Security updates released for ColdFusion 2021 and 2023, Nov 14 2023
If you apply the update using the CF Admin and then find that CF starts but the Admin and your code fail, I cover that also, in the second section below.
For more, read on.
If you apply the update using the CF Admin and then find that CF starts but the Admin and your code fail, I cover that also, in the second section below.
For more, read on.
TLDR; If you've configured either CF2021's java home to use Java 11.0.20 or later, or CF2023's java home to use 17.0.8 or later, you may find that applying CF updates ia the Admin will fail. You can apply the update via the command line, adding a needed new -Djdk.util.zip.disableZip64ExtraFieldValidation=true JVM arg (BEFORE the -jar arg) in the java -jar ... command, as I discuss more in the 5th bullet point below. (If I've lost you with that simple suggested, read the rest here. And all may benefit reading what precedes that suggestion, for context. I also offer other suggestions and info.)
There are in fact many tools which can help with this task, some of which will be familiar to those on *nix systems, but Windows users who've been around a while (or who learned from such folks) may try to rely on the good ol' telnet command (as in telnet
In this post, I want to show a couple of command-line alternatives which can do the job easily, one best suited for powershell users (Test-NetConnection), and and two of which would suit those who prefer the command line (cmd) and which are now built-into Windows (the past few years): ssh and curl. No, this is not their primary job but they will suit for this task and it may surprise some to learn they're even built-in options. I'll conclude with still other options available to those on *nix environments (who of course can also use ssh and curl), especially nc (netcat).
For more resources as well as some additional thoughts on the updates (including what security matter it entails as well as some lessons learned in applying the update--especially if you may update your Java to the JVM released last month), read on.
The recording has been posted.
Also, I have updated the PDF, since giving the talk (Fri Jul 28). I not only corrected a couple of typos and improved some wording and organization, but I also have added some new links and content.
Both those links are offered on my presentations page, where I offer info and links for every one of my nearly 170 CF talks over the past 25 years--most of which I daresay would still be useful to many even today.
I want to draw special attention to the one "new improvement" and one "new feature". (In my posts on past FR updates, I sometimes don't do much more than list the simple bullet points offered in the FR release notes.) See the elaboration on these two things below.
For more on the update, as well as help on installing such FR updates, read on.
It's been on my site as my "CFUpdate" page (linked to from my old-school top-level nav bar), and I've kept the page updated. [Hey, updating my meta resource on updates. That's SO meta!]
But I suspect a lot of people may never find it for one reason or another, so I wanted to offer a link to it here.
Check it out, and I welcome comments or feedback here.
I'll be offering my traditional "Hidden Gems in ColdFusion 2023" talk.
And see the conference web site for other speakers and their Summit sessions (with more to come).
Besides just being a great conference (in terms of content as well as meeting fellow attendees, Adobe folks, and vendors), which is being offered in-person only and at a VERY reasonable price of only US$199, the Summit is also a great chance for folks to pursue Adobe CF Certification (offered both online and in a separate one-day workshop the day after the conference, Oct 4, for just $100 more).
Note also that qualified students can attend the Summit for free. That's a great nod to Adobe supporting CF in higher education and among emerging developers.
You will find that you can no longer INSTALL CF updates via the CF admin, if CF is using this new Java version. And even if the CF update is run from the command line, if using this newer Java version that also will fail. In either case, there is a new JVM argument that solved the problem, as I discuss below.
This is happening in CF2023, 2021, and 2018. (And this may continue to happen with future JVM updates, until Adobe otherwise addresses the problem.)
As an update, when I first created this post on Jul 21, another problem was that you would find that you could no longer use the CF Administrator to download CF updates, if CF was runnign this new Java version. You would get an error reporting, "Failed Signature verification"--or in some cases you may see only "error failed". But within a couple of weeks, I found that the CF Admin COULD now download updates (including the August 2023 CF update) but the CF update STILL fails to install correctly, as discussed in this post, unless the workaround offered is used.
FWIW, Adobe has also updated the technotes for CF2021 update 10 and CF2023 update 4 with a text box at the top that acknowledges this issue and points to this post for more detail.
In this post, I explain a) what this is all about, then b) how you can fix the problem of INSTALLING the update using the CF Admin, I'll explain how it seems we HAVE to workaround that problem (for now). I also offer a link to a bug report I've filed. I even offer a thought on how this new JVM update may prove over time to affect MORE than just this, and even MORE than just CF (and Lucee) but many java apps. Read on for more.
Yes, this is shocking. Yes, unless there's a good explanation, I can understand how many would feel "someone on the CF team should be flogged". Don't shoot me: I'm just the messenger. I don't work for Adobe.
But I will add that in this post, besides just sharing news about the update (and more than JUST pointing to the update), I also offer an ADDITIONAL "fix" some will want to consider, to go BEYOND what this update addresses. See the discussion on "blocking the _cfclient query string".
Read on for more, where I cover: