Solving failure in applying Oct 2023 CF updates, or avoiding that failure
TLDR; If you've configured either CF2021's Java home to use Java 11.0.20 or later, or CF2023's Java home to use Java 17.0.8 or later, you may find that applying CF updates via the Admin fails. You can apply the update via the command line, adding a needed new JVM arg:
-Djdk.util.zip.disableZip64ExtraFieldValidation=true
(to be placed BEFORE the -jar arg) in the java -jar ... command, as I discuss more in the 5th bullet point below. (If I've lost you with that simple suggestion, read the rest here. And all may benefit from reading what precedes that suggestion, for context. I also offer other suggestions and info.)
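As an added example (not the post's own script, and nothing Adobe ships), here is a small POSIX shell helper that decides from the JVM version string whether the property is needed under the two thresholds the post names, and prints the java -jar command with the property ahead of -jar. The Java paths, the hotfix jar name and the version banner are placeholders; how Java majors other than 11 and 17 are treated is an assumption (the post does not cover them, so the helper leaves the flag off for them).

```shell
#!/bin/sh
# Added example (not from the original post): decide from a Java version
# string whether the hotfix jar needs the new property, and build the
# command line with the property placed BEFORE -jar, as the post requires.
# Assumptions: the version ranges are the two the post names (11.0.20+ and
# 17.0.8+); paths and the hotfix jar name are placeholders.

# Pull "17.0.8" out of a `java -version` banner line such as
#   openjdk version "17.0.8" 2023-07-18 LTS
java_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p'
}

# Returns 0 (true) when the version is 11.0.20 or later on the 11 train, or
# 17.0.8 or later on the 17 train; 1 otherwise. Other majors return 1 because
# the post does not cover them (assumption). Build suffixes such as "+8" or
# "_LTS" are ignored.
needs_zip64_flag() {
  v=${1%%[+_-]*}
  case "$v" in *.*.*) ;; *) return 1 ;; esac
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  patch=${patch%%.*}
  case "$major" in
    11) [ "$minor" -gt 0 ] || [ "$patch" -ge 20 ] ;;
    17) [ "$minor" -gt 0 ] || [ "$patch" -ge 8 ] ;;
    *)  return 1 ;;
  esac
}

# Print the java -jar command to apply a CF hotfix jar, adding
# -Djdk.util.zip.disableZip64ExtraFieldValidation=true before -jar only when
# the JVM version calls for it. $1 = java binary, $2 = version string,
# $3 = hotfix jar path.
build_update_cmd() {
  java=$1; version=$2; jar=$3
  if needs_zip64_flag "$version"; then
    printf '%s -Djdk.util.zip.disableZip64ExtraFieldValidation=true -jar %s\n' "$java" "$jar"
  else
    printf '%s -jar %s\n' "$java" "$jar"
  fi
}

# Usage on a server (placeholder paths and jar name): read the version the CF
# JVM reports, then print the command to run from the CF root.
#   banner=$(/opt/coldfusion2023/jre/bin/java -version 2>&1 | head -n 1)
#   build_update_cmd /opt/coldfusion2023/jre/bin/java \
#     "$(java_version_from_banner "$banner")" hotfix-xxx.jar
```

The ordering matters because the property is a JVM system property: anything placed after the jar name is handed to the hotfix installer as a program argument and never seen by the JVM, so the validation stays on and the update fails just as it did from the Admin.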
thanks
But I do always want things to be correct, and I am happy to fix them immediately when I can. :-) So again, thanks for the heads-up.
Or consider accepting access to it from localhost only.
I'm seeing the following errors:
404 - File or directory not found.
The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.
The requested URL was not found on this server!
If you entered the URL manually please check your spelling and try again.
Tomcat/ISAPI/isapi_redirector/1.2.46
isapi_redirect.log is showing the following errors:
jk_check_path::jk_util.c (2476): Blocking this uri: [/CFIDE/administrator/index.cfm] since its starting with cfide
I am curious: on Linux servers without a GUI, how do you access the CF Admin with the 127.0.0.1 limitation?
To your last question, one way is via ssh port forwarding. Another is via a web server acting as a proxy to the built-in web server--which circumvents ajp (and that uriworkermap.properties file, etc), for better or worse.
Finally, if you may prefer we resolve this directly (via remote consulting) rather than a lot of back and forth, we might solve things in as little as 15 mins. See carehart.org/consulting for more, including rates, approach, satisfaction guarantee, and online calendar.
Allowed IP Addresses for accessing ColdFusion Administrator and ColdFusion Internal Directories
And as that came in I was writing this to expand on my last comment:
Yet another option, of course, is to open an IP-specific firewall hole for that CF built-in web server (8500, by default), in conjunction with that allowed-IP limitation in the Admin. Even in a server not connected to the internet, you should be as worried about hacks from within your network as from without.
And of course a real web server (such as nginx port-forwarding to CF's) can also be configured with additional protections like IP limitations, private certificates, additional security protections, etc. While the CF built-in web server (which is Tomcat's web server) can do SOME of that, other web servers are far more popular and well-documented.
I've found no docs offering any way to disable or modify this new behavior, though it may be possible.
Those "needing" to enable it can circumvent it in IIS or Apache by using those to port forward to the CF built-in web server. (With IIS, you must add its free ARR feature to do that.) Or you can use SSH tunneling (long discussed in the lockdown guide, including section 6.4 of the 2023 guide.)
Finally, I know some argue "the DoD STIG makes me disable that built-in web server". I addressed that in another thread 3 days ago (which included you, neowire, but no reply yet from you):
https://community.ad...
And someone happened to reply just an hour ago as I wrote. I have added a reply to them there.
And feedback is welcome here, but if on this specific matter it could be hard for some to keep up with both, consider checking out that thread before commenting here, and decide if it may make more sense there (and reach people there who don't know about this here).
However - for those that don't need remote access through a connector to CFAdmin, this is a big security improvement. I've shared some more thoughts on that here - https://hoyahaxa.blo...
There is an example of the ssh command you would use in the lockdown guide.
Basically, how it works is you open a tunnel on your desktop that maps a local port number of your choosing to the remote server port (e.g. 8500), and the traffic runs through the SSH protocol when you browse to that mapped port on localhost.
Pete, thanks also, though fwiw I covered that in a comment above (https://www.carehart...), but perhaps I should add the info to the post, as surely others will read that without considering all the "commentary". :-)
So you lament (with others) that this change to the CF connector (not allowing access to the CF Admin) now effectively precludes you accessing the CF Admin at all, right? And that there's "no way around it"?
But that's not true. There are in fact SEVERAL ways you could "get around such a restriction", and none are hacks or tricks. They're just different from what most folks using the CF Admin are used to. (And most have been mentioned above in comments, but I realize some either may not read them or might miss something--or ignore it, because their focus is on "what will it take to change Adobe's change in allowed behavior".)
1) First, of course you could open a firewall hole to access the port of the CF built-in web server (since it seems you're not held to that CF STIG's restriction against it). But that seems so simple an option that I guess you have a reason that that, too, is "not allowed". Is that perhaps because you're not allowed to open ports? Everything must go through port 80 or 443?
2) Either way, a second thing one can do is set up your external web server (IIS or Apache) to have a site that is NOT connected to CF via the connector (via the CF "web server configuration tool"), but rather is configured to FORWARD requests to that CF built-in web server port. (Then you're not opening that CF built-in web server port for access OFF the server. It's being accessed only via a forward from the web server on the same machine. And you can use the web server's capabilities to restrict that other ways, like via IP or requiring additional auth, etc.) I had mentioned this in comments on Oct 11 and 17 above, where I noted also that with IIS you'd need to enable its ARR feature to get that port forwarding. Otherwise, Apache, nginx, and others offer it as an inherent feature.
3) Yet another option is to set up SSH port tunneling, where you get the security (and optionally key-based auth) of SSH but have it forward (even from off the server) to that CF built-in web server port ON the server. I'd mentioned that also in that Oct 17 comment, where I also pointed out how this is actually discussed (for Linux) in the CF lockdown guide.
But note that such port forwarding is NOT limited to Linux. One can do it just as well with Windows. (And Windows has had an ssh client built-in for some years now, along with an optionally enabled ssh server.)
Hope that helps someone. Perhaps I need to do a post or talk on these alternatives. I'm open to hearing of others.
(I should add that one could just forgo the CF Admin and use the new cfsetup CLI tool added in CF2021, which lets one add/change/delete/view any admin settings, or export/import them via JSON. But I realize that may not suit everyone as an alternative to accessing the CF Admin "at all". Then too, the CF2023 Central Config Server or CCS feature could also reduce the need for people to access the CF Admin at all. But the focus above is getting to the Admin without using an external web server's AJP connection, as made via the CF web server config tool.)
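The alternatives listed in the comment above (the nginx/IIS forward in option 2, the SSH tunnel in option 3, and the earlier comments' point that a forward from the same machine combines with the Admin's localhost-only "Allowed IP" setting), as an added example that is not part of the post or of any commenter's text: small POSIX shell helpers that print the SSH local-forward command, emit an nginx location block that proxies the Admin path to the built-in web server behind an IP allow-list, and fetch an HTTP status code to confirm which route answers. Assumed: the built-in web server on its default port 8500, the /CFIDE/administrator/ path, and placeholder host names, users and address ranges.

```shell
#!/bin/sh
# Added example (not from the post or its comments): helpers for reaching the
# CF Admin without the IIS/Apache connector. Assumptions: CF's built-in web
# server listens on 8500 (its default), the Admin lives under
# /CFIDE/administrator/, and hosts, users and CIDRs below are placeholders.

# Option 3: SSH local port forward. Maps a port on your desktop to
# 127.0.0.1:<cf_port> ON the server, so the CF port needs no firewall hole
# and the hop is authenticated and encrypted by SSH. The same command works
# from Windows' built-in OpenSSH client. -N opens the tunnel without a shell.
ssh_admin_tunnel_cmd() {
  local_port=$1; ssh_user=$2; cf_host=$3; cf_port=${4:-8500}
  printf 'ssh -N -L %s:127.0.0.1:%s %s@%s\n' \
    "$local_port" "$cf_port" "$ssh_user" "$cf_host"
}

# Option 2: nginx on the CF server as a reverse proxy to the built-in web
# server, restricted to an allow-list, with no connector (AJP) involved.
# Prints the location block to paste into a server {} block.
nginx_admin_proxy_conf() {
  allowed_cidr=$1; cf_port=${2:-8500}
  cat <<EOF
location /CFIDE/administrator/ {
    allow 127.0.0.1;
    allow $allowed_cidr;
    deny all;
    proxy_pass http://127.0.0.1:$cf_port;
    proxy_set_header Host \$host;
    proxy_set_header X-Forwarded-For \$remote_addr;
}
EOF
}

# Sanity check: the connector now answers /CFIDE/administrator/ with a 404
# (the "Blocking this uri" line in the isapi_redirect.log comment), while
# the tunnel or proxy should answer 200 or a 302 to the login page.
# Only runs curl when called; prints the HTTP status code.
admin_http_status() {
  curl -s -o /dev/null -w '%{http_code}' "$1"
}

# Usage (placeholders):
#   ssh_admin_tunnel_cmd 8500 admin cf.example.internal
#   # then browse to http://localhost:8500/CFIDE/administrator/
#   nginx_admin_proxy_conf 10.0.0.0/8 > /etc/nginx/conf.d/cfadmin.inc
#   admin_http_status http://localhost:8500/CFIDE/administrator/
```

Through the nginx proxy, CF sees the request arriving from 127.0.0.1, which is what lets it coexist with the Admin's "Allowed IP addresses" setting restricted to localhost; the X-Forwarded-For header is there for your logs, not for that check. Through the tunnel, browse to http://localhost:<local_port>/CFIDE/administrator/ while the ssh session stays open.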