[Looking for Charlie's main web site?]

ColdFusion March 2023 emergency update, and what to do about it

If you've not heard, a new update has been released (March 14, 2023) for ColdFusion 2021 and 2018. Despite what you may hear, this is an URGENT (rated "Priority 1" by Adobe) update that everyone should apply ASAP, for reasons I will explain in this post. In fact, Hackernews reported yesterday (Mar 16) that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) had issued an urgent warning about this, giving federal agencies a deadline to apply the update.

TLDR; For some folks, the above may be all you need to hear: you may be dropping your coffee and donuts now to get the update applied. Still others will see this "huge post" and think, "crap, I don't have time for this". For you, skip to the bottom and its "concluding key points". You can then decide what you think you do or don't "need to know" and pick and choose from the sections as you like.

Finally, for those who prefer because of the importance of all this to be led more carefully through understanding things (in a way that's worked for the many people I have helped so far this week, and is far more than either Adobe or Hackernews has shared), please do read on.

[....Continue Reading....]

The 100 most interesting posts on the Adobe ColdFusion blog, the past 3 years

Note: This blog post is from 2017. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
The Adobe ColdFusion team blog often has really some interesting content, but I find that some people are either not aware of the blog or just don't keep up on it, or perhaps they have trouble finding something they saw before or maybe heard was there.

So here I present what I feel are the 100 (technically, 105) most interesting/useful posts made there over the past 3 years (2014-16), offering information about CF and CFML which should be valuable to readers for years to come.

[....Continue Reading....]

The ColdFusion 'metrics log', an oft-missed or misunderstood feature, 'new' since CF10 (Part 1)

Note: This blog post is from 2016. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
I'd like to take a diversion from my recent posts focused on CF2016 and talk about something that applies (and should interest) anyone using CF 10, 11, or 2016.

Have you heard of the new "metrics log" option that was enabled in CF10? If you have not, it's worth knowing about (there's precious little documentation, and I'll point to it, and give you still more info to help you use it). It's a useful, low-impact mechanism to get some high-level metrics logged by CF every 60 seconds (by default), and stored along with other CF logs.

If you did know about it, you've probably had some problems with it. Why does it show "nulls"? What do reported metrics really mean? Why do they not jive with what I'd expect to be the numbers reported?

In this post, and a Part 2 to come, I will introduce the metrics log, pointing out some key things you need to know to have it setup to work at all, and then I'll share my observations of things I've come to understand about the reported metrics.

[....Continue Reading....]

ColdFusion 2016: Changes in the CF Administrator

Note: This blog post is from 2016. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
As folks continue to explore ColdFusion (2016 Release), aka CF2016, regarding what's new or changed, I thought I'd put together a listing of what has changed in the CF Admin specifically. This is another in a series of posts I started last week on CF2016.

[....Continue Reading....]

Released today: CF2016, or 'ColdFusion (2016 release)'. What's new, and more

Note: This blog post is from 2016. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
If you're not following the Adobe CF team blog, you may have missed the announcement there today of the newest version of CF, ColdFusion 2016. More on the name in a moment.

And while that Adobe blog post mentions a few of the main new features, as is nearly always the case it leaves out many other new features which may interest folks. It also doesn't point to resources to learn more. I do those things here in this post.

[....Continue Reading....]

Monitoring ColdFusion web server connectors, more on Tomcat 'Status Workers'

Note: This blog post is from 2015. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
If you're running CF 10 or above, there was a very interesting post on the Adobe CF blog, from July 19 2015, entitled, Configuring Status Worker in Connectors. The Adobe blog post title may not have caught your attention, but it's about setting up a lightweight and built-in Tomcat monitoring feature for observing the status of the Tomcat web server connector.

You may want to consider enabling it, but I would add some caveats and observations that I share below. Note that it's really quite easy to enable, and DOES NOT require a restart of CF (only of your web server, or technically in IIS, a recycling of the application pool/s--a web site restart is not enough) to take effect.

[....Continue Reading....]

CF911: Help, How do I connect sites to a new instance w/ the ColdFusion 10/11 webserver config tool?

Note: This blog post is from 2015. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
This one causes a lot of heartburn for folks: you add a new instance in CF10 or 11 (in editions other than Standard, which do support adding instances), and you find that you can't seem to have the web server configuration tool (wsconfig) connect sites to that new instance(s). You never see the new instance listed in the UI of the wsconfig tool. What gives?

The solution is relatively easy, and the problem could maybe be fixed (or at least warned about) by Adobe (and I just filed a bug report for it). Until that happens, I wanted to share this. For more, read on.

[....Continue Reading....]

ColdFusion Lockdown/Security guides: there are several, and some you may have missed

Note: This blog post is from 2014. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
While helping people with various problems in my CF server troubleshooting services, I often have the chance to help people identify security vulnerabilities, especially in their configuration of CF and/or their web server, and sometimes related to their code.

I was wanting to point out to someone the various ColdFusion security resources, and while I have a category on them in my CF411 site, I thought this was a list worth pulling out into its own blog entry and expanding a bit.

You may be surprised to find that there are more to CF security guidelines than just the venerable server "lockdown guide" (for those administering and configuring CF, the OS, and the web server, among other things).

Did you know that there have been "developer security guidelines" as well, focused instead on coding? This latter guide has gone through three iterations, including just recently, as I'll discuss along with the lockdown guides, below.

[....Continue Reading....]

CF911: Why/when you MUST update the web server connector for ColdFusion 10/11 and may have missed it

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
Have you installed or updated CF10 (or 11) and found that you still have problems with it running right, even when you have "fully updated" CF10? In this blog entry, I explain how it may NOT be that "CF 10 is broken" but rather that you may have missed an important step when updating it.

In brief, a VERY common problem is that while they MAY WELL have applied the provided "updates" for CF, folks often do NOT notice that they may have to (and generally must) "update" the web server "connector" (if they are using an external web server, like IIS or Apache) as a separate manual step, after applying the update.

I explain here what that means, how do to it, and why you may miss that you need to.

Update in 2019:

Since writing this entry, I did one in 2019 on When and how to upgrade CF web server connector, easier since CF2016, which at least makes it EASIER to upgrade, though much of what I write here still applies. I also updated this post since originally writing it, in ways discussed below.

(Or if you'd rather just have me help you quickly help you analyze and rectify your situation, whether with regard to the connectors or any other CF server troubleshooting, I can do that in a brief consulting session, likely less than an hour, remotely and securely. I provide all the detail here for those who prefer to "go it on their own". For more on my consulting services, including rates, approach, satisfaction guarantee, and more, see the consulting page at carehart.org.)

[....Continue Reading....]

Setting up ColdFusion to process html or other file extensions

Note: This blog post is from 2011. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
As a follow-on to my last entry, Setting up CFBuilder to process htm files with the ColdFusion editor, I wanted to offer more info for those who may want to know more about this--or ensure that more is shared with any who would consider doing this.

If you're looking for how to configure CFBuilder to open htm files with the CFML editor, see that other entry. This one instead is about the related idea of having CF (the server) process htm (or other) file extensions. There are certainly pros and cons.

[....Continue Reading....]

Copyright ©2024 Charlie Arehart
Carehart Logo
BlogCFC was created by Raymond Camden. This blog is running version 5.005.
(Want to validate the html in this page?)

Managed Hosting Services provided by
Managed Dedicated Hosting