching you along the way, and d) with satisfaction guaranteed