
Why you should think twice about leaving on the "public JRE" option of the Java JDK installer

This is a follow-up to a post I did in late 2014, CF911: 'Help! I've updated the JVM which ColdFusion uses, and now it won't start!'. In that post, I listed about a dozen common problems that befall people who try to update the JVM that CF is using (and it and this post apply as well to Lucee or BlueDragon, or indeed any Java application server).

In this post, I want to elaborate on one more common mistake. Well, mistake may be too strong a word. It's about a default option when you run a Java JDK installer (see the other post for more on JDK vs JRE options).

In short, I make the case here for why you should NOT let the JDK installer implement its "public jre" option.

[....Continue Reading....]

How to solve common problems with applying ColdFusion updates (in 10 and above)

While ColdFusion 10 and later releases add a new automated update installation mechanism, what do you do if the update doesn't work? The answer may be simple on the surface, but not obvious to most. (And you'll likely be in panic mode.)

Many find after applying a ColdFusion update that either CF won't start at all, or they can't access the ColdFusion Admin, or some part of CF or their app doesn't work. The problem may be simply that there was an error in the update process CF did, and it may be rather easily confirmed and resolved.

In this post, I share several tips and observations to help resolve this, based on my years of providing remote CF troubleshooting support.

The TLDR version: check the ColdFusion update log (not the logs in the normal CF "logs" folder; more detail below). And if there are errors, try stopping CF yourself and then either try the update again, or if it still fails, try to manually apply the update from the command line. If that's enough to get you going, great--especially if you ARE in panic mode! (If the "problem" you need to solve, instead, is that you can't get CF to show you updates because you're behind a firewall preventing outbound internet access, I help with that also, toward the end.)

For most people, though, even those "simple things to do" can prove challenging (and understandably so). And you may find different resources on the web offering perhaps truncated discussions of the topics, which is why I elaborate on things in this post.

And even if you're in a panic, it may take only about 10 minutes to read this whole post. (You can also hire me to help instead, of course. See the link above.) Hope the info to follow is helpful for you.

[....Continue Reading....]

CF911: Help, How do I connect sites to a new instance w/ the ColdFusion 10/11 webserver config tool?

This one causes a lot of heartburn for folks: you add a new instance in CF10 or 11 (in editions other than Standard, which do support adding instances), and you find that you can't seem to have the web server configuration tool (wsconfig) connect sites to that new instance(s). You never see the new instance listed in the UI of the wsconfig tool. What gives?

The solution is relatively easy, and the problem could maybe be fixed (or at least warned about) by Adobe (and I just filed a bug report for it). Until that happens, I wanted to share this. For more, read on.

[....Continue Reading....]

Free, simple code to find out what SQL statements are running slow in SQL Server right now

Often when people are trying to troubleshoot seeming problems in ColdFusion (or whatever app server you use), they may wonder if (or have tools which suggest that) their CF requests are being held up waiting for some long-running query to run in the database.

Wouldn't it be nice to know, at any moment (such as when things are going badly), just what queries (or stored procedures or commands) were running in the database at that point in time?

Well here's good news: if you're running SQL Server, the following SQL query will show you just that: the currently running SQL statement(s) and some additional details about each query including their duration, their database name, the program executing the SQL, the session id, and much more.

(If you're running MySQL, you may know that you can get pretty much the same info with SHOW PROCESSLIST. Or if you want to do it as SQL, you can use SELECT * FROM INFORMATION_SCHEMA.PROCESSLIST WHERE COMMAND != 'Sleep'. Sadly, it's just not that simple in SQL Server, it seems, thus the need for this entry.)

The code for SQL Server

Following is the code, and then some discussion of it:

[....Continue Reading....]

Understanding SQL Server Statistics: A great, free, relatively brief ebook

If you want to understand the important concept of SQL Server statistics (a mechanism within SQL Server which tracks metadata about your data, and which can significantly affect query performance if not managed well), I think you can do no better than to spend an hour or so reading the free 40-page e-book, SQL Server Statistics, written by Holger Schmeling and offered by Red-gate.

The book is a quick read, and really well done, including a discussion of what statistics are, why they're important, how to diagnose trouble with them, and how to use the SSMS interface and/or SQL statements/commands to better understand them.

There are plenty of screenshots and it's written in a tutorial manner. And while it's from 2010 and covers only up to SQL Server 2008, most of the concepts apply just as well to SS 2012 and beyond, and of course many organizations are still running on SS 2008 or even earlier!

Most important, Schmeling explains why it's important that you take responsibility to both create and maintain statistics (rather than leave it as something that "the database" should handle). And if you are leaving it as something "the db should handle", you can use this to make sure that person is doing their job with respect to statistics.

[....Continue Reading....]

Solving slow CF startup: my elaborating on an Adobe blog entry on a possible solution

The fine folks at the Adobe CF blog posted a blog entry today, on "Sometimes ColdFusion services refuse to start normally post server restart" (by Rahul Upadhyay), which offers some helpful information on one possible solution to the stated problem of slow CF startup.

That said, there are some concerns I have, with respect to how I fear some may read and take action based on it (especially the notion of deleting the cfclasses files, as a possible solution to the problem).

I'm not contradicting Rahul here, just elaborating on some points, as someone who (like some on the CF team) helps people with CF server troubleshooting every day.

I started to write these thoughts as a comment there, and (as often happens) it grew long so I thought it better to be a blog entry rather than a long comment, and point people here. Once I did that I decided to go further still, hoping to really help those interested to consider the issue more carefully. (It also gives me a chance to highlight again the Adobe CF team blog, something I recommend EVERYONE reading this should follow!)

One quick point (and update) for the TL;DR cloud: My recommendation is that you move the cfclasses folder out of that location, as a temporary test, to see if it makes CF startup happen faster. If it does, I explain why and what the implications are in the choices of renaming, deleting, moving, or disabling the related "save class files" feature. Also, I add an update in E.1 below (since posting this) which you may really want to read: consider turning off your anti-virus software's real-time protection against the cfclasses folder to see if that alone helps with startup.

[....Continue Reading....]

CF911: 'Help! I've updated the JVM which ColdFusion uses, and now it won't start!'

Has this happened to you?
  • You wanted to update the JVM which CF uses to use a new version
  • so you found some resource on the web showing how to update, and it seemed simple enough
  • and then you tried restarting CF and wham, it won't start
  • and now you're stuck wondering, "what happened? and how am I supposed to fix this?"

It's a tragic position to be in, of course.

There are several reasons why your attempt to update CF's JVM can fail.

And fortunately I can offer several things you can consider/look at, some of which you may quickly recover from or be able to undo (depends on what you did). And all this applies to Lucee, Railo, and BlueDragon as well, though folder locations will differ.

In brief, here are the things you may have done wrong. See below for solutions or recommendations:

  1. You may have told the Java installer to install itself WITHIN the CF directory. You should not do that.
  2. You may have gotten the wrong kind of Java installer
  3. You may have gotten the wrong bit-level of Java for your bit-level of CF
  4. You may have gotten the wrong JVM for your OS
  5. You may have tried to use a JVM not supported by the version of CF you're running
  6. You may have pointed CF to the wrong JVM location
  7. You may have updated the JVM config for the cfusion instance, but not your other instances
  8. You may have forgotten to change the path's directory separator slashes on Windows
  9. You may have to copy the msvcr100.dll from the JVM's lib to CF's when updating older CF's to Java 7+
  10. You may have to copy the tools.jar from the JVM's lib to CF's when updating older CF's to Java 8+ (and delete some files compiled for the old JVM)
  11. You may find that Solr integration (and/or PDFG in CF11+) stops working, because you didn't realize you needed to edit *its* jvm config file

While I'm at it, I also cover:

  • Why you'll find that CF can't even STOP (let alone START) if you make a mistake with the JVM configuration
  • What JVM version(s) are supported by what versions of CF
  • Dealing with SSL Certificates you may have imported into a previous JVM
  • Beware leaving the Java installer to choose the "public jre" option

So this really became quite a compendium of resources on changing the JVM CF uses, but again the focus is on why CF may not start if you make certain very common mistakes.

[....Continue Reading....]

CF911: High CPU in ColdFusion? Some common but perhaps unexpected causes

I often help people who are reporting that CF is "running hot on the CPU", maybe reaching 80 or even 100% of the CPU, whether in spikes or for extended periods. What might you propose people look at, when you've heard that? I've heard all kinds of things over the years, often focused on coding, or perhaps jvm tuning.

But as is often the case in a lot of the CF server troubleshooting consulting I do, I find the causes to be far less often what most people seem to suspect. So what would I look for when someone reported high CPU in ColdFusion (or Railo)? Read on.

[....Continue Reading....]

CF911: Solving problem in ColdFusion Admin getting "error accessing this page" on certain actions

Here's a real CF911 challenge (and solution): You may find that when using the CF Admin, especially in CF10 but it can happen in CF 9 or 8 depending on security hotfixes applied, when performing certain Admin operations (like making a change, or verifying datasources, or checking for server updates) you get an error:

"There was an error accessing this page. Check logs for more details."

And your operation fails. You're then prompted to "Click here to login", but even if you back up or click another link, you'll be prompted with the CF Admin login.

What gives? Why is it happening? And how can you fix things? Is CF broken? No, not in the sense that you need to reinstall or anything. The good news is that there is a quite simple solution. Well, there are several, depending on your goals.

The simple solution: delete the duplicate cfid/cftoken or jsessionid cookies that you will find your browser is sending to CF. But there is much more to this, as well as other solutions, which would be worth most readers taking a few minutes to read on here.

BTW, the same root problem can be the cause of your own application's users finding that they can't stay logged in. More on that in a moment.

[....Continue Reading....]

Still more reasons to make sure you have updated your ColdFusion 10 web server connector

Several weeks ago, I did an entry, CF911: Why/when you MUST update the web server connector for #ColdFusion 10, and may have missed it.

In this entry, I want to throw in another reason why it's important to make sure you properly update (reconfigure/rebuild/upgrade) your web server connector after applying certain CF10 updates, or if applying only the latest update for the first time to a newly installed CF10 instance.

[....Continue Reading....]

CF911: Why/when you MUST update the web server connector for ColdFusion 10/11 and may have missed it

Have you installed or updated CF10 (or 11) and found that you still have problems with it running right, even when you have "fully updated" CF10? In this blog entry, I explain how it may NOT be that "CF 10 is broken" but rather that you may have missed an important step when updating it.

In brief, a VERY common problem is that while they MAY WELL have applied the provided "updates" for CF, folks often do NOT notice that they may have to (and generally must) "update" the web server "connector" (if they are using an external web server, like IIS or Apache) as a separate manual step, after applying the update.

I explain here what that means, how to do it, and why you may miss that you need to.

(Or if you'd rather just have me quickly help you analyze and rectify your situation, whether with regard to the connectors or any other CF server troubleshooting, I can do that in a brief consulting session, likely less than an hour, remotely and securely. I provide all the detail here for those who prefer to "go it on their own". For more on my consulting services, including rates, approach, satisfaction guarantee, and more, see the consulting page at carehart.org.)

[....Continue Reading....]

"Use UUID for cftoken" in ColdFusion Admin does not always block use of 8-digit cftokens

This topic came up on a discussion list, in the context of a larger thread, and I wanted to share here what I said there.

As an update since I first wrote this, it turns out this issue may or may not affect you depending on a couple of variables, which I will discuss, with a prefix of "update:" below. But don't dismiss this thinking you are not affected. I would propose that still far more CF servers may be exposed than not, as I will explain.

The CF Admin has (for several releases) offered an option called, "Use UUID for cftoken" (in the "Settings" section), and it's been intended as a security measure. Its purpose is to cause CF to use a UUID value (a long, complex string of numbers and letters) for the CFTOKEN cookie (and session variable) that CF generates, versus what used to be a simple, 8-digit value. This cookie, along with the simpler and incrementing CFID, is used to connect users to the session and/or client scope values created for that user in CF code.

Some may be surprised to learn, though, that while this setting DOES cause CF to *create* such UUID-formatted CFTOKEN values for requests that do not already present a CFTOKEN cookie, it does NOT necessarily cause CF to block any continued use of such simple, 8-digit cftoken cookies.

In other words, browsers which had visited your site before you turned on "use uuid for cftoken" would still send the 8 character cftoken they already had, not a uuid, and that could be accepted as valid by CF, even with that setting on, under certain conditions. (And the user will not be sent any new cftoken cookie in a UUID format, in CF's response, in those conditions.)

There's good and bad news related to this fact, which I will elaborate on below.

Update: Since writing this entry, I learned of a couple of factors that influence if and when this is a problem.

  1. It turns out that if you are using CF10, or CF9 or 8 with the "session fixation" hotfix (APSB11-04), then the problem only happens until you restart CF. The Admin does not currently warn you of this, so beware that you will have the exposure below until you do restart. (If you have added one of the later security hotfixes or cumulative hotfixes that came out since then, then you have gotten the fix.) This fix causes CF to create a new UUID-based CFTOKEN, if you turn on this feature at least (and after a restart) when a browser presents a previously created 8-digit cftoken.
  2. On the other hand, even if you are running CF 10, or running 8 or 9 and HAVE applied that hotfix, note that if you TURN OFF that fixation protection (by adding the -Dcoldfusion.session.protectfixation=false value to your jvm.config, as discussed in that technote), then you are back to the state that I discuss below.
  3. And of course, if you are on CF 8 or 9 and have NOT yet applied that APSB11-04 hotfix (or a later cumulative one that includes it), then you are indeed still vulnerable.

So that leaves still many people who could be affected by this. Even if it seems you may not be, you may want to continue reading this entry to understand what the issue is about, for you and others who may be impacted by it.

[....Continue Reading....]

CF911: New Adobe document about ColdFusion security hotfixes: required reading, I'd say

Here's a new document from Adobe (new as of last week, it seems) that you may have missed, but which I would argue is REQUIRED READING for all CF admins and developers:

Important hotfix-related notes for ColdFusion 9 and ColdFusion 10

What is this about? and why is it important? Read on below, as the document itself and current links from Adobe don't quite convey its significance, I think. For more perspective, I discuss below both what has happened to many folks after applying ColdFusion security hotfixes in recent years, and how this document helps.

[....Continue Reading....]

Part 2: Serious security threat for ColdFusion servers [now covered by a hotfix]

Since I posted my entry earlier today about a Serious security threat for #ColdFusion servers [not now covered by a hotfix], I have had many questions and discussions which lead me to share more info.

At first I was adding these as updates to the previous entry, but I fear that some who may have read it earlier in the day may then miss some of this new info, thus this "Part 2". You will definitely want to read part 1 before proceeding here.

[Update: And since writing this entry 2 weeks ago, Adobe has indeed now come out with a hotfix. I have more to say about that in the new Part 3: Adobe hotfix released for "Serious security threat for #ColdFusion servers". While you should proceed to get that fix in place, you'll likely benefit from reading parts 1, 2, and 3, as there's more discussed than just the threat and fix, itself, which could benefit you down the road.]

Among the new information shared below are such things as how the hack worked (not too much detail, though), how to determine what the exploit may have exposed, how to handle resolving things for many sites via scripting, how to lock down the /adminapi, /administrator, and /componentutils directories, and most important, why you should not skip all this just because "we already block all access to the CFIDE/adminapi" (and /administrator and /componentutils). There may be exposure you're not considering.

[....Continue Reading....]

Serious security threat for ColdFusion servers [now covered by a hotfix]

Hey folks, there's a fairly serious security threat out in the wild, and you may want to check if your server's been hit. (It may be old news to some, but for now it's hitting people in the past week or so.) It's been confirmed to have hit at least CF9 (9.0.1 and 9.0.2) servers, but it seems it would apply as well to CF10 or down to CF 7, as it leverages the Admin API.

And note that it's NOT one that you're protected against by having applied CF security hotfixes. (Updated Jan 15 2013, as Adobe now has a hotfix for this. More below.)

There's quite a bit for you to consider regarding this recent threat, as I discuss here.

[....Continue Reading....]

How to identify what jvm.config a ColdFusion instance uses (and vice-versa)

If you run ColdFusion in its Multiserver mode (multiple instances), you may know that you can configure things so that different instances use different jvm.config files, otherwise by default, all instances share just one. (If you didn't know how to change that, particularly if running CF as Windows Services, I'll offer some references explaining more.)

But have you ever wondered which jvm.config is used by a given instance? Or perhaps found multiple jvm.configs in your [jrun4]\bin directory and wondered which instance each went with? The answer isn't as straightforward as it may seem, when you're running CF as Windows Services. There's no single CF feature that reports this, but I do offer a solution here.

The simple answer is that one can find the information in the registry. The longer answer, including how to find that, as well as how to get that info more easily from the command line if you may prefer, follows.

[....Continue Reading....]

How to tell what, if any, hotfixes have been applied to ColdFusion (9 and earlier)

I often see people struggling with confusion over what hotfixes have been applied to CF. They may wonder "which have we applied?", or worse, they may not have applied any and just don't know "how to know" whether they have. I have good news, but it may not be the answer most would suspect.

The common answer offered is that one should use the "system info" page in the CF Admin, and its available "update level" field.

But I will assert that's not the "right answer" after all, or certainly not the "best answer" to really know what hotfixes (plural) have been applied. Know why? If not, I'll explain here, and I'll show what I would say is the "right" answer to "what hotfixes have you applied?"

[....Continue Reading....]

Could CF image processing be killing your ColdFusion server? Explanation and solutions.

Are you having slow ColdFusion pages and wondering what may be the cause? There can of course be many root causes, but a common one that I'm finding lately as I help people is due to using certain of CF's image processing features, especially resizing such as to create thumbnails after a file is uploaded (or when many files are uploaded).

Such folks may be using the CFIMAGE action="resize" tag, or the imageResize() or ImageScaleToFit() functions to do resizing. (Or they may be also processing images using ImageRotate, ImageShear, or ImageTranslate, though the defaults for those are not problematic like the resize/scale tag/function processing).

The "problem" (if this is the cause of a slow page) is due to a default "interpolation" setting for CFIMAGE resizing, imageResize, and ImageScaletoFit. The default may not perform well at all. The good news is that the value is configurable, and you can test to compare quality/performance of different values, as will be explained below. There are still some other things to consider also. (If you're currently using CFIMAGE to do resizing, jump to the last section of this entry to see an example of code switching from the "slow" approach to the faster one. But really, you ought to read the rest of this entry to understand what's being proposed.)

While I offer all the info here for your consideration, if you need help implementing the solution, or better understanding how to find and resolve these or other problems affecting your CF server performance, see more on my CF server troubleshooting consulting services.

[....Continue Reading....]

CF911: Latest CF Security hotfix technote updated (Mar 29) for issue with ColdFusion 8.0.1

If you are running ColdFusion 8.0.1 and may have applied the latest CF Security hotfix (APSB12-06) since it came out Mar 13 2012, note that there was an update to that on Mar 29, 2012.

The good news is that you just need to update the one hotfix jar. While it is discussed in the technote for the hotfix, the note about this update is sadly (currently) at the BOTTOM of the technote. I'll repeat what it says here, to give it some more visibility:

Note - Updated on March 29, 2012

Following bug is reported for ColdFusion 801 against this security bulletin hotfix.

java.lang.NoSuchMethodError Exception is thrown while using cffile upload.

We have updated the hotfix files of ColdFusion 801 to include the fix for the above issue. Users who have already applied the hotfix for ColdFusion 801 can just update the hotfix jar.

I'm pretty sure this is fixing what some found to be a reliance in the hotfix on your having applied one of the specific Cumulative hotfixes, but if someone had not, or if they inadvertently removed the CHF during the process of adding this single one, things would break. I'll note that the HF technote above does say very specifically what jars to remove, when applying the hotfix. Some people in haste instead delete all the hf and chf jars, or delete chf jars when it says to remove only hf jars. They look so similar in name.

I cover this issue of being careful about applying hotfixes (there are other mistakes you can easily make) in another blog entry I did, CF911: Are you finding CF (or CF Admin) busted after applying a hotfix? Three possible reasons.

And before someone chimes in to lament, "this is what's so wrong with the CF hotfix process, that mistakes can be easily made", I cover that too. The short answer is that Adobe is addressing this in CF10, and may even offer something to help us later for CF 8 and 9. We shall see.

Recording of my Adobe eseminar session, "Monitoring ColdFusion with FusionReactor"

After my barrage Friday of four entries on the CF Server Monitor, here's something instead on FusionReactor. Some may know that last week I did a talk on the Adobe ColdFusion eseminar series, "Monitoring ColdFusion with FusionReactor". I got word today that the recording link has been posted.

You can find the recording here. Note that you need to login with an Adobe ID, just like when you download Adobe software or participate in their forums. (I have no control over that.)

Since that link just goes right to the recording, here is the description I'd used for the session, to help decide if the recording may interest you. BTW, I clarify on the session that FR is useful for more than just ColdFusion, in that FusionReactor can be used for Railo, BlueDragon, and OpenBlueDragon, as well as in fact any Java server (Tomcat, JBoss, Jetty, Glassfish, Websphere, etc.), and the session applies just as well to folks using those.

My session: Monitoring ColdFusion with FusionReactor

Recording
Session Description:

[....Continue Reading....]


Copyright ©2017 Charlie Arehart